diff --git a/app/controllers/api/base_controller/renderer.rb b/app/controllers/api/base_controller/renderer.rb
index 616a03848a..29f8de7c77 100644
--- a/app/controllers/api/base_controller/renderer.rb
+++ b/app/controllers/api/base_controller/renderer.rb
@@ -413,7 +413,7 @@ def expand_subcollection(json, sc, sctype, subresources)
       def gen_action_spec_for_collections(collection, cspec, is_subcollection, href)
         if is_subcollection
           target = :subcollection_actions
-          cspec_target = cspec[target] || collection_config.typed_subcollection_actions(@req.collection, collection)
+          cspec_target = collection_config.typed_subcollection_actions(@req.collection, collection) || cspec[target]
         else
           target = :collection_actions
           cspec_target = cspec[target]
diff --git a/spec/requests/services_spec.rb b/spec/requests/services_spec.rb
index 0e8d44e0e9..3cb020a299 100644
--- a/spec/requests/services_spec.rb
+++ b/spec/requests/services_spec.rb
@@ -1182,6 +1182,15 @@ def expect_svc_with_vms
       expect(response).to have_http_status(:ok)
       expect(response.parsed_body).to include(expected)
     end
+
+    it "does not return invalid actions" do
+      api_basic_authorize(subcollection_action_identifier(:services, :generic_objects, :read, :get),
+                          collection_action_identifier(:generic_objects, :create))
+
+      get(api_service_generic_objects_url(nil, svc))
+
+      expect(response.parsed_body.key?('actions')).to be_falsey
+    end
   end
 
   context "service custom_attributes" do