diff --git a/internal/db/migrations/postgres.gen.go b/internal/db/migrations/postgres.gen.go
index ba59016fc9..104f4ac827 100644
--- a/internal/db/migrations/postgres.gen.go
+++ b/internal/db/migrations/postgres.gen.go
@@ -654,7 +654,6 @@
 before
 delete on iam_scope
 for each row execute procedure disallow_global_scope_deletion();
-
 create trigger
 update_time_column
 before update on iam_scope
@@ -938,6 +937,24 @@
 before
 insert on iam_role_grant
 for each row execute procedure default_create_time();
+create or replace function
+ disallow_r_default_deletion()
+ returns trigger
+as $$
+begin
+ if old.public_id = 'r_default' then
+ raise exception 'deletion of r_default not allowed';
+ end if;
+ return old;
+end;
+$$ language plpgsql;
+
+create trigger
+ iam_role_disallow_global_deletion
+before
+delete on iam_role
+ for each row execute procedure disallow_r_default_deletion();
+
 create trigger
 update_version_column
 after update on iam_role
diff --git a/internal/db/migrations/postgres/06_iam.up.sql b/internal/db/migrations/postgres/06_iam.up.sql
index 083b61966e..89dea1b893 100644
--- a/internal/db/migrations/postgres/06_iam.up.sql
+++ b/internal/db/migrations/postgres/06_iam.up.sql
@@ -136,7 +136,6 @@
 before
 delete on iam_scope
 for each row execute procedure disallow_global_scope_deletion();
-
 create trigger
 update_time_column
 before update on iam_scope
@@ -420,6 +419,24 @@
 before
 insert on iam_role_grant
 for each row execute procedure default_create_time();
+create or replace function
+ disallow_r_default_deletion()
+ returns trigger
+as $$
+begin
+ if old.public_id = 'r_default' then
+ raise exception 'deletion of r_default not allowed';
+ end if;
+ return old;
+end;
+$$ language plpgsql;
+
+create trigger
+ iam_role_disallow_global_deletion
+before
+delete on iam_role
+ for each row execute procedure disallow_r_default_deletion();
+
 create trigger
 update_version_column
 after update on iam_role
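Review bot: The trigger added in the second hunk of 06_iam.up.sql is named `iam_role_disallow_global_deletion`, but the function it calls and the row it protects concern the `r_default` role, not the global scope; the name reads as carried over from the iam_scope trigger above it. Renaming it `iam_role_disallow_r_default_deletion` keeps it aligned with `disallow_r_default_deletion()` and makes the catalog self-describing. The exception text `deletion of r_default not allowed` is asserted verbatim by the new case in repository_role_test.go, so it is now an interface between the migration and the Go code and should be treated as such when edited; a one-line comment above the function, `-- the API handler also rejects this id; this trigger is the enforcing check for every code path that reaches the table`, would record why the check exists in two layers. postgres.gen.go carries the identical hunk as generated output, so any change here has to be regenerated there as well.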
diff --git a/internal/iam/repository_role_test.go b/internal/iam/repository_role_test.go
index 7a56d7335c..30661ff124 100644
--- a/internal/iam/repository_role_test.go
+++ b/internal/iam/repository_role_test.go
@@ -494,14 +494,27 @@ func TestRepository_DeleteRole(t *testing.T) {
 name: "no-public-id",
 args: args{
 role: func() *Role {
-g := allocRole()
-return &g
+r := allocRole()
+return &r
 }(),
 },
 wantRowsDeleted: 0,
 wantErr: true,
 wantErrMsg: "delete role: missing public id invalid parameter",
 },
+{
+name: "r_default",
+args: args{
+role: func() *Role {
+r := allocRole()
+r.PublicId = "r_default"
+return &r
+}(),
+},
+wantRowsDeleted: 0,
+wantErr: true,
+wantErrMsg: `deletion of r_default not allowed`,
+},
 {
 name: "not-found",
 args: args{
diff --git a/internal/servers/controller/handlers/roles/role_service.go b/internal/servers/controller/handlers/roles/role_service.go
index 3c9a4acc0a..b65f349278 100644
--- a/internal/servers/controller/handlers/roles/role_service.go
+++ b/internal/servers/controller/handlers/roles/role_service.go
@@ -620,7 +620,14 @@ func validateUpdateRequest(req *pbs.UpdateRoleRequest) error {
 }
 
 func validateDeleteRequest(req *pbs.DeleteRoleRequest) error {
-return handlers.ValidateDeleteRequest(iam.RolePrefix, req, handlers.NoopValidatorFn)
+return handlers.ValidateDeleteRequest(iam.RolePrefix, req, func() map[string]string {
+if req.GetId() == "r_default" {
+return map[string]string{
+"id": `Deleting "r_default" is not allowed`,
+}
+}
+return nil
+})
 }
 
 func validateListRequest(req *pbs.ListRolesRequest) error {
diff --git a/internal/servers/controller/handlers/roles/role_service_test.go b/internal/servers/controller/handlers/roles/role_service_test.go
index bf95a4c7ee..95c6f1b884 100644
--- a/internal/servers/controller/handlers/roles/role_service_test.go
+++ b/internal/servers/controller/handlers/roles/role_service_test.go
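Review bot: The literal `"r_default"` inside the validator closure in validateDeleteRequest is now one of four copies of the same value on this page (the SQL trigger, the repository test and the handler test carry the others), and the two user-facing messages differ (`Deleting "r_default" is not allowed` here versus `deletion of r_default not allowed` from the trigger), so protecting a second role or changing the id would need coordinated edits in every place. Hoisting the value to a constant in the iam package next to `iam.RolePrefix` (something like `const DefaultRolePublicId = "r_default"`; the name is a suggestion) and comparing `req.GetId() == iam.DefaultRolePublicId` lets the repository test and the handler share one definition, while the SQL must still spell it out. A short comment on the closure would also help a reader: `// Fast-fail with InvalidArgument; the disallow_r_default_deletion trigger remains the enforcing check for any path that bypasses this handler.`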
@@ -284,6 +284,14 @@ func TestDelete(t *testing.T) {
 },
 errCode: codes.NotFound,
 },
+{
+name: "Delete default role",
+scopeId: "global",
+req: &pbs.DeleteRoleRequest{
+Id: "r_default",
+},
+errCode: codes.InvalidArgument,
+},
 {
 name: "Bad Role Id formatting",
 scopeId: or.GetPublicId(),
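Review bot: The new `Delete default role` case pins only `codes.InvalidArgument`, the same code the adjacent `Bad Role Id formatting` case expects, so on its own it does not show that the rejection came from the new check in validateDeleteRequest rather than from the generic id validation in handlers.ValidateDeleteRequest. If the table supports asserting on the returned error text or field details, also checking for the `id` field message `Deleting "r_default" is not allowed` would tie this case to the validator it was added for. TestDelete's body begins and ends outside the hunk.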