diff --git a/core/modules/contact/src/ContactMessageAccessControlHandler.php b/core/modules/contact/src/ContactMessageAccessControlHandler.php
new file mode 100644
index 0000000000000000000000000000000000000000..89fe9582b5075a19f56144b4344a989758be8899
--- /dev/null
+++ b/core/modules/contact/src/ContactMessageAccessControlHandler.php
@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\contact\ContactMessageAccessControlHandler.
+ */
+
+namespace Drupal\contact;
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Entity\EntityAccessControlHandler;
+use Drupal\Core\Session\AccountInterface;
+
+/**
+ * Defines the access control handler for the message form entity type.
+ *
+ * @see \Drupal\contact\Entity\Message.
+ */
+class ContactMessageAccessControlHandler extends EntityAccessControlHandler {
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL) {
+    return AccessResult::allowedIfHasPermission($account, 'access site-wide contact form');
+  }
+}
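Review bot: `checkCreateAccess()` ignores `$entity_bundle`, so the single permission 'access site-wide contact form' decides create access for every `contact_form` bundle, not only the site-wide one. If the module has a bundle that is meant to be gated by a different permission (the bundle list is not visible in this diff, so this is inferred), the method should branch on `$entity_bundle` rather than grant it through the site-wide permission. The override also never calls the parent, so the `admin_permission` added in Message.php is presumably not consulted for create. If users with 'administer contact forms' are meant to pass, combine the two, e.g. `return AccessResult::allowedIfHasPermission($account, 'access site-wide contact form')->orIf(parent::checkCreateAccess($account, $context, $entity_bundle));`. The class docblock could also state which permission gates which operation, since `{@inheritdoc}` hides that this handler narrows create access to one permission.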
diff --git a/core/modules/contact/src/Entity/Message.php b/core/modules/contact/src/Entity/Message.php
index d9967e2f98b9fb2ee503a8b98f8dbc127fe9d031..c7df0981d1674c0e2a2e4844a09827ec6aae1434 100644
--- a/core/modules/contact/src/Entity/Message.php
+++ b/core/modules/contact/src/Entity/Message.php
@@ -19,12 +19,14 @@
  *   id = "contact_message",
  *   label = @Translation("Contact message"),
  *   handlers = {
+ *     "access" = "Drupal\contact\ContactMessageAccessControlHandler",
  *     "storage" = "Drupal\Core\Entity\ContentEntityNullStorage",
  *     "view_builder" = "Drupal\contact\MessageViewBuilder",
  *     "form" = {
  *       "default" = "Drupal\contact\MessageForm"
  *     }
  *   },
+ *   admin_permission = "administer contact forms",
  *   entity_keys = {
  *     "bundle" = "contact_form",
  *     "uuid" = "uuid"
diff --git a/core/modules/contact/src/Tests/MessageEntityTest.php b/core/modules/contact/src/Tests/MessageEntityTest.php
index f888345f539c86ed19abc67f813d8d310c42056f..52c78a27228d3a3d1f8ca1d0b4627c2901a557f4 100644
--- a/core/modules/contact/src/Tests/MessageEntityTest.php
+++ b/core/modules/contact/src/Tests/MessageEntityTest.php
@@ -7,7 +7,7 @@
 namespace Drupal\contact\Tests;
 
 use Drupal\contact\Entity\Message;
-use Drupal\simpletest\KernelTestBase;
+use Drupal\system\Tests\Entity\EntityUnitTestBase;
 
 /**
  * Tests the message entity class.
@@ -15,7 +15,7 @@
  * @group contact
  * @see \Drupal\contact\Entity\Message
  */
-class MessageEntityTest extends KernelTestBase {
+class MessageEntityTest extends EntityUnitTestBase {
 
   /**
    * Modules to enable.
@@ -62,6 +62,15 @@ public function testMessageMethods() {
     $this->assertEqual($message->getSenderName(), 'sender_name');
     $this->assertEqual($message->getSenderMail(), 'sender_mail');
     $this->assertTrue($message->copySender());
+
+    $no_access_user = $this->createUser(['uid' => 2]);
+    $access_user = $this->createUser(['uid' => 3], ['access site-wide contact form']);
+    $admin = $this->createUser(['uid' => 4], ['administer contact forms']);
+
+    $this->assertFalse(\Drupal::entityManager()->getAccessControlHandler('contact_message')->createAccess(NULL, $no_access_user));
+    $this->assertTrue(\Drupal::entityManager()->getAccessControlHandler('contact_message')->createAccess(NULL, $access_user));
+    $this->assertTrue($message->access('edit', $admin));
+    $this->assertFalse($message->access('edit', $access_user));
   }
 
 }
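Review bot: The last two assertions pass the operation name `'edit'`, whereas the entity access API's usual operations are `'view'`, `'update'` and `'delete'`. The check appears to pass only because the admin permission is applied whatever the operation string is (inferred from the base handler, which is not shown), so it does not prove that a real operation is protected. I would assert on `'update'` and add the cases the access change leaves untested: `$this->assertTrue($message->access('update', $admin));`, a `createAccess()` call for `$admin`, and a `createAccess()` call with a concrete bundle instead of `NULL`. A short comment on the explicit uids would help too, e.g. `// Explicit uids keep these accounts off uid 1, which bypasses access checks.` if that is the intent. `testMessageMethods()` starts outside this hunk.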