diff --git a/rbac/management/migrations/0012_remove_RonR_resources.py b/rbac/management/migrations/0012_remove_RonR_resources.py
new file mode 100644
index 000000000..e7b8e919c
--- /dev/null
+++ b/rbac/management/migrations/0012_remove_RonR_resources.py
@@ -0,0 +1,36 @@
+# Generated by Django 2.2.4 on 2019-11-26 17:03
+
+from django.db import migrations, models
+
+
+def remove_rbac_roles(apps, schema_editor):
+ # get all permissions/access objects for RBAC
+ Access = apps.get_model('management', 'Access')
+ rbac_permissions = Access.objects.filter(permission__contains='rbac:')
+
+ # iterate through all RBAC permissions
+ for rbac_permission in rbac_permissions:
+ # get the role for the permission (bubbling up)
+ role = rbac_permission.role
+
+ # check to see if there are any access objects that are not RBAC
+ non_rbac_permissions = role.access.exclude(permission__contains='rbac:')
+
+ # if so, just delete the access object we know is RBAC, and leave the role
+ if non_rbac_permissions:
+ # this will still delete the resource definitions for the access object
+ rbac_permission.delete()
+ else:
+ # otherwise, we only have RBAC access objects, so delete everything
+ role.delete()
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('management', '0011_group_naming'),
+ ]
+
+ operations = [
+ migrations.RunPython(remove_rbac_roles)
+ ]
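Review bot: The `permission__contains='rbac:'` match in `remove_rbac_roles` hits the substring anywhere in the permission string, so a permission for an application whose name merely ends in `rbac` would be treated as RBAC and its access row, or its whole role, deleted; if permissions follow an `app:resource:verb` layout (not visible here), a `startswith` match is the safer choice in both the filter and the exclude. The loop also walks access rows rather than roles, so a role holding two RBAC-only rows is deleted on the first pass and the second row's `rbac_permission.role` lookup then appears likely to raise `DoesNotExist`, depending on how the foreign key cascades. Iterating the affected roles once avoids that, as sketched below, and passing `migrations.RunPython.noop` as the reverse lets the migration be unapplied, although the deleted rows are not restored. Because this permanently removes authorization grants, I would also record each deleted role and access row in the migration output so the change can be audited. The `models` import is unused.

```python
def remove_rbac_roles(apps, schema_editor):
    Access = apps.get_model('management', 'Access')
    # resolve the role model through the FK instead of assuming its name
    Role = Access._meta.get_field('role').related_model
    rbac_access = Access.objects.filter(permission__startswith='rbac:')
    role_ids = set(rbac_access.values_list('role_id', flat=True))

    for role in Role.objects.filter(pk__in=role_ids):
        if role.access.exclude(permission__startswith='rbac:').exists():
            # mixed role: drop only its RBAC access rows, keep the role
            role.access.filter(permission__startswith='rbac:').delete()
        else:
            # RBAC-only role: remove the role itself
            role.delete()

# … unchanged: Migration class header and dependencies …
    operations = [
        migrations.RunPython(remove_rbac_roles, migrations.RunPython.noop)
    ]
```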