diff --git a/app/src/Controller/Component/AuthorizationComponent.php b/app/src/Controller/Component/AuthorizationComponent.php
index 113536678..f90259ab8 100644
--- a/app/src/Controller/Component/AuthorizationComponent.php
+++ b/app/src/Controller/Component/AuthorizationComponent.php
@@ -78,13 +78,13 @@ protected function getPermissions($username) {
         continue;
       }
       
-      if($mgid) {
+      if($p == PermissionEnum::PlatformAdmin) {
+        $this->userPermissions[$username]['cmadmin'] = true;
+      } elseif($mgid) {
         // Currently Permissions are hierarchical (ie: MatchgridAdmin implies
         // ReconciliationManager), but this could change in the future, so we
         // track everything separately.
         $this->userPermissions[$username]['matchgrids'][$mgid][$p] = true;
-      } elseif($p == PermissionEnum::PlatformAdmin) {
-        $this->userPermissions[$username]['cmadmin'] = true;
       }
     }
     
diff --git a/app/src/Lib/Traits/ValidationTrait.php b/app/src/Lib/Traits/ValidationTrait.php
index 5ff364e4f..49491b7ec 100644
--- a/app/src/Lib/Traits/ValidationTrait.php
+++ b/app/src/Lib/Traits/ValidationTrait.php
@@ -34,6 +34,42 @@
 namespace App\Lib\Traits;
 
 trait ValidationTrait {
+  /**
+   * Perform a conditional validation check, where if a select value matches an
+   * array of values, then another field must not be empty. In theory we should be
+   * able to do this with Cake native conditional validation, but if a field is
+   * not required and null, then Cake doesn't run validation on the value.
+   *
+   * To configure this validation rule, use setProvider():
+   * 
+   *  $validator->setProvider('conditionalRequire', [
+   *                          'inArray' => [valuesThatRequireOtherField],
+   *                          'require' => 'field_to_require',
+   *                          'label'   => 'field label, for use in error message']);
+   *
+   * Note this validation rule is applied on the value that must always be set,
+   * which will result in the validation error being unintuitively placed on the
+   * "wrong" attribute.
+   *
+   * @since  COmanage Common v1.0.0
+   * @param  string $value   Value to validate
+   * @param  array  $context Validation context
+   * @return mixed  True if $value validates, or an error string otherwise
+   */
+  
+  public function validateConditionalRequire($value, array $context) {
+    // What component are we?
+    $COmponent = __('product.code');
+    
+    if(!empty($value)
+       && in_array($value, $context['providers']['conditionalRequire']['inArray'])
+       && empty($context['data'][ $context['providers']['conditionalRequire']['require'] ])) {
+      return __($COmponent.'.er.input.condreq', [$context['providers']['conditionalRequire']['label']]);
+    }
+    
+    return true;
+  }
+  
   /**
    * Determine if a string submitted from a form is valid input.
    *
diff --git a/app/src/Locale/en_US/default.po b/app/src/Locale/en_US/default.po
index 7f92c2be8..7e81b0886 100644
--- a/app/src/Locale/en_US/default.po
+++ b/app/src/Locale/en_US/default.po
@@ -194,6 +194,9 @@ msgstr "Invalid format"
 msgid "match.er.input.blank"
 msgstr "Value cannot consist of only blank characters"
 
+msgid "match.er.input.condreq"
+msgstr "When this value is selected, {0} cannot be empty"
+
 msgid "match.er.input.invalid"
 msgstr "Invalid character found"
 
diff --git a/app/src/Model/Table/PermissionsTable.php b/app/src/Model/Table/PermissionsTable.php
index 99166ab83..5c15d470b 100644
--- a/app/src/Model/Table/PermissionsTable.php
+++ b/app/src/Model/Table/PermissionsTable.php
@@ -36,6 +36,7 @@
 
 class PermissionsTable extends Table {
   use \App\Lib\Traits\AutoViewVarsTrait;
+  use \App\Lib\Traits\ValidationTrait;
   
   /**
    * Perform Cake Model initialization.
@@ -116,6 +117,20 @@ public function validationDefault(Validator $validator) {
         PermissionEnum::None
       ] ] ]
     );
+    $validator->add(
+      'permission',
+      'conditionalRequire',
+      [ 'rule' => 'validateConditionalRequire',
+        'provider' => 'table' ]
+    );
+    $validator->setProvider('conditionalRequire', [
+      'inArray' => [ PermissionEnum::MatchgridAdmin,
+                     PermissionEnum::ReconciliationManager,
+                     PermissionEnum::ReconciliationSupport
+      ],
+      'require' => 'matchgrid_id',
+      'label' => __('match.ct.matchgrids', [1])
+    ]);
     $validator->notEmpty('permission');
     
     return $validator; 
diff --git a/app/src/Template/Permissions/fields.inc b/app/src/Template/Permissions/fields.inc
index 0f318768d..711ecd9ca 100644
--- a/app/src/Template/Permissions/fields.inc
+++ b/app/src/Template/Permissions/fields.inc
@@ -37,13 +37,14 @@ use \App\Lib\Enum\PermissionEnum;
     
     if(perm == '<?= PermissionEnum::PlatformAdmin ?>') {
       $("#matchgrid-id").closest('li').hide();
+      // Blank out Matchgrid ID
+      document.getElementById('matchgrid-id').selectedIndex = 0;
     } else {
       $("#matchgrid-id").closest('li').show('fade');
     }
   }
   
   function js_local_onload() {
-// XXX this doesn't run, probably because comanage.js doesn't load correctly?
     fields_update_gadgets();
   }
 </script>
@@ -56,5 +57,5 @@ if($action == 'add' || $action == 'edit') {
                               ['empty' => true,
                                'onChange' => 'fields_update_gadgets();']);
   
-  print $this->Field->control('matchgrid_id');
+  print $this->Field->control('matchgrid_id', ['empty' => true]);
 }
\ No newline at end of file