diff --git a/src/server/saved_objects/service/create_saved_objects_service.js b/src/server/saved_objects/service/create_saved_objects_service.js
index ff68b5eaee2833..fd471cad2dd23d 100644
--- a/src/server/saved_objects/service/create_saved_objects_service.js
+++ b/src/server/saved_objects/service/create_saved_objects_service.js
@@ -17,6 +17,7 @@
  * under the License.
  */
 
+import { getRootPropertiesObjects } from '../../mappings';
 import { SavedObjectsRepository, ScopedSavedObjectsClientProvider, SavedObjectsRepositoryProvider } from './lib';
 import { SavedObjectsClient } from './saved_objects_client';
 
@@ -58,15 +59,16 @@ export function createSavedObjectsService(server) {
     }
   };
 
+  const mappings = server.getKibanaIndexMappingsDsl();
   const repositoryProvider = new SavedObjectsRepositoryProvider({
     index: server.config().get('kibana.index'),
-    mappings: server.getKibanaIndexMappingsDsl(),
+    mappings,
     onBeforeWrite,
   });
 
   const scopedClientProvider = new ScopedSavedObjectsClientProvider({
     index: server.config().get('kibana.index'),
-    mappings: server.getKibanaIndexMappingsDsl(),
+    mappings,
     onBeforeWrite,
     defaultClientFactory({
       request,
@@ -81,6 +83,7 @@ export function createSavedObjectsService(server) {
   });
 
   return {
+    types: Object.keys(getRootPropertiesObjects(mappings)),
     SavedObjectsClient,
     SavedObjectsRepository,
     getSavedObjectsRepository: (...args) =>
diff --git a/x-pack/plugins/security/common/constants.js b/x-pack/plugins/security/common/constants.js
new file mode 100644
index 00000000000000..1b762d5f15acc6
--- /dev/null
+++ b/x-pack/plugins/security/common/constants.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const ALL_RESOURCE = '*';
diff --git a/x-pack/plugins/security/index.js b/x-pack/plugins/security/index.js
index 5e4602d4480844..b86489171ff269 100644
--- a/x-pack/plugins/security/index.js
+++ b/x-pack/plugins/security/index.js
@@ -8,7 +8,7 @@ import { resolve } from 'path';
 import { getUserProvider } from './server/lib/get_user';
 import { initAuthenticateApi } from './server/routes/api/v1/authenticate';
 import { initUsersApi } from './server/routes/api/v1/users';
-import { initRolesApi } from './server/routes/api/v1/roles';
+import { initPublicRolesApi } from './server/routes/api/public/roles';
 import { initIndicesApi } from './server/routes/api/v1/indices';
 import { initLoginView } from './server/routes/views/login';
 import { initLogoutView } from './server/routes/views/logout';
@@ -16,7 +16,12 @@ import { validateConfig } from './server/lib/validate_config';
 import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
 import { initAuthenticator } from './server/lib/authentication/authenticator';
-import { mirrorPluginStatus } from '../../server/lib/mirror_plugin_status';
+import { initPrivilegesApi } from './server/routes/api/v1/privileges';
+import { SecurityAuditLogger } from './server/lib/audit_logger';
+import { AuditLogger } from '../../server/lib/audit_logger';
+import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
+import { initAuthorizationService, registerPrivilegesWithCluster } from './server/lib/authorization';
+import { watchStatusAndLicenseToInitialize } from './server/lib/watch_status_and_license_to_initialize';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -37,6 +42,14 @@ export const security = (kibana) => new kibana.Plugin({
         hostname: Joi.string().hostname(),
         port: Joi.number().integer().min(0).max(65535)
       }).default(),
+      authorization: Joi.object({
+        legacyFallback: Joi.object({
+          enabled: Joi.boolean().default(true)
+        }).default()
+      }).default(),
+      audit: Joi.object({
+        enabled: Joi.boolean().default(false)
+      }).default(),
     }).default();
   },
 
@@ -64,21 +77,24 @@ export const security = (kibana) => new kibana.Plugin({
 
       return {
         secureCookies: config.get('xpack.security.secureCookies'),
-        sessionTimeout: config.get('xpack.security.sessionTimeout')
+        sessionTimeout: config.get('xpack.security.sessionTimeout'),
       };
     }
   },
 
   async init(server) {
-    const thisPlugin = this;
+    const plugin = this;
+
+    const config = server.config();
     const xpackMainPlugin = server.plugins.xpack_main;
-    mirrorPluginStatus(xpackMainPlugin, thisPlugin);
+    const xpackInfo = xpackMainPlugin.info;
+
+    const xpackInfoFeature = xpackInfo.feature(plugin.id);
 
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
-    xpackMainPlugin.info.feature(thisPlugin.id).registerLicenseCheckResultsGenerator(checkLicense);
+    xpackInfoFeature.registerLicenseCheckResultsGenerator(checkLicense);
 
-    const config = server.config();
     validateConfig(config, message => server.log(['security', 'warning'], message));
 
     // Create a Hapi auth scheme that should be applied to each request.
@@ -88,20 +104,59 @@ export const security = (kibana) => new kibana.Plugin({
     // automatically assigned to all routes that don't contain an auth config.
     server.auth.strategy('session', 'login', 'required');
 
+    // exposes server.plugins.security.authorization
+    initAuthorizationService(server);
+
+    watchStatusAndLicenseToInitialize(xpackMainPlugin, plugin, async (license) => {
+      if (license.allowRbac) {
+        await registerPrivilegesWithCluster(server);
+      }
+    });
+
+    const auditLogger = new SecurityAuditLogger(server.config(), new AuditLogger(server, 'security'));
+
+    const { savedObjects } = server;
+    savedObjects.setScopedSavedObjectsClientFactory(({
+      request,
+    }) => {
+      const adminCluster = server.plugins.elasticsearch.getCluster('admin');
+      const { callWithRequest, callWithInternalUser } = adminCluster;
+      const callCluster = (...args) => callWithRequest(request, ...args);
+
+      const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
+
+      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
+        return new savedObjects.SavedObjectsClient(callWithRequestRepository);
+      }
+
+      const { authorization } = server.plugins.security;
+      const checkPrivileges = authorization.checkPrivilegesWithRequest(request);
+      const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
+
+      return new SecureSavedObjectsClient({
+        internalRepository,
+        callWithRequestRepository,
+        errors: savedObjects.SavedObjectsClient.errors,
+        checkPrivileges,
+        auditLogger,
+        savedObjectTypes: savedObjects.types,
+        actions: authorization.actions,
+      });
+    });
+
     getUserProvider(server);
 
     await initAuthenticator(server);
     initAuthenticateApi(server);
     initUsersApi(server);
-    initRolesApi(server);
+    initPublicRolesApi(server);
     initIndicesApi(server);
+    initPrivilegesApi(server);
     initLoginView(server, xpackMainPlugin);
     initLogoutView(server);
 
     server.injectUiAppVars('login', () => {
-      const pluginId = 'security';
-      const xpackInfo = server.plugins.xpack_main.info;
-      const { showLogin, loginMessage, allowLogin } = xpackInfo.feature(pluginId).getLicenseCheckResults() || {};
+      const { showLogin, loginMessage, allowLogin } = xpackInfo.feature(plugin.id).getLicenseCheckResults() || {};
 
       return {
         loginState: {
diff --git a/x-pack/plugins/security/public/lib/api.js b/x-pack/plugins/security/public/lib/api.js
index 908a0ceaf31035..a41afcc0d4a3f8 100644
--- a/x-pack/plugins/security/public/lib/api.js
+++ b/x-pack/plugins/security/public/lib/api.js
@@ -6,7 +6,7 @@
 import chrome from 'ui/chrome';
 
 const usersUrl = chrome.addBasePath('/api/security/v1/users');
-const rolesUrl = chrome.addBasePath('/api/security/v1/roles');
+const rolesUrl = chrome.addBasePath('/api/security/role');
 
 export const createApiClient = (httpClient) => {
   return {
diff --git a/x-pack/plugins/security/public/services/application_privilege.js b/x-pack/plugins/security/public/services/application_privilege.js
new file mode 100644
index 00000000000000..615188cad33d7f
--- /dev/null
+++ b/x-pack/plugins/security/public/services/application_privilege.js
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import 'angular-resource';
+import { uiModules } from 'ui/modules';
+
+const module = uiModules.get('security', ['ngResource']);
+module.service('ApplicationPrivileges', ($resource, chrome) => {
+  const baseUrl = chrome.addBasePath('/api/security/v1/privileges');
+  return $resource(baseUrl);
+});
diff --git a/x-pack/plugins/security/public/services/shield_privileges.js b/x-pack/plugins/security/public/services/shield_privileges.js
index aabd0a95b26cab..a00b326ab82da3 100644
--- a/x-pack/plugins/security/public/services/shield_privileges.js
+++ b/x-pack/plugins/security/public/services/shield_privileges.js
@@ -35,5 +35,6 @@ module.constant('shieldPrivileges', {
     'create_index',
     'view_index_metadata',
     'read_cross_cluster',
-  ]
+  ],
+  applications: []
 });
diff --git a/x-pack/plugins/security/public/services/shield_role.js b/x-pack/plugins/security/public/services/shield_role.js
index 1954415f0384bd..3ee73dbad57dbb 100644
--- a/x-pack/plugins/security/public/services/shield_role.js
+++ b/x-pack/plugins/security/public/services/shield_role.js
@@ -5,11 +5,20 @@
  */
 
 import 'angular-resource';
+import { omit } from 'lodash';
+import angular from 'angular';
 import { uiModules } from 'ui/modules';
 
 const module = uiModules.get('security', ['ngResource']);
 module.service('ShieldRole', ($resource, chrome) => {
-  return $resource(chrome.addBasePath('/api/security/v1/roles/:name'), {
+  return $resource(chrome.addBasePath('/api/security/role/:name'), {
     name: '@name'
+  }, {
+    save: {
+      method: 'PUT',
+      transformRequest(data) {
+        return angular.toJson(omit(data, 'name', 'transient_metadata', '_unrecognized_applications'));
+      }
+    }
   });
 });
diff --git a/x-pack/plugins/security/public/views/management/edit_role.html b/x-pack/plugins/security/public/views/management/edit_role.html
index f547788606cc32..490e1c0e8f8c5e 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.html
+++ b/x-pack/plugins/security/public/views/management/edit_role.html
@@ -1,8 +1,10 @@
 <kbn-management-app section="security" omit-breadcrumb-pages="['edit']">
   <!-- This content gets injected below the localNav. -->
   <div class="kuiViewContent kuiViewContent--constrainedWidth kuiViewContentItem">
+
     <!-- Subheader -->
     <div class="kuiBar kuiVerticalRhythm">
+
       <div class="kuiBarSection">
         <!-- Title -->
         <h1 class="kuiTitle">
@@ -39,6 +41,18 @@ <h1 class="kuiTitle">
       </div>
     </div>
 
+    <div class="kuiBar kuiVerticalRhythm" ng-if="otherApplications.length > 0">
+      <div class="kuiInfoPanel kuiInfoPanel--warning">
+        <div class="kuiInfoPanelHeader">
+          <span class="kuiInfoPanelHeader__icon kuiIcon kuiIcon--warning fa-warning"></span>
+          <span class="kuiInfoPanelHeader__title">
+            This role contains application privileges for the {{ otherApplications.join(', ') }} application(s) that can't be edited.
+            If they are for other instances of Kibana, you must manage those privileges on that Kibana instance.
+          </span>
+        </div>
+      </div>
+    </div>
+
     <!-- Form -->
     <form name="form" novalidate class="kuiVerticalRhythm">
       <!-- Name -->
@@ -56,7 +70,7 @@ <h1 class="kuiTitle">
           ng-model="role.name"
           required
           pattern="[a-zA-Z_][a-zA-Z0-9_@\-\$\.]*"
-          maxlength="30"
+          maxlength="1024"
           data-test-subj="roleFormNameInput"
         />
 
@@ -87,15 +101,36 @@ <h1 class="kuiTitle">
               <input
                 class="kuiCheckBox"
                 type="checkbox"
-                ng-checked="includes(role.cluster, privilege)"
-                ng-click="toggle(role.cluster, privilege)"
+                ng-checked="includes(role.elasticsearch.cluster, privilege)"
+                ng-click="toggle(role.elasticsearch.cluster, privilege)"
                 ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
+                data-test-subj="clusterPrivileges-{{privilege}}"
               />
               <span class="kuiOptionLabel">{{privilege}}</span>
             </label>
           </div>
         </div>
 
+        <!-- Kibana custom privileges -->
+        <div class="kuiFormSection">
+          <label class="kuiFormLabel">
+            Kibana Privileges
+          </label>
+
+          <div ng-repeat="(key, value) in kibanaPrivilegesViewModel">
+            <label>
+              <input
+                class="kuiCheckBox"
+                type="checkbox"
+                ng-model="kibanaPrivilegesViewModel[key]"
+                ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
+                data-test-subj="kibanaPrivileges-{{key}}"
+              />
+              <span class="kuiOptionLabel">{{key}}</span>
+            </label>
+          </div>
+        </div>
+
         <!-- Run-as privileges -->
         <div class="kuiFormSection">
           <label class="kuiFormLabel">
@@ -103,7 +138,7 @@ <h1 class="kuiTitle">
           </label>
           <ui-select
             multiple
-            ng-model="role.run_as"
+            ng-model="role.elasticsearch.run_as"
             ng-disabled="role.metadata._reserved || !isRoleEnabled(role)"
           >
             <ui-select-match placeholder="Add a user...">
@@ -119,7 +154,7 @@ <h1 class="kuiTitle">
         <div class="kuiFormSection">
           <kbn-index-privileges-form
             is-new-role="editRole.isNewRole"
-            indices="role.indices"
+            indices="role.elasticsearch.indices"
             index-patterns="indexPatterns"
             privileges="privileges"
             field-options="editRole.fieldOptions"
@@ -140,7 +175,7 @@ <h1 class="kuiTitle">
             class="kuiButton kuiButton--primary"
             ng-click="saveRole(role)"
             ng-if="!role.metadata._reserved && isRoleEnabled(role)"
-            ng-disabled="form.$invalid || !areIndicesValid(role.indices)"
+            ng-disabled="form.$invalid || !areIndicesValid(role.elasticsearch.indices)"
             data-test-subj="roleFormSaveButton"
           >
             Save
diff --git a/x-pack/plugins/security/public/views/management/edit_role.js b/x-pack/plugins/security/public/views/management/edit_role.js
index ab32caf4b2f53c..d2c7dd2cb39d80 100644
--- a/x-pack/plugins/security/public/views/management/edit_role.js
+++ b/x-pack/plugins/security/public/views/management/edit_role.js
@@ -11,6 +11,7 @@ import { toggle } from 'plugins/security/lib/util';
 import { isRoleEnabled } from 'plugins/security/lib/role';
 import template from 'plugins/security/views/management/edit_role.html';
 import 'angular-ui-select';
+import 'plugins/security/services/application_privilege';
 import 'plugins/security/services/shield_user';
 import 'plugins/security/services/shield_role';
 import 'plugins/security/services/shield_privileges';
@@ -22,6 +23,42 @@ import { checkLicenseError } from 'plugins/security/lib/check_license_error';
 import { GateKeeperProvider } from 'plugins/xpack_main/services/gate_keeper';
 import { EDIT_ROLES_PATH, ROLES_PATH } from './management_urls';
 
+const getKibanaPrivilegesViewModel = (applicationPrivileges, roleKibanaPrivileges) => {
+  const viewModel = applicationPrivileges.reduce((acc, applicationPrivilege) => {
+    acc[applicationPrivilege.name] = false;
+    return acc;
+  }, {});
+
+  if (!roleKibanaPrivileges || roleKibanaPrivileges.length === 0) {
+    return viewModel;
+  }
+
+  const assignedPrivileges = _.uniq(_.flatten(_.pluck(roleKibanaPrivileges, 'privileges')));
+  assignedPrivileges.forEach(assignedPrivilege => {
+    // we don't want to display privileges that aren't in our expected list of privileges
+    if (assignedPrivilege in viewModel) {
+      viewModel[assignedPrivilege] = true;
+    }
+  });
+
+  return viewModel;
+};
+
+const getKibanaPrivileges = (kibanaPrivilegesViewModel) => {
+  const selectedPrivileges = Object.keys(kibanaPrivilegesViewModel).filter(key => kibanaPrivilegesViewModel[key]);
+
+  // if we have any selected privileges, add a single application entry
+  if (selectedPrivileges.length > 0) {
+    return [
+      {
+        privileges: selectedPrivileges
+      }
+    ];
+  }
+
+  return [];
+};
+
 routes.when(`${EDIT_ROLES_PATH}/:name?`, {
   template,
   resolve: {
@@ -46,11 +83,19 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
           });
       }
       return new ShieldRole({
-        cluster: [],
-        indices: [],
-        run_as: []
+        elasticsearch: {
+          cluster: [],
+          indices: [],
+          run_as: [],
+        },
+        kibana: [],
+        _unrecognized_applications: []
       });
     },
+    applicationPrivileges(ApplicationPrivileges, kbnUrl, Promise, Private) {
+      return ApplicationPrivileges.query().$promise
+        .catch(checkLicenseError(kbnUrl, Promise, Private));
+    },
     users(ShieldUser, kbnUrl, Promise, Private) {
       // $promise is used here because the result is an ngResource, not a promise itself
       return ShieldUser.query().$promise
@@ -75,6 +120,12 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.users = $route.current.locals.users;
     $scope.indexPatterns = $route.current.locals.indexPatterns;
     $scope.privileges = shieldPrivileges;
+
+    const applicationPrivileges = $route.current.locals.applicationPrivileges;
+    const role = $route.current.locals.role;
+    $scope.kibanaPrivilegesViewModel = getKibanaPrivilegesViewModel(applicationPrivileges, role.kibana);
+    $scope.otherApplications = role._unrecognized_applications;
+
     $scope.rolesHref = `#${ROLES_PATH}`;
 
     this.isNewRole = $route.current.params.name == null;
@@ -95,8 +146,11 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     };
 
     $scope.saveRole = (role) => {
-      role.indices = role.indices.filter((index) => index.names.length);
-      role.indices.forEach((index) => index.query || delete index.query);
+      role.elasticsearch.indices = role.elasticsearch.indices.filter((index) => index.names.length);
+      role.elasticsearch.indices.forEach((index) => index.query || delete index.query);
+
+      role.kibana = getKibanaPrivileges($scope.kibanaPrivilegesViewModel);
+
       return role.$save()
         .then(() => toastNotifications.addSuccess('Updated role'))
         .then($scope.goToRoleList)
@@ -133,13 +187,14 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
     $scope.allowDocumentLevelSecurity = xpackInfo.get('features.security.allowRoleDocumentLevelSecurity');
     $scope.allowFieldLevelSecurity = xpackInfo.get('features.security.allowRoleFieldLevelSecurity');
 
-    $scope.$watch('role.indices', (indices) => {
+    $scope.$watch('role.elasticsearch.indices', (indices) => {
       if (!indices.length) $scope.addIndex(indices);
       else indices.forEach($scope.fetchFieldOptions);
     }, true);
 
     $scope.toggle = toggle;
     $scope.includes = _.includes;
+
     $scope.union = _.flow(_.union, _.compact);
   }
 });
diff --git a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
index acc211eb0647ea..78a015bc141058 100644
--- a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
+++ b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/server.js
@@ -35,7 +35,13 @@ export function serverFixture() {
       security: {
         getUser: stub(),
         authenticate: stub(),
-        deauthenticate: stub()
+        deauthenticate: stub(),
+        authorization: {
+          checkPrivilegesWithRequest: stub(),
+          actions: {
+            login: 'stub-login-action',
+          },
+        },
       },
 
       xpack_main: {
diff --git a/x-pack/plugins/security/server/lib/__tests__/check_license.js b/x-pack/plugins/security/server/lib/__tests__/check_license.js
index 63f25022267745..bd5420af37d00e 100644
--- a/x-pack/plugins/security/server/lib/__tests__/check_license.js
+++ b/x-pack/plugins/security/server/lib/__tests__/check_license.js
@@ -18,7 +18,6 @@ describe('check_license', function () {
       feature: sinon.stub(),
       license: sinon.stub({
         isOneOf() {},
-        isActive() {}
       })
     };
 
@@ -35,13 +34,13 @@ describe('check_license', function () {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       loginMessage: 'Login is currently disabled. Administrators should consult the Kibana logs for more details.'
     });
   });
 
   it('should not show login page or other security elements if license is basic.', () => {
     mockXPackInfo.license.isOneOf.withArgs(['basic']).returns(true);
-    mockXPackInfo.license.isActive.returns(true);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return true; }
     });
@@ -53,13 +52,13 @@ describe('check_license', function () {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       linksMessage: 'Your Basic license does not support Security. Please upgrade your license.'
     });
   });
 
   it('should not show login page or other security elements if security is disabled in Elasticsearch.', () => {
     mockXPackInfo.license.isOneOf.withArgs(['basic']).returns(false);
-    mockXPackInfo.license.isActive.returns(true);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return false; }
     });
@@ -71,93 +70,45 @@ describe('check_license', function () {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       linksMessage: 'Access is denied because Security is disabled in Elasticsearch.'
     });
   });
 
-  it('should allow to login but forbid document level security if license is not platinum, trial or basic.', () => {
-    const isBasicOrTrialOrPlatinumMatcher = sinon.match(
-      (licenses) => licenses.includes('basic')
-        || licenses.includes('trial')
-        || licenses.includes('platinum')
-    );
+  it('should allow to login and allow RBAC but forbid document level security if license is not platinum or trial.', () => {
     mockXPackInfo.license.isOneOf
-      .returns(true)
-      .withArgs(isBasicOrTrialOrPlatinumMatcher).returns(false);
+      .returns(false)
+      .withArgs(['platinum', 'trial']).returns(false);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return true; }
     });
 
-    mockXPackInfo.license.isActive.returns(true);
     expect(checkLicense(mockXPackInfo)).to.be.eql({
       showLogin: true,
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: false,
-      allowRoleFieldLevelSecurity: false
-    });
-
-    mockXPackInfo.license.isActive.returns(false);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: false,
-      allowRoleFieldLevelSecurity: false
+      allowRoleFieldLevelSecurity: false,
+      allowRbac: true,
     });
   });
 
-  it('should allow to login and document level security if license is platinum.', () => {
+  it('should allow to login, allow RBAC and document level security if license is platinum or trial.', () => {
     mockXPackInfo.license.isOneOf
       .returns(false)
-      .withArgs(sinon.match((licenses) => licenses.includes('platinum'))).returns(true);
+      .withArgs(['platinum', 'trial']).returns(true);
     mockXPackInfo.feature.withArgs('security').returns({
       isEnabled: () => { return true; }
     });
 
-    mockXPackInfo.license.isActive.returns(true);
     expect(checkLicense(mockXPackInfo)).to.be.eql({
       showLogin: true,
       allowLogin: true,
       showLinks: true,
       allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
-    });
-
-    mockXPackInfo.license.isActive.returns(false);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
+      allowRoleFieldLevelSecurity: true,
+      allowRbac: true,
     });
   });
 
-  it('should allow to login and document level security if license is trial.', () => {
-    mockXPackInfo.license.isOneOf
-      .returns(false)
-      .withArgs(sinon.match((licenses) => licenses.includes('trial'))).returns(true);
-    mockXPackInfo.feature.withArgs('security').returns({
-      isEnabled: () => { return true; }
-    });
-
-    mockXPackInfo.license.isActive.returns(true);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
-    });
-
-    mockXPackInfo.license.isActive.returns(false);
-    expect(checkLicense(mockXPackInfo)).to.be.eql({
-      showLogin: true,
-      allowLogin: true,
-      showLinks: true,
-      allowRoleDocumentLevelSecurity: true,
-      allowRoleFieldLevelSecurity: true
-    });
-  });
 });
diff --git a/x-pack/plugins/security/server/lib/__tests__/validate_config.js b/x-pack/plugins/security/server/lib/__tests__/validate_config.js
index 84f098ae442dd9..26d84f6f5559b4 100644
--- a/x-pack/plugins/security/server/lib/__tests__/validate_config.js
+++ b/x-pack/plugins/security/server/lib/__tests__/validate_config.js
@@ -16,7 +16,8 @@ describe('Validate config', function () {
   beforeEach(() => {
     config = {
       get: sinon.stub(),
-      set: sinon.stub()
+      getDefault: sinon.stub(),
+      set: sinon.stub(),
     };
     log.resetHistory();
   });
diff --git a/x-pack/plugins/security/server/lib/audit_logger.js b/x-pack/plugins/security/server/lib/audit_logger.js
new file mode 100644
index 00000000000000..22cf207e3d363a
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/audit_logger.js
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class SecurityAuditLogger {
+  constructor(config, auditLogger) {
+    this._enabled = config.get('xpack.security.audit.enabled');
+    this._auditLogger = auditLogger;
+  }
+
+  savedObjectsAuthorizationFailure(username, action, types, missing, args) {
+    if (!this._enabled) {
+      return;
+    }
+
+    this._auditLogger.log(
+      'saved_objects_authorization_failure',
+      `${username} unauthorized to ${action} ${types.join(',')}, missing ${missing.join(',')}`,
+      {
+        username,
+        action,
+        types,
+        missing,
+        args
+      }
+    );
+  }
+
+  savedObjectsAuthorizationSuccess(username, action, types, args) {
+    if (!this._enabled) {
+      return;
+    }
+
+    this._auditLogger.log(
+      'saved_objects_authorization_success',
+      `${username} authorized to ${action} ${types.join(',')}`,
+      {
+        username,
+        action,
+        types,
+        args,
+      }
+    );
+  }
+}
diff --git a/x-pack/plugins/security/server/lib/audit_logger.test.js b/x-pack/plugins/security/server/lib/audit_logger.test.js
new file mode 100644
index 00000000000000..2157cf514755b6
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/audit_logger.test.js
@@ -0,0 +1,111 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { SecurityAuditLogger } from './audit_logger';
+
+
+const createMockConfig = (settings) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  mockConfig.get.mockImplementation(key => {
+    return settings[key];
+  });
+
+  return mockConfig;
+};
+
+const createMockAuditLogger = () => {
+  return {
+    log: jest.fn()
+  };
+};
+
+describe(`#savedObjectsAuthorizationFailure`, () => {
+  test(`doesn't log anything when xpack.security.audit.enabled is false`, () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': false
+    });
+    const auditLogger = createMockAuditLogger();
+
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    securityAuditLogger.savedObjectsAuthorizationFailure();
+
+    expect(auditLogger.log).toHaveBeenCalledTimes(0);
+  });
+
+  test('logs via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+    const types = [ 'foo-type-1', 'foo-type-2' ];
+    const missing = [`action:saved_objects/${types[0]}/foo-action`, `action:saved_objects/${types[1]}/foo-action`];
+    const args = {
+      'foo': 'bar',
+      'baz': 'quz',
+    };
+
+    securityAuditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'saved_objects_authorization_failure',
+      expect.stringContaining(`${username} unauthorized to ${action}`),
+      {
+        username,
+        action,
+        types,
+        missing,
+        args,
+      }
+    );
+  });
+});
+
+describe(`#savedObjectsAuthorizationSuccess`, () => {
+  test(`doesn't log anything when xpack.security.audit.enabled is false`, () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': false
+    });
+    const auditLogger = createMockAuditLogger();
+
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    securityAuditLogger.savedObjectsAuthorizationSuccess();
+
+    expect(auditLogger.log).toHaveBeenCalledTimes(0);
+  });
+
+  test('logs via auditLogger when xpack.security.audit.enabled is true', () => {
+    const config = createMockConfig({
+      'xpack.security.audit.enabled': true
+    });
+    const auditLogger = createMockAuditLogger();
+    const securityAuditLogger = new SecurityAuditLogger(config, auditLogger);
+    const username = 'foo-user';
+    const action = 'foo-action';
+    const types = [ 'foo-type-1', 'foo-type-2' ];
+    const args = {
+      'foo': 'bar',
+      'baz': 'quz',
+    };
+
+    securityAuditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);
+
+    expect(auditLogger.log).toHaveBeenCalledWith(
+      'saved_objects_authorization_success',
+      expect.stringContaining(`${username} authorized to ${action}`),
+      {
+        username,
+        action,
+        types,
+        args,
+      }
+    );
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/actions.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/actions.test.js.snap
new file mode 100644
index 00000000000000..d65733feb37d46
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/actions.test.js.snap
@@ -0,0 +1,25 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`#getSavedObjectAction() action of "" throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of {} throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of 1 throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of null throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of true throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() action of undefined throws error 1`] = `"action is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of "" throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of {} throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of 1 throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of null throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of true throws error 1`] = `"type is required and must be a string"`;
+
+exports[`#getSavedObjectAction() type of undefined throws error 1`] = `"type is required and must be a string"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
new file mode 100644
index 00000000000000..7609d57b702faf
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/check_privileges.test.js.snap
@@ -0,0 +1,13 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`with a malformed Elasticsearch response throws a validation error when an extra index privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "index" fails because [child "default-index" fails because ["oopsAnExtraPrivilege" is not allowed]]]`;
+
+exports[`with a malformed Elasticsearch response throws a validation error when an extra privilege is present in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because ["oops-an-unexpected-privilege" is not allowed]]]]`;
+
+exports[`with a malformed Elasticsearch response throws a validation error when index privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "index" fails because [child "default-index" fails because [child "read" fails because ["read" is required]]]]`;
+
+exports[`with a malformed Elasticsearch response throws a validation error when privileges are missing in the response 1`] = `[Error: Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child "application" fails because [child "kibana-our_application" fails because [child "&#x2a;" fails because [child "mock-action:version" fails because ["mock-action:version" is required]]]]]`;
+
+exports[`with index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
+
+exports[`with no index privileges throws error if missing version privilege and has login privilege 1`] = `[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
new file mode 100644
index 00000000000000..c65b0d2d6ae391
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/init.test.js.snap
@@ -0,0 +1,9 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`deep freezes exposed service 1`] = `"Cannot delete property 'checkPrivilegesWithRequest' of #<Object>"`;
+
+exports[`deep freezes exposed service 2`] = `"Cannot add property foo, object is not extensible"`;
+
+exports[`deep freezes exposed service 3`] = `"Cannot assign to read only property 'login' of object '#<Object>'"`;
+
+exports[`deep freezes exposed service 4`] = `"Cannot assign to read only property 'application' of object '#<Object>'"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap b/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
new file mode 100644
index 00000000000000..5e1e26a9023ae7
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/__snapshots__/validate_es_response.test.js.snap
@@ -0,0 +1,43 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`validateEsPrivilegeResponse fails validation when an action is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [child \\"action3\\" fails because [\\"action3\\" must be a boolean]]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an action is missing in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [child \\"action2\\" fails because [\\"action2\\" is required]]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an extra action is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"action4\\" is not allowed]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an extra application is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [\\"otherApplication\\" is not allowed]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when an unexpected resource property is present in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the "application" property is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [\\"application\\" is required]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the expected resource property is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the requested application is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [\\"foo-application\\" is required]]"`;
+
+exports[`validateEsPrivilegeResponse fails validation when the resource propertry is malformed in the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"application\\" fails because [child \\"foo-application\\" fails because [child \\"foo-resource\\" fails because [\\"foo-resource\\" must be an object]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the create index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"create\\" fails because [\\"create\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the create index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"create\\" fails because [\\"create\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the delete index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"delete\\" fails because [\\"delete\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the delete index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"delete\\" fails because [\\"delete\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the index privilege response contains an extra privilege 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [\\"foo-permission\\" is not allowed]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the index privilege response returns an extra index 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [\\"anotherIndex\\" is not allowed]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the index property is missing 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [\\"index\\" is required]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the kibana index is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [\\".kibana\\" is required]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the read index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"read\\" fails because [\\"read\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the read index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"read\\" fails because [\\"read\\" is required]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the view_index_metadata index privilege is malformed 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"view_index_metadata\\" fails because [\\"view_index_metadata\\" must be a boolean]]]"`;
+
+exports[`validateEsPrivilegeResponse legacy should fail if the view_index_metadata index privilege is missing from the response 1`] = `"Invalid response received from Elasticsearch has_privilege endpoint. ValidationError: child \\"index\\" fails because [child \\".kibana\\" fails because [child \\"view_index_metadata\\" fails because [\\"view_index_metadata\\" is required]]]"`;
diff --git a/x-pack/plugins/security/server/lib/authorization/actions.js b/x-pack/plugins/security/server/lib/authorization/actions.js
new file mode 100644
index 00000000000000..432698a003cb35
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/actions.js
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import { isString } from 'lodash';
+
+export function actionsFactory(config) {
+  const kibanaVersion = config.get('pkg.version');
+
+  return {
+    getSavedObjectAction(type, action) {
+      if (!type || !isString(type)) {
+        throw new Error('type is required and must be a string');
+      }
+
+      if (!action || !isString(action)) {
+        throw new Error('action is required and must be a string');
+      }
+
+      return `action:saved_objects/${type}/${action}`;
+    },
+    login: `action:login`,
+    version: `version:${kibanaVersion}`,
+  };
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/actions.test.js b/x-pack/plugins/security/server/lib/authorization/actions.test.js
new file mode 100644
index 00000000000000..17834438e17814
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/actions.test.js
@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { actionsFactory } from './actions';
+
+const createMockConfig = (settings = {}) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  mockConfig.get.mockImplementation(key => settings[key]);
+
+  return mockConfig;
+};
+
+describe('#login', () => {
+  test('returns action:login', () => {
+    const mockConfig = createMockConfig();
+
+    const actions = actionsFactory(mockConfig);
+
+    expect(actions.login).toEqual('action:login');
+  });
+});
+
+describe('#version', () => {
+  test(`returns version:\${config.get('pkg.version')}`, () => {
+    const version = 'mock-version';
+    const mockConfig = createMockConfig({ 'pkg.version': version });
+
+    const actions = actionsFactory(mockConfig);
+
+    expect(actions.version).toEqual(`version:${version}`);
+  });
+});
+
+describe('#getSavedObjectAction()', () => {
+  test('uses type and action to build action', () => {
+    const mockConfig = createMockConfig();
+    const actions = actionsFactory(mockConfig);
+    const type = 'saved-object-type';
+    const action = 'saved-object-action';
+
+    const result = actions.getSavedObjectAction(type, action);
+
+    expect(result).toEqual(`action:saved_objects/${type}/${action}`);
+  });
+
+  [null, undefined, '', 1, true, {}].forEach(type => {
+    test(`type of ${JSON.stringify(type)} throws error`, () => {
+      const mockConfig = createMockConfig();
+      const actions = actionsFactory(mockConfig);
+
+      expect(() => actions.getSavedObjectAction(type, 'saved-object-action')).toThrowErrorMatchingSnapshot();
+    });
+  });
+
+  [null, undefined, '', 1, true, {}].forEach(action => {
+    test(`action of ${JSON.stringify(action)} throws error`, () => {
+      const mockConfig = createMockConfig();
+      const actions = actionsFactory(mockConfig);
+
+      expect(() => actions.getSavedObjectAction('saved-object-type', action)).toThrowErrorMatchingSnapshot();
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
new file mode 100644
index 00000000000000..b12658708f2d37
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.js
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { uniq } from 'lodash';
+import { ALL_RESOURCE } from '../../../common/constants';
+import { buildLegacyIndexPrivileges } from './privileges';
+import { validateEsPrivilegeResponse } from './validate_es_response';
+
+export const CHECK_PRIVILEGES_RESULT = {
+  UNAUTHORIZED: Symbol('Unauthorized'),
+  AUTHORIZED: Symbol('Authorized'),
+  LEGACY: Symbol('Legacy'),
+};
+
+export function checkPrivilegesWithRequestFactory(shieldClient, config, actions, application) {
+  const { callWithRequest } = shieldClient;
+
+  const kibanaIndex = config.get('kibana.index');
+
+  const hasIncompatibileVersion = (applicationPrivilegesResponse) => {
+    return !applicationPrivilegesResponse[actions.version] && applicationPrivilegesResponse[actions.login];
+  };
+
+  const hasAllApplicationPrivileges = (applicationPrivilegesResponse) => {
+    return Object.values(applicationPrivilegesResponse).every(val => val === true);
+  };
+
+  const hasNoApplicationPrivileges = (applicationPrivilegesResponse) => {
+    return Object.values(applicationPrivilegesResponse).every(val => val === false);
+  };
+
+  const isLegacyFallbackEnabled = () => {
+    return config.get('xpack.security.authorization.legacyFallback.enabled');
+  };
+
+  const hasLegacyPrivileges = (indexPrivilegesResponse) => {
+    return Object.values(indexPrivilegesResponse).includes(true);
+  };
+
+  const determineResult = (applicationPrivilegesResponse, indexPrivilegesResponse) => {
+    if (hasAllApplicationPrivileges(applicationPrivilegesResponse)) {
+      return CHECK_PRIVILEGES_RESULT.AUTHORIZED;
+    }
+
+    if (
+      isLegacyFallbackEnabled() &&
+      hasNoApplicationPrivileges(applicationPrivilegesResponse) &&
+      hasLegacyPrivileges(indexPrivilegesResponse)
+    ) {
+      return CHECK_PRIVILEGES_RESULT.LEGACY;
+    }
+
+    return CHECK_PRIVILEGES_RESULT.UNAUTHORIZED;
+  };
+
+  return function checkPrivilegesWithRequest(request) {
+
+    return async function checkPrivileges(privileges) {
+      const allApplicationPrivileges = uniq([actions.version, actions.login, ...privileges]);
+      const hasPrivilegesResponse = await callWithRequest(request, 'shield.hasPrivileges', {
+        body: {
+          applications: [{
+            application,
+            resources: [ALL_RESOURCE],
+            privileges: allApplicationPrivileges
+          }],
+          index: [{
+            names: [kibanaIndex],
+            privileges: buildLegacyIndexPrivileges()
+          }],
+        }
+      });
+
+      validateEsPrivilegeResponse(hasPrivilegesResponse, application, allApplicationPrivileges, [ALL_RESOURCE], kibanaIndex);
+
+      const applicationPrivilegesResponse = hasPrivilegesResponse.application[application][ALL_RESOURCE];
+      const indexPrivilegesResponse = hasPrivilegesResponse.index[kibanaIndex];
+
+      if (hasIncompatibileVersion(applicationPrivilegesResponse)) {
+        throw new Error('Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.');
+      }
+
+      return {
+        result: determineResult(applicationPrivilegesResponse, indexPrivilegesResponse),
+        username: hasPrivilegesResponse.username,
+
+        // we only return missing privileges that they're specifically checking for
+        missing: Object.keys(applicationPrivilegesResponse)
+          .filter(privilege => privileges.includes(privilege))
+          .filter(privilege => !applicationPrivilegesResponse[privilege])
+      };
+    };
+  };
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
new file mode 100644
index 00000000000000..510ec3e4852b72
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/check_privileges.test.js
@@ -0,0 +1,470 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { uniq } from 'lodash';
+import { checkPrivilegesWithRequestFactory, CHECK_PRIVILEGES_RESULT } from './check_privileges';
+
+import { ALL_RESOURCE } from '../../../common/constants';
+
+const application = 'kibana-our_application';
+const defaultVersion = 'default-version';
+const defaultKibanaIndex = 'default-index';
+const savedObjectTypes = ['foo-type', 'bar-type'];
+
+const mockActions = {
+  login: 'mock-action:login',
+  version: 'mock-action:version',
+};
+
+const createMockConfig = (settings = {}) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  const defaultSettings = {
+    'pkg.version': defaultVersion,
+    'kibana.index': defaultKibanaIndex,
+    'xpack.security.authorization.legacyFallback.enabled': true,
+  };
+
+  mockConfig.get.mockImplementation(key => {
+    return key in settings ? settings[key] : defaultSettings[key];
+  });
+
+  return mockConfig;
+};
+
+const createMockShieldClient = (response) => {
+  const mockCallWithRequest = jest.fn();
+
+  mockCallWithRequest.mockImplementationOnce(async () => response);
+
+  return {
+    callWithRequest: mockCallWithRequest,
+  };
+};
+
+const checkPrivilegesTest = (
+  description, {
+    settings,
+    privileges,
+    applicationPrivilegesResponse,
+    indexPrivilegesResponse,
+    expectedResult,
+    expectErrorThrown,
+  }) => {
+
+  test(description, async () => {
+    const username = 'foo-username';
+    const mockConfig = createMockConfig(settings);
+    const mockShieldClient = createMockShieldClient({
+      username,
+      application: {
+        [application]: {
+          [ALL_RESOURCE]: applicationPrivilegesResponse
+        }
+      },
+      index: {
+        [defaultKibanaIndex]: indexPrivilegesResponse
+      },
+    });
+
+    const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(mockShieldClient, mockConfig, mockActions, application);
+    const request = Symbol();
+    const checkPrivileges = checkPrivilegesWithRequest(request);
+
+    let actualResult;
+    let errorThrown = null;
+    try {
+      actualResult = await checkPrivileges(privileges);
+    } catch (err) {
+      errorThrown = err;
+    }
+
+
+    expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.hasPrivileges', {
+      body: {
+        applications: [{
+          application,
+          resources: [ALL_RESOURCE],
+          privileges: uniq([
+            mockActions.version, mockActions.login, ...privileges
+          ])
+        }],
+        index: [{
+          names: [defaultKibanaIndex],
+          privileges: ['create', 'delete', 'read', 'view_index_metadata']
+        }],
+      }
+    });
+
+    if (expectedResult) {
+      expect(errorThrown).toBeNull();
+      expect(actualResult).toEqual(expectedResult);
+    }
+
+    if (expectErrorThrown) {
+      expect(errorThrown).toMatchSnapshot();
+    }
+  });
+};
+
+describe(`with no index privileges`, () => {
+  const indexPrivilegesResponse = {
+    create: false,
+    delete: false,
+    read: false,
+    view_index_metadata: false,
+  };
+
+  checkPrivilegesTest('returns authorized if they have all application privileges', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username: 'foo-username',
+      missing: [],
+    }
+  });
+
+  checkPrivilegesTest('returns unauthorized and missing application action when checking missing application action', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+      `action:saved_objects/${savedObjectTypes[0]}/create`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/create`]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [`action:saved_objects/${savedObjectTypes[0]}/create`],
+    }
+  });
+
+  checkPrivilegesTest('returns unauthorized and missing login when checking missing login action', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.login
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.login],
+    }
+  });
+
+  checkPrivilegesTest('returns unauthorized and missing version if checking missing version action', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.version
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.version],
+    }
+  });
+
+  checkPrivilegesTest('throws error if missing version privilege and has login privilege', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: true,
+      [mockActions.version]: false,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true
+  });
+});
+
+describe(`with index privileges`, () => {
+  const indexPrivilegesResponse = {
+    create: true,
+    delete: true,
+    read: true,
+    view_index_metadata: true,
+  };
+
+  checkPrivilegesTest('returns authorized if they have all application privileges', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username: 'foo-username',
+      missing: [],
+    }
+  });
+
+  checkPrivilegesTest('returns unauthorized and missing application action when checking missing application action', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+      `action:saved_objects/${savedObjectTypes[0]}/create`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/create`]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [`action:saved_objects/${savedObjectTypes[0]}/create`],
+    }
+  });
+
+  checkPrivilegesTest('returns legacy and missing login when checking missing login action and fallback is enabled', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.login
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username: 'foo-username',
+      missing: [mockActions.login],
+    }
+  });
+
+  checkPrivilegesTest('returns unauthorized and missing login when checking missing login action and fallback is disabled', {
+    settings: {
+      'xpack.security.authorization.legacyFallback.enabled': false,
+    },
+    username: 'foo-username',
+    privileges: [
+      mockActions.login
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.login],
+    }
+  });
+
+  checkPrivilegesTest('returns legacy and missing version if checking missing version action and fallback is enabled', {
+    username: 'foo-username',
+    privileges: [
+      mockActions.version
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username: 'foo-username',
+      missing: [mockActions.version],
+    }
+  });
+
+  checkPrivilegesTest('returns unauthorized and missing version if checking missing version action and fallback is disabled', {
+    settings: {
+      'xpack.security.authorization.legacyFallback.enabled': false,
+    },
+    username: 'foo-username',
+    privileges: [
+      mockActions.version
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: false,
+      [mockActions.version]: false,
+    },
+    indexPrivilegesResponse,
+    expectedResult: {
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username: 'foo-username',
+      missing: [mockActions.version],
+    }
+  });
+
+  checkPrivilegesTest('throws error if missing version privilege and has login privilege', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.login]: true,
+      [mockActions.version]: false,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true
+  });
+});
+
+describe('with no application privileges', () => {
+  ['create', 'delete', 'read', 'view_index_metadata'].forEach(indexPrivilege => {
+    checkPrivilegesTest(`returns legacy if they have ${indexPrivilege} privilege on the kibana index and fallback is enabled`, {
+      username: 'foo-username',
+      privileges: [
+        `action:saved_objects/${savedObjectTypes[0]}/get`
+      ],
+      applicationPrivilegesResponse: {
+        [mockActions.version]: false,
+        [mockActions.login]: false,
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+      },
+      indexPrivilegesResponse: {
+        create: false,
+        delete: false,
+        read: false,
+        view_index_metadata: false,
+        [indexPrivilege]: true
+      },
+      expectedResult: {
+        result: CHECK_PRIVILEGES_RESULT.LEGACY,
+        username: 'foo-username',
+        missing: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      }
+    });
+
+    checkPrivilegesTest(`returns unauthorized if they have ${indexPrivilege} privilege on the kibana index and fallback is disabled`, {
+      settings: {
+        'xpack.security.authorization.legacyFallback.enabled': false,
+      },
+      username: 'foo-username',
+      privileges: [
+        `action:saved_objects/${savedObjectTypes[0]}/get`
+      ],
+      applicationPrivilegesResponse: {
+        [mockActions.version]: false,
+        [mockActions.login]: false,
+        [`action:saved_objects/${savedObjectTypes[0]}/get`]: false,
+      },
+      indexPrivilegesResponse: {
+        create: false,
+        delete: false,
+        read: false,
+        view_index_metadata: false,
+        [indexPrivilege]: true
+      },
+      expectedResult: {
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username: 'foo-username',
+        missing: [`action:saved_objects/${savedObjectTypes[0]}/get`],
+      }
+    });
+  });
+});
+
+describe('with a malformed Elasticsearch response', () => {
+  const indexPrivilegesResponse = {
+    create: true,
+    delete: true,
+    read: true,
+    view_index_metadata: true,
+  };
+
+  checkPrivilegesTest('throws a validation error when an extra privilege is present in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+      ['oops-an-unexpected-privilege']: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true,
+  });
+
+  checkPrivilegesTest('throws a validation error when privileges are missing in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse,
+    expectErrorThrown: true,
+  });
+
+  checkPrivilegesTest('throws a validation error when an extra index privilege is present in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse: {
+      ...indexPrivilegesResponse,
+      oopsAnExtraPrivilege: true,
+    },
+    expectErrorThrown: true,
+  });
+
+  const missingIndexPrivileges = {
+    ...indexPrivilegesResponse
+  };
+  delete missingIndexPrivileges.read;
+
+  checkPrivilegesTest('throws a validation error when index privileges are missing in the response', {
+    username: 'foo-username',
+    privileges: [
+      `action:saved_objects/${savedObjectTypes[0]}/get`,
+    ],
+    applicationPrivilegesResponse: {
+      [mockActions.version]: true,
+      [mockActions.login]: true,
+      [`action:saved_objects/${savedObjectTypes[0]}/get`]: true,
+    },
+    indexPrivilegesResponse: missingIndexPrivileges,
+    expectErrorThrown: true,
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/deep_freeze.js b/x-pack/plugins/security/server/lib/authorization/deep_freeze.js
new file mode 100644
index 00000000000000..0f9363cb410f6c
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/deep_freeze.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { isObject } from 'lodash';
+
+export function deepFreeze(object) {
+  // for any properties that reference an object, makes sure that object is
+  // recursively frozen as well
+  Object.keys(object).forEach(key => {
+    const value = object[key];
+    if (isObject(value)) {
+      deepFreeze(value);
+    }
+  });
+
+  return Object.freeze(object);
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js b/x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js
new file mode 100644
index 00000000000000..dd227fa6269bff
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/deep_freeze.test.js
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { deepFreeze } from './deep_freeze';
+
+test(`freezes result and input`, () => {
+  const input = {};
+  const result = deepFreeze(input);
+
+  Object.isFrozen(input);
+  Object.isFrozen(result);
+});
+
+test(`freezes top-level properties that are objects`, () => {
+  const result = deepFreeze({
+    object: {},
+    array: [],
+    fn: () => {},
+    number: 1,
+    string: '',
+  });
+
+  Object.isFrozen(result.object);
+  Object.isFrozen(result.array);
+  Object.isFrozen(result.fn);
+  Object.isFrozen(result.number);
+  Object.isFrozen(result.string);
+});
+
+test(`freezes child properties that are objects`, () => {
+  const result = deepFreeze({
+    object: {
+      object: {
+      },
+      array: [],
+      fn: () => {},
+      number: 1,
+      string: '',
+    },
+    array: [
+      {},
+      [],
+      () => {},
+      1,
+      '',
+    ],
+  });
+
+  Object.isFrozen(result.object.object);
+  Object.isFrozen(result.object.array);
+  Object.isFrozen(result.object.fn);
+  Object.isFrozen(result.object.number);
+  Object.isFrozen(result.object.string);
+  Object.isFrozen(result.array[0]);
+  Object.isFrozen(result.array[1]);
+  Object.isFrozen(result.array[2]);
+  Object.isFrozen(result.array[3]);
+  Object.isFrozen(result.array[4]);
+});
+
+test(`freezes grand-child properties that are objects`, () => {
+  const result = deepFreeze({
+    object: {
+      object: {
+        object: {
+        },
+        array: [],
+        fn: () => {},
+        number: 1,
+        string: '',
+      },
+    },
+    array: [
+      [
+        {},
+        [],
+        () => {},
+        1,
+        '',
+      ],
+    ],
+  });
+
+  Object.isFrozen(result.object.object.object);
+  Object.isFrozen(result.object.object.array);
+  Object.isFrozen(result.object.object.fn);
+  Object.isFrozen(result.object.object.number);
+  Object.isFrozen(result.object.object.string);
+  Object.isFrozen(result.array[0][0]);
+  Object.isFrozen(result.array[0][1]);
+  Object.isFrozen(result.array[0][2]);
+  Object.isFrozen(result.array[0][3]);
+  Object.isFrozen(result.array[0][4]);
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/index.js b/x-pack/plugins/security/server/lib/authorization/index.js
new file mode 100644
index 00000000000000..e0029a3caeafd1
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/index.js
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { CHECK_PRIVILEGES_RESULT } from './check_privileges';
+export { registerPrivilegesWithCluster } from './register_privileges_with_cluster';
+export { buildPrivilegeMap } from './privileges';
+export { initAuthorizationService } from './init';
diff --git a/x-pack/plugins/security/server/lib/authorization/init.js b/x-pack/plugins/security/server/lib/authorization/init.js
new file mode 100644
index 00000000000000..f99bf6d25d26fe
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/init.js
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { actionsFactory } from './actions';
+import { checkPrivilegesWithRequestFactory } from './check_privileges';
+import { deepFreeze } from './deep_freeze';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+export function initAuthorizationService(server) {
+  const shieldClient = getClient(server);
+  const config = server.config();
+
+  const actions = actionsFactory(config);
+  const application = `kibana-${config.get('kibana.index')}`;
+
+  server.expose('authorization', deepFreeze({
+    actions,
+    application,
+    checkPrivilegesWithRequest: checkPrivilegesWithRequestFactory(shieldClient, config, actions, application),
+  }));
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/init.test.js b/x-pack/plugins/security/server/lib/authorization/init.test.js
new file mode 100644
index 00000000000000..d70e08934c131f
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/init.test.js
@@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { initAuthorizationService } from './init';
+import { actionsFactory } from './actions';
+import { checkPrivilegesWithRequestFactory } from './check_privileges';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+jest.mock('./check_privileges', () => ({
+  checkPrivilegesWithRequestFactory: jest.fn(),
+}));
+
+jest.mock('../../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn(),
+}));
+
+jest.mock('./actions', () => ({
+  actionsFactory: jest.fn(),
+}));
+
+const createMockConfig = (settings = {}) => {
+  const mockConfig = {
+    get: jest.fn()
+  };
+
+  mockConfig.get.mockImplementation(key => settings[key]);
+
+  return mockConfig;
+};
+
+test(`calls server.expose with exposed services`, () => {
+  const kibanaIndex = '.a-kibana-index';
+  const mockConfig = createMockConfig({
+    'kibana.index': kibanaIndex
+  });
+  const mockServer = {
+    expose: jest.fn(),
+    config: jest.fn().mockReturnValue(mockConfig)
+  };
+  const mockShieldClient = Symbol();
+  getClient.mockReturnValue(mockShieldClient);
+  const mockCheckPrivilegesWithRequest = Symbol();
+  checkPrivilegesWithRequestFactory.mockReturnValue(mockCheckPrivilegesWithRequest);
+  const mockActions = Symbol();
+  actionsFactory.mockReturnValue(mockActions);
+  mockConfig.get.mock;
+
+  initAuthorizationService(mockServer);
+
+  const application = `kibana-${kibanaIndex}`;
+  expect(getClient).toHaveBeenCalledWith(mockServer);
+  expect(actionsFactory).toHaveBeenCalledWith(mockConfig);
+  expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockShieldClient, mockConfig, mockActions, application);
+  expect(mockServer.expose).toHaveBeenCalledWith('authorization', {
+    actions: mockActions,
+    application,
+    checkPrivilegesWithRequest: mockCheckPrivilegesWithRequest,
+  });
+});
+
+test(`deep freezes exposed service`, () => {
+  const mockConfig = createMockConfig({
+    'kibana.index': ''
+  });
+  const mockServer = {
+    expose: jest.fn(),
+    config: jest.fn().mockReturnValue(mockConfig)
+  };
+  actionsFactory.mockReturnValue({
+    login: 'login',
+  });
+
+  initAuthorizationService(mockServer);
+
+  const exposed = mockServer.expose.mock.calls[0][1];
+  expect(() => delete exposed.checkPrivilegesWithRequest).toThrowErrorMatchingSnapshot();
+  expect(() => exposed.foo = 'bar').toThrowErrorMatchingSnapshot();
+  expect(() => exposed.actions.login = 'not-login').toThrowErrorMatchingSnapshot();
+  expect(() => exposed.application = 'changed').toThrowErrorMatchingSnapshot();
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/privileges.js b/x-pack/plugins/security/server/lib/authorization/privileges.js
new file mode 100644
index 00000000000000..6f64871ed75566
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/privileges.js
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export function buildPrivilegeMap(savedObjectTypes, application, actions) {
+  const buildSavedObjectsActions = (savedObjectActions) => {
+    return savedObjectTypes
+      .map(type => savedObjectActions.map(savedObjectAction => actions.getSavedObjectAction(type, savedObjectAction)))
+      .reduce((acc, types) => [...acc, ...types], []);
+  };
+
+  // the following list of privileges should only be added to, you can safely remove actions, but not privileges as
+  // it's a backwards compatibility issue and we'll have to at least adjust registerPrivilegesWithCluster to support it
+  return {
+    all: {
+      application,
+      name: 'all',
+      actions: [actions.version, 'action:*'],
+      metadata: {}
+    },
+    read: {
+      application,
+      name: 'read',
+      actions: [actions.version, actions.login, ...buildSavedObjectsActions(['get', 'bulk_get', 'find'])],
+      metadata: {}
+    }
+  };
+}
+
+export function buildLegacyIndexPrivileges() {
+  return ['create', 'delete', 'read', 'view_index_metadata'];
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
new file mode 100644
index 00000000000000..826cdab4b42040
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.js
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { difference, isEmpty, isEqual } from 'lodash';
+import { buildPrivilegeMap } from './privileges';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+
+export async function registerPrivilegesWithCluster(server) {
+
+  const { authorization } = server.plugins.security;
+  const { types: savedObjectTypes } = server.savedObjects;
+  const { actions, application } = authorization;
+
+  const shouldRemovePrivileges = (existingPrivileges, expectedPrivileges) => {
+    if (isEmpty(existingPrivileges)) {
+      return false;
+    }
+
+    return difference(Object.keys(existingPrivileges[application]), Object.keys(expectedPrivileges[application])).length > 0;
+  };
+
+  const expectedPrivileges = {
+    [application]: buildPrivilegeMap(savedObjectTypes, application, actions)
+  };
+
+  server.log(['security', 'debug'], `Registering Kibana Privileges with Elasticsearch for ${application}`);
+
+  const callCluster = getClient(server).callWithInternalUser;
+
+  try {
+    // we only want to post the privileges when they're going to change as Elasticsearch has
+    // to clear the role cache to get these changes reflected in the _has_privileges API
+    const existingPrivileges = await callCluster(`shield.getPrivilege`, { privilege: application });
+    if (isEqual(existingPrivileges, expectedPrivileges)) {
+      server.log(['security', 'debug'], `Kibana Privileges already registered with Elasticearch for ${application}`);
+      return;
+    }
+
+    // The ES privileges POST endpoint only allows us to add new privileges, or update specified privileges; it doesn't
+    // remove unspecified privileges. We don't currently have a need to remove privileges, as this would be a
+    // backwards compatibility issue, and we'd have to figure out how to migrate roles, so we're throwing an Error if we
+    // unintentionally get ourselves in this position.
+    if (shouldRemovePrivileges(existingPrivileges, expectedPrivileges)) {
+      throw new Error(`Privileges are missing and can't be removed, currently.`);
+    }
+
+    server.log(['security', 'debug'], `Updated Kibana Privileges with Elasticearch for ${application}`);
+    await callCluster('shield.postPrivileges', {
+      body: expectedPrivileges
+    });
+  } catch (err) {
+    server.log(['security', 'error'], `Error registering Kibana Privileges with Elasticsearch for ${application}: ${err.message}`);
+    throw err;
+  }
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
new file mode 100644
index 00000000000000..f326d85fdeee3f
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/register_privileges_with_cluster.test.js
@@ -0,0 +1,353 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { registerPrivilegesWithCluster } from './register_privileges_with_cluster';
+import { getClient } from '../../../../../server/lib/get_client_shield';
+import { buildPrivilegeMap } from './privileges';
+jest.mock('../../../../../server/lib/get_client_shield', () => ({
+  getClient: jest.fn(),
+}));
+jest.mock('./privileges', () => ({
+  buildPrivilegeMap: jest.fn(),
+}));
+
+const registerPrivilegesWithClusterTest = (description, {
+  settings = {},
+  savedObjectTypes,
+  expectedPrivileges,
+  existingPrivileges,
+  throwErrorWhenGettingPrivileges,
+  throwErrorWhenPuttingPrivileges,
+  assert
+}) => {
+  const registerMockCallWithInternalUser = () => {
+    const callWithInternalUser = jest.fn();
+    getClient.mockReturnValue({
+      callWithInternalUser,
+    });
+    return callWithInternalUser;
+  };
+
+  const defaultVersion = 'default-version';
+  const application = 'default-application';
+
+  const createMockServer = () => {
+    const mockServer = {
+      config: jest.fn().mockReturnValue({
+        get: jest.fn(),
+      }),
+      log: jest.fn(),
+      plugins: {
+        security: {
+          authorization: {
+            actions: Symbol(),
+            application
+          }
+        }
+      }
+    };
+
+    const defaultSettings = {
+      'pkg.version': defaultVersion,
+    };
+
+    mockServer.config().get.mockImplementation(key => {
+      return key in settings ? settings[key] : defaultSettings[key];
+    });
+
+    mockServer.savedObjects = {
+      types: savedObjectTypes
+    };
+
+    return mockServer;
+  };
+
+  const createExpectUpdatedPrivileges = (mockServer, mockCallWithInternalUser, privileges, error) => {
+    return () => {
+      expect(error).toBeUndefined();
+      expect(mockCallWithInternalUser).toHaveBeenCalledTimes(2);
+      expect(mockCallWithInternalUser).toHaveBeenCalledWith('shield.getPrivilege', {
+        privilege: application,
+      });
+      expect(mockCallWithInternalUser).toHaveBeenCalledWith(
+        'shield.postPrivileges',
+        {
+          body: {
+            [application]: privileges
+          },
+        }
+      );
+
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Registering Kibana Privileges with Elasticsearch for ${application}`
+      );
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Updated Kibana Privileges with Elasticearch for ${application}`
+      );
+    };
+  };
+
+  const createExpectDidntUpdatePrivileges = (mockServer, mockCallWithInternalUser, error) => {
+    return () => {
+      expect(error).toBeUndefined();
+      expect(mockCallWithInternalUser).toHaveBeenCalledTimes(1);
+      expect(mockCallWithInternalUser).toHaveBeenLastCalledWith('shield.getPrivilege', {
+        privilege: application
+      });
+
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Registering Kibana Privileges with Elasticsearch for ${application}`
+      );
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'debug'],
+        `Kibana Privileges already registered with Elasticearch for ${application}`
+      );
+    };
+  };
+
+  const createExpectErrorThrown = (mockServer, actualError) => {
+    return (expectedErrorMessage) => {
+      expect(actualError).toBeDefined();
+      expect(actualError).toBeInstanceOf(Error);
+      expect(actualError.message).toEqual(expectedErrorMessage);
+
+      expect(mockServer.log).toHaveBeenCalledWith(
+        ['security', 'error'],
+        `Error registering Kibana Privileges with Elasticsearch for ${application}: ${expectedErrorMessage}`
+      );
+    };
+  };
+
+  test(description, async () => {
+    const mockServer = createMockServer();
+    const mockCallWithInternalUser = registerMockCallWithInternalUser()
+      .mockImplementationOnce(async () => {
+        if (throwErrorWhenGettingPrivileges) {
+          throw throwErrorWhenGettingPrivileges;
+        }
+
+        // ES returns an empty object if we don't have any privileges
+        if (!existingPrivileges) {
+          return {};
+        }
+
+        return {
+          [application]: existingPrivileges
+        };
+      })
+      .mockImplementationOnce(async () => {
+        if (throwErrorWhenPuttingPrivileges) {
+          throw throwErrorWhenPuttingPrivileges;
+        }
+      });
+
+    buildPrivilegeMap.mockReturnValue(expectedPrivileges);
+
+    let error;
+    try {
+      await registerPrivilegesWithCluster(mockServer);
+    } catch (err) {
+      error = err;
+    }
+
+    assert({
+      expectUpdatedPrivileges: createExpectUpdatedPrivileges(mockServer, mockCallWithInternalUser, expectedPrivileges, error),
+      expectDidntUpdatePrivileges: createExpectDidntUpdatePrivileges(mockServer, mockCallWithInternalUser, error),
+      expectErrorThrown: createExpectErrorThrown(mockServer, error),
+      mocks: {
+        buildPrivilegeMap,
+        server: mockServer,
+      }
+    });
+  });
+};
+
+registerPrivilegesWithClusterTest(`passes saved object types, application and actions to buildPrivilegeMap`, {
+  settings: {
+    'pkg.version': 'foo-version'
+  },
+  savedObjectTypes: [
+    'foo-type',
+    'bar-type',
+  ],
+  assert: ({ mocks }) => {
+    expect(mocks.buildPrivilegeMap).toHaveBeenCalledWith(
+      ['foo-type', 'bar-type'],
+      mocks.server.plugins.security.authorization.application,
+      mocks.server.plugins.security.authorization.actions,
+    );
+  },
+});
+
+registerPrivilegesWithClusterTest(`inserts privileges when we don't have any existing privileges`, {
+  expectedPrivileges: {
+    expected: true
+  },
+  existingPrivileges: null,
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when simple top-level privileges values don't match`, {
+  expectedPrivileges: {
+    expected: true
+  },
+  existingPrivileges: {
+    expected: false
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`throws error when we have two different top-level privileges`, {
+  expectedPrivileges: {
+    notExpected: true
+  },
+  existingPrivileges: {
+    expected: true
+  },
+  assert: ({ expectErrorThrown }) => {
+    expectErrorThrown(`Privileges are missing and can't be removed, currently.`);
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when we want to add a top-level privilege`, {
+  expectedPrivileges: {
+    expected: true,
+    new: false,
+  },
+  existingPrivileges: {
+    expected: true,
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when nested privileges values don't match`, {
+  expectedPrivileges: {
+    kibana: {
+      expected: true
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      expected: false
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when we have two different nested privileges`, {
+  expectedPrivileges: {
+    kibana: {
+      notExpected: true
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      expected: false
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when nested privileges arrays don't match`, {
+  expectedPrivileges: {
+    kibana: {
+      expected: ['one', 'two']
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      expected: ['one']
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`updates privileges when nested property array values are reordered`, {
+  expectedPrivileges: {
+    kibana: {
+      foo: ['one', 'two']
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      foo: ['two', 'one']
+    }
+  },
+  assert: ({ expectUpdatedPrivileges }) => {
+    expectUpdatedPrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`doesn't update privileges when simple top-level privileges match`, {
+  expectedPrivileges: {
+    expected: true
+  },
+  existingPrivileges: {
+    expected: true
+  },
+  assert: ({ expectDidntUpdatePrivileges }) => {
+    expectDidntUpdatePrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`doesn't update privileges when nested properties are reordered`, {
+  expectedPrivileges: {
+    kibana: {
+      foo: true,
+      bar: false
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      bar: false,
+      foo: true
+    }
+  },
+  assert: ({ expectDidntUpdatePrivileges }) => {
+    expectDidntUpdatePrivileges();
+  }
+});
+
+registerPrivilegesWithClusterTest(`throws and logs error when errors getting privileges`, {
+  throwErrorWhenGettingPrivileges: new Error('Error getting privileges'),
+  assert: ({ expectErrorThrown }) => {
+    expectErrorThrown('Error getting privileges');
+  }
+});
+
+registerPrivilegesWithClusterTest(`throws and logs error when errors putting privileges`, {
+  expectedPrivileges: {
+    kibana: {
+      foo: false,
+      bar: false
+    }
+  },
+  existingPrivileges: {
+    kibana: {
+      foo: true,
+      bar: true
+    }
+  },
+  throwErrorWhenPuttingPrivileges: new Error('Error putting privileges'),
+  assert: ({ expectErrorThrown }) => {
+    expectErrorThrown('Error putting privileges');
+  }
+});
diff --git a/x-pack/plugins/security/server/lib/authorization/validate_es_response.js b/x-pack/plugins/security/server/lib/authorization/validate_es_response.js
new file mode 100644
index 00000000000000..34d618398bc3d3
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/validate_es_response.js
@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Joi from 'joi';
+import { buildLegacyIndexPrivileges } from './privileges';
+
+const legacyIndexPrivilegesSchema = Joi.object({
+  ...buildLegacyIndexPrivileges().reduce((acc, privilege) => {
+    return {
+      ...acc,
+      [privilege]: Joi.bool().required()
+    };
+  }, {})
+}).required();
+
+export function validateEsPrivilegeResponse(response, application, actions, resources, kibanaIndex) {
+  const schema = buildValidationSchema(application, actions, resources, kibanaIndex);
+  const { error, value } = schema.validate(response);
+
+  if (error) {
+    throw new Error(`Invalid response received from Elasticsearch has_privilege endpoint. ${error}`);
+  }
+
+  return value;
+}
+
+function buildActionsValidationSchema(actions) {
+  return Joi.object({
+    ...actions.reduce((acc, action) => {
+      return {
+        ...acc,
+        [action]: Joi.bool().required()
+      };
+    }, {})
+  }).required();
+}
+
+function buildValidationSchema(application, actions, resources, kibanaIndex) {
+
+  const actionValidationSchema = buildActionsValidationSchema(actions);
+
+  const resourceValidationSchema = Joi.object({
+    ...resources.reduce((acc, resource) => {
+      return {
+        ...acc,
+        [resource]: actionValidationSchema
+      };
+    }, {})
+  }).required();
+
+  return Joi.object({
+    username: Joi.string().required(),
+    has_all_requested: Joi.bool(),
+    cluster: Joi.object(),
+    application: Joi.object({
+      [application]: resourceValidationSchema,
+    }).required(),
+    index: Joi.object({
+      [kibanaIndex]: legacyIndexPrivilegesSchema
+    }).required()
+  }).required();
+}
diff --git a/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js b/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js
new file mode 100644
index 00000000000000..f3dbad1b56ac95
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/authorization/validate_es_response.test.js
@@ -0,0 +1,357 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { validateEsPrivilegeResponse } from "./validate_es_response";
+import { buildLegacyIndexPrivileges } from "./privileges";
+
+const resource = 'foo-resource';
+const application = 'foo-application';
+const kibanaIndex = '.kibana';
+
+const commonResponse = {
+  username: 'user',
+  has_all_requested: true,
+};
+
+describe('validateEsPrivilegeResponse', () => {
+  const legacyIndexResponse = {
+    [kibanaIndex]: {
+      'create': true,
+      'delete': true,
+      'read': true,
+      'view_index_metadata': true,
+    }
+  };
+
+  it('should validate a proper response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    const result = validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex);
+    expect(result).toEqual(response);
+  });
+
+  it('fails validation when an action is missing in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action3: true
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an extra action is present in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true,
+            action4: true,
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an action is malformed in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: 'not a boolean',
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an extra application is present in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          }
+        },
+        otherApplication: {
+          [resource]: {
+            action1: true,
+            action2: true,
+            action3: true,
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the requested application is missing from the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {},
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the "application" property is missing from the response', () => {
+    const response = {
+      ...commonResponse,
+      index: {}
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the expected resource property is missing from the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {}
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when an unexpected resource property is present in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          'other-resource': {
+            action1: true,
+            action2: true,
+            action3: true,
+          }
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  it('fails validation when the resource propertry is malformed in the response', () => {
+    const response = {
+      ...commonResponse,
+      application: {
+        [application]: {
+          [resource]: 'not-an-object'
+        }
+      },
+      index: legacyIndexResponse
+    };
+
+    expect(() =>
+      validateEsPrivilegeResponse(response, application, ['action1', 'action2', 'action3'], [resource], kibanaIndex)
+    ).toThrowErrorMatchingSnapshot();
+  });
+
+  describe('legacy', () => {
+    it('should validate a proper response', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: legacyIndexResponse
+      };
+
+      const result = validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex);
+      expect(result).toEqual(response);
+    });
+
+    it('should fail if the index property is missing', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        }
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    it('should fail if the kibana index is missing from the response', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: {}
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    it('should fail if the index privilege response returns an extra index', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: {
+          ...legacyIndexResponse,
+          'anotherIndex': {
+            foo: true
+          }
+        }
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    it('should fail if the index privilege response contains an extra privilege', () => {
+      const response = {
+        ...commonResponse,
+        application: {
+          [application]: {
+            [resource]: {
+              action1: true
+            }
+          }
+        },
+        index: {
+          [kibanaIndex]: {
+            ...legacyIndexResponse[kibanaIndex],
+            'foo-permission': true
+          }
+        }
+      };
+
+      expect(() =>
+        validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+      ).toThrowErrorMatchingSnapshot();
+    });
+
+    buildLegacyIndexPrivileges().forEach(privilege => {
+      test(`should fail if the ${privilege} index privilege is missing from the response`, () => {
+        const response = {
+          ...commonResponse,
+          application: {
+            [application]: {
+              [resource]: {
+                action1: true
+              }
+            }
+          },
+          index: {
+            [kibanaIndex]: {
+              ...legacyIndexResponse[kibanaIndex]
+            }
+          }
+        };
+
+        delete response.index[kibanaIndex][privilege];
+
+        expect(() =>
+          validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+        ).toThrowErrorMatchingSnapshot();
+      });
+
+      test(`should fail if the ${privilege} index privilege is malformed`, () => {
+        const response = {
+          ...commonResponse,
+          application: {
+            [application]: {
+              [resource]: {
+                action1: true
+              }
+            }
+          },
+          index: {
+            [kibanaIndex]: {
+              ...legacyIndexResponse[kibanaIndex]
+            }
+          }
+        };
+
+        response.index[kibanaIndex][privilege] = 'not a boolean';
+
+        expect(() =>
+          validateEsPrivilegeResponse(response, application, ['action1'], [resource], kibanaIndex)
+        ).toThrowErrorMatchingSnapshot();
+      });
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/check_license.js b/x-pack/plugins/security/server/lib/check_license.js
index 624f80e64be79d..b1f26ced352ad8 100644
--- a/x-pack/plugins/security/server/lib/check_license.js
+++ b/x-pack/plugins/security/server/lib/check_license.js
@@ -33,6 +33,7 @@ export function checkLicense(xPackInfo) {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       loginMessage: 'Login is currently disabled. Administrators should consult the Kibana logs for more details.'
     };
   }
@@ -46,6 +47,7 @@ export function checkLicense(xPackInfo) {
       showLinks: false,
       allowRoleDocumentLevelSecurity: false,
       allowRoleFieldLevelSecurity: false,
+      allowRbac: false,
       linksMessage: isLicenseBasic
         ? 'Your Basic license does not support Security. Please upgrade your license.'
         : 'Access is denied because Security is disabled in Elasticsearch.'
@@ -60,6 +62,7 @@ export function checkLicense(xPackInfo) {
     showLinks: true,
     // Only platinum and trial licenses are compliant with field- and document-level security.
     allowRoleDocumentLevelSecurity: isLicensePlatinumOrTrial,
-    allowRoleFieldLevelSecurity: isLicensePlatinumOrTrial
+    allowRoleFieldLevelSecurity: isLicensePlatinumOrTrial,
+    allowRbac: true,
   };
 }
diff --git a/x-pack/plugins/security/server/lib/role_schema.js b/x-pack/plugins/security/server/lib/role_schema.js
deleted file mode 100644
index a38880b89320e2..00000000000000
--- a/x-pack/plugins/security/server/lib/role_schema.js
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import Joi from 'joi';
-
-export const roleSchema = {
-  name: Joi.string().required(),
-  cluster: Joi.array().items(Joi.string()),
-  indices: Joi.array().items({
-    names: Joi.array().items(Joi.string()),
-    field_security: Joi.object().keys({
-      grant: Joi.array().items(Joi.string()),
-      except: Joi.array().items(Joi.string())
-    }),
-    privileges: Joi.array().items(Joi.string()),
-    query: Joi.string().allow('')
-  }),
-  run_as: Joi.array().items(Joi.string()),
-  metadata: Joi.object(),
-  transient_metadata: Joi.object()
-};
\ No newline at end of file
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
new file mode 100644
index 00000000000000..eb19f59c296932
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.js
@@ -0,0 +1,167 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { get, uniq } from 'lodash';
+import { CHECK_PRIVILEGES_RESULT } from '../authorization/check_privileges';
+
+export class SecureSavedObjectsClient {
+  constructor(options) {
+    const {
+      errors,
+      internalRepository,
+      callWithRequestRepository,
+      checkPrivileges,
+      auditLogger,
+      savedObjectTypes,
+      actions,
+    } = options;
+
+    this.errors = errors;
+    this._internalRepository = internalRepository;
+    this._callWithRequestRepository = callWithRequestRepository;
+    this._checkPrivileges = checkPrivileges;
+    this._auditLogger = auditLogger;
+    this._savedObjectTypes = savedObjectTypes;
+    this._actions = actions;
+  }
+
+  async create(type, attributes = {}, options = {}) {
+    return await this._execute(
+      type,
+      'create',
+      { type, attributes, options },
+      repository => repository.create(type, attributes, options),
+    );
+  }
+
+  async bulkCreate(objects, options = {}) {
+    const types = uniq(objects.map(o => o.type));
+    return await this._execute(
+      types,
+      'bulk_create',
+      { objects, options },
+      repository => repository.bulkCreate(objects, options),
+    );
+  }
+
+  async delete(type, id) {
+    return await this._execute(
+      type,
+      'delete',
+      { type, id },
+      repository => repository.delete(type, id),
+    );
+  }
+
+  async find(options = {}) {
+    if (options.type) {
+      return await this._findWithTypes(options);
+    }
+
+    return await this._findAcrossAllTypes(options);
+  }
+
+  async bulkGet(objects = []) {
+    const types = uniq(objects.map(o => o.type));
+    return await this._execute(
+      types,
+      'bulk_get',
+      { objects },
+      repository => repository.bulkGet(objects)
+    );
+  }
+
+  async get(type, id) {
+    return await this._execute(
+      type,
+      'get',
+      { type, id },
+      repository => repository.get(type, id)
+    );
+  }
+
+  async update(type, id, attributes, options = {}) {
+    return await this._execute(
+      type,
+      'update',
+      { type, id, attributes, options },
+      repository => repository.update(type, id, attributes, options)
+    );
+  }
+
+  async _checkSavedObjectPrivileges(actions) {
+    try {
+      return await this._checkPrivileges(actions);
+    } catch(error) {
+      const { reason } = get(error, 'body.error', {});
+      throw this.errors.decorateGeneralError(error, reason);
+    }
+  }
+
+  async _execute(typeOrTypes, action, args, fn) {
+    const types = Array.isArray(typeOrTypes) ? typeOrTypes : [typeOrTypes];
+    const actions = types.map(type => this._actions.getSavedObjectAction(type, action));
+    const { result, username, missing } = await this._checkSavedObjectPrivileges(actions);
+
+    switch (result) {
+      case CHECK_PRIVILEGES_RESULT.AUTHORIZED:
+        this._auditLogger.savedObjectsAuthorizationSuccess(username, action, types, args);
+        return await fn(this._internalRepository);
+      case CHECK_PRIVILEGES_RESULT.LEGACY:
+        return await fn(this._callWithRequestRepository);
+      case CHECK_PRIVILEGES_RESULT.UNAUTHORIZED:
+        this._auditLogger.savedObjectsAuthorizationFailure(username, action, types, missing, args);
+        const msg = `Unable to ${action} ${[...types].sort().join(',')}, missing ${[...missing].sort().join(',')}`;
+        throw this.errors.decorateForbiddenError(new Error(msg));
+      default:
+        throw new Error('Unexpected result from hasPrivileges');
+    }
+  }
+
+  async _findAcrossAllTypes(options) {
+    const action = 'find';
+
+    // we have to filter for only their authorized types
+    const types = this._savedObjectTypes;
+    const typesToPrivilegesMap = new Map(types.map(type => [type, this._actions.getSavedObjectAction(type, action)]));
+    const { result, username, missing } = await this._checkSavedObjectPrivileges(Array.from(typesToPrivilegesMap.values()));
+
+    if (result === CHECK_PRIVILEGES_RESULT.LEGACY) {
+      return await this._callWithRequestRepository.find(options);
+    }
+
+    const authorizedTypes = Array.from(typesToPrivilegesMap.entries())
+      .filter(([ , privilege]) => !missing.includes(privilege))
+      .map(([type]) => type);
+
+    if (authorizedTypes.length === 0) {
+      this._auditLogger.savedObjectsAuthorizationFailure(
+        username,
+        action,
+        types,
+        missing,
+        { options }
+      );
+      throw this.errors.decorateForbiddenError(new Error(`Not authorized to find saved_object`));
+    }
+
+    this._auditLogger.savedObjectsAuthorizationSuccess(username, action, authorizedTypes, { options });
+
+    return await this._internalRepository.find({
+      ...options,
+      type: authorizedTypes
+    });
+  }
+
+  async _findWithTypes(options) {
+    return await this._execute(
+      options.type,
+      'find',
+      { options },
+      repository => repository.find(options)
+    );
+  }
+}
diff --git a/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
new file mode 100644
index 00000000000000..99656772c0df79
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client.test.js
@@ -0,0 +1,1161 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SecureSavedObjectsClient } from './secure_saved_objects_client';
+import { CHECK_PRIVILEGES_RESULT } from '../authorization/check_privileges';
+
+const createMockErrors = () => {
+  const forbiddenError = new Error('Mock ForbiddenError');
+  const generalError = new Error('Mock GeneralError');
+
+  return {
+    forbiddenError,
+    decorateForbiddenError: jest.fn().mockReturnValue(forbiddenError),
+    generalError,
+    decorateGeneralError: jest.fn().mockReturnValue(generalError)
+  };
+};
+
+const createMockAuditLogger = () => {
+  return {
+    savedObjectsAuthorizationFailure: jest.fn(),
+    savedObjectsAuthorizationSuccess: jest.fn(),
+  };
+};
+
+const createMockActions = () => {
+  return {
+    getSavedObjectAction(type, action) {
+      return `mock-action:saved_objects/${type}/${action}`;
+    }
+  };
+};
+
+describe('#errors', () => {
+  test(`assigns errors from constructor to .errors`, () => {
+    const errors = Symbol();
+
+    const client = new SecureSavedObjectsClient({ errors });
+
+    expect(client.errors).toBe(errors);
+  });
+});
+
+describe('#create', () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+
+    await expect(client.create(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+    const attributes = Symbol();
+    const options = Symbol();
+
+    await expect(client.create(type, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'create')]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'create',
+      [type],
+      [mockActions.getSavedObjectAction(type, 'create')],
+      {
+        type,
+        attributes,
+        options,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`returns result of internalRepository.create when authorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      create: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      internalRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const attributes = Symbol();
+    const options = Symbol();
+
+    const result = await client.create(type, attributes, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'create', [type], {
+      type,
+      attributes,
+      options,
+    });
+  });
+
+  test(`returns result of callWithRequestRepository.create when legacy`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      create: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      callWithRequestRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const attributes = Symbol();
+    const options = Symbol();
+
+    const result = await client.create(type, attributes, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.create).toHaveBeenCalledWith(type, attributes, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+  });
+});
+
+describe('#bulkCreate', () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+
+    await expect(client.bulkCreate([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_create')]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
+      missing: [
+        privileges[0]
+      ],
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+    const objects = [
+      { type: type1 },
+      { type: type1 },
+      { type: type2 },
+    ];
+    const options = Symbol();
+
+    await expect(client.bulkCreate(objects, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([
+      mockActions.getSavedObjectAction(type1, 'bulk_create'),
+      mockActions.getSavedObjectAction(type2, 'bulk_create'),
+    ]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'bulk_create',
+      [type1, type2],
+      [mockActions.getSavedObjectAction(type1, 'bulk_create')],
+      {
+        objects,
+        options,
+      }
+    );
+  });
+
+  test(`returns result of internalRepository.bulkCreate when authorized`, async () => {
+    const username = Symbol();
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkCreate: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      internalRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const objects = [
+      { type: type1, otherThing: 'sup' },
+      { type: type2, otherThing: 'everyone' },
+    ];
+    const options = Symbol();
+
+    const result = await client.bulkCreate(objects, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_create', [type1, type2], {
+      objects,
+      options,
+    });
+  });
+
+  test(`returns result of callWithRequestRepository.bulkCreate when legacy`, async () => {
+    const username = Symbol();
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkCreate: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      callWithRequestRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const objects = [
+      { type: type1, otherThing: 'sup' },
+      { type: type2, otherThing: 'everyone' },
+    ];
+    const options = Symbol();
+
+    const result = await client.bulkCreate(objects, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkCreate).toHaveBeenCalledWith(objects, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+});
+
+describe('#delete', () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+
+    await expect(client.delete(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+    const id = Symbol();
+
+    await expect(client.delete(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'delete')]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'delete',
+      [type],
+      [mockActions.getSavedObjectAction(type, 'delete')],
+      {
+        type,
+        id,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`returns result of internalRepository.delete when authorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      delete: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      internalRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const id = Symbol();
+
+    const result = await client.delete(type, id);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'delete', [type], {
+      type,
+      id,
+    });
+  });
+
+  test(`returns result of internalRepository.delete when legacy`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      delete: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      callWithRequestRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const id = Symbol();
+
+    const result = await client.delete(type, id);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.delete).toHaveBeenCalledWith(type, id);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+});
+
+describe('#find', () => {
+  describe('type', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type = 'foo';
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+        throw new Error();
+      });
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        actions: mockActions,
+      });
+
+      await expect(client.find({ type })).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when type's singular and unauthorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockRepository = {};
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
+        missing: privileges,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        internalRepository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        actions: mockActions,
+      });
+      const options = { type };
+
+      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'find',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'find')],
+        {
+          options
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when type's an array and unauthorized`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const username = Symbol();
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => {
+        return {
+          result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+          username,
+          missing: [
+            privileges[0]
+          ],
+        };
+      });
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        actions: mockActions,
+      });
+      const options = { type: [ type1, type2 ] };
+
+      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'find'),
+        mockActions.getSavedObjectAction(type2, 'find')
+      ]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'find',
+        [type1, type2],
+        [mockActions.getSavedObjectAction(type1, 'find')],
+        {
+          options
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of internalRepository.find when authorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        find: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+        username,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        internalRepository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        actions: createMockActions(),
+      });
+      const options = { type };
+
+      const result = await client.find(options);
+
+      expect(result).toBe(returnValue);
+      expect(mockRepository.find).toHaveBeenCalledWith({ type });
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+        options,
+      });
+    });
+
+    test(`returns result of callWithRequestRepository.find when legacy`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        find: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+        result: CHECK_PRIVILEGES_RESULT.LEGACY,
+        username,
+        missing: privileges,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        callWithRequestRepository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        actions: createMockActions(),
+      });
+      const options = { type };
+
+      const result = await client.find(options);
+
+      expect(result).toBe(returnValue);
+      expect(mockRepository.find).toHaveBeenCalledWith({ type });
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('no type', () => {
+    test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const mockRepository = {};
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+        throw new Error();
+      });
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        savedObjectTypes: [type1, type2],
+        actions: mockActions,
+      });
+
+      await expect(client.find()).rejects.toThrowError(mockErrors.generalError);
+
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'find'),
+        mockActions.getSavedObjectAction(type2, 'find'),
+      ]);
+      expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`throws decorated ForbiddenError when unauthorized`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const mockRepository = {};
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+        username,
+        missing: [
+          privileges[0]
+        ],
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        repository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        savedObjectTypes: [type],
+        actions: mockActions,
+      });
+      const options = Symbol();
+
+      await expect(client.find(options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+      expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+        username,
+        'find',
+        [type],
+        [mockActions.getSavedObjectAction(type, 'find')],
+        {
+          options
+        }
+      );
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`returns result of callWithRequestRepository.find when legacy`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        find: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+        result: CHECK_PRIVILEGES_RESULT.LEGACY,
+        username,
+        missing: privileges,
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        callWithRequestRepository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        savedObjectTypes: [type],
+        actions: mockActions,
+      });
+      const options = Symbol();
+
+      const result = await client.find(options);
+
+      expect(result).toBe(returnValue);
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'find')]);
+      expect(mockRepository.find).toHaveBeenCalledWith(options);
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+    });
+
+    test(`specifies authorized types when calling repository.find()`, async () => {
+      const type1 = 'foo';
+      const type2 = 'bar';
+      const mockRepository = {
+        find: jest.fn(),
+      };
+      const mockErrors = createMockErrors();
+      const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+        result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+        missing: [
+          privileges[0]
+        ]
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const mockActions = createMockActions();
+      const client = new SecureSavedObjectsClient({
+        errors: mockErrors,
+        internalRepository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        savedObjectTypes: [type1, type2],
+        actions: mockActions,
+      });
+
+      await client.find();
+
+      expect(mockCheckPrivileges).toHaveBeenCalledWith([
+        mockActions.getSavedObjectAction(type1, 'find'),
+        mockActions.getSavedObjectAction(type2, 'find'),
+      ]);
+      expect(mockRepository.find).toHaveBeenCalledWith(expect.objectContaining({
+        type: [type2]
+      }));
+    });
+
+    test(`returns result of repository.find`, async () => {
+      const type = 'foo';
+      const username = Symbol();
+      const returnValue = Symbol();
+      const mockRepository = {
+        find: jest.fn().mockReturnValue(returnValue)
+      };
+      const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+        result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+        username,
+        missing: [],
+      }));
+      const mockAuditLogger = createMockAuditLogger();
+      const client = new SecureSavedObjectsClient({
+        internalRepository: mockRepository,
+        checkPrivileges: mockCheckPrivileges,
+        auditLogger: mockAuditLogger,
+        savedObjectTypes: [type],
+        actions: createMockActions(),
+      });
+      const options = Symbol();
+
+      const result = await client.find(options);
+
+      expect(result).toBe(returnValue);
+      expect(mockRepository.find).toHaveBeenCalledWith({ type: [type] });
+      expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+      expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'find', [type], {
+        options,
+      });
+    });
+  });
+});
+
+describe('#bulkGet', () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+
+    await expect(client.bulkGet([{ type }])).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'bulk_get')]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
+      missing: [
+        privileges[0]
+      ],
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+    const objects = [
+      { type: type1 },
+      { type: type1 },
+      { type: type2 },
+    ];
+
+    await expect(client.bulkGet(objects)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([
+      mockActions.getSavedObjectAction(type1, 'bulk_get'),
+      mockActions.getSavedObjectAction(type2, 'bulk_get'),
+    ]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'bulk_get',
+      [type1, type2],
+      [mockActions.getSavedObjectAction(type1, 'bulk_get')],
+      {
+        objects
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`returns result of internalRepository.bulkGet when authorized`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkGet: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      internalRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const objects = [
+      { type: type1, id: 'foo-id' },
+      { type: type2, id: 'bar-id' },
+    ];
+
+    const result = await client.bulkGet(objects);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'bulk_get', [type1, type2], {
+      objects,
+    });
+  });
+
+  test(`returns result of callWithRequestRepository.bulkGet when legacy`, async () => {
+    const type1 = 'foo';
+    const type2 = 'bar';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      bulkGet: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      callWithRequestRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const objects = [
+      { type: type1, id: 'foo-id' },
+      { type: type2, id: 'bar-id' },
+    ];
+
+    const result = await client.bulkGet(objects);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.bulkGet).toHaveBeenCalledWith(objects);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+});
+
+describe('#get', () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+
+    await expect(client.get(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+    const id = Symbol();
+
+    await expect(client.get(type, id)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'get')]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'get',
+      [type],
+      [mockActions.getSavedObjectAction(type, 'get')],
+      {
+        type,
+        id,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`returns result of internalRepository.get when authorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      get: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      internalRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const id = Symbol();
+
+    const result = await client.get(type, id);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'get', [type], {
+      type,
+      id,
+    });
+  });
+
+  test(`returns result of callWithRequestRepository.get when user isn't authorized and has legacy fallback`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      get: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      callWithRequestRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const id = Symbol();
+
+    const result = await client.get(type, id);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.get).toHaveBeenCalledWith(type, id);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+});
+
+describe('#update', () => {
+  test(`throws decorated GeneralError when hasPrivileges rejects promise`, async () => {
+    const type = 'foo';
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => {
+      throw new Error();
+    });
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+
+    await expect(client.update(type)).rejects.toThrowError(mockErrors.generalError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
+    expect(mockErrors.decorateGeneralError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`throws decorated ForbiddenError when unauthorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const mockErrors = createMockErrors();
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const mockActions = createMockActions();
+    const client = new SecureSavedObjectsClient({
+      errors: mockErrors,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: mockActions,
+    });
+    const id = Symbol();
+    const attributes = Symbol();
+    const options = Symbol();
+
+    await expect(client.update(type, id, attributes, options)).rejects.toThrowError(mockErrors.forbiddenError);
+
+    expect(mockCheckPrivileges).toHaveBeenCalledWith([mockActions.getSavedObjectAction(type, 'update')]);
+    expect(mockErrors.decorateForbiddenError).toHaveBeenCalledTimes(1);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).toHaveBeenCalledWith(
+      username,
+      'update',
+      [type],
+      [mockActions.getSavedObjectAction(type, 'update')],
+      {
+        type,
+        id,
+        attributes,
+        options,
+      }
+    );
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+
+  test(`returns result of repository.update when authorized`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      update: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async () => ({
+      result: CHECK_PRIVILEGES_RESULT.AUTHORIZED,
+      username,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      internalRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const id = Symbol();
+    const attributes = Symbol();
+    const options = Symbol();
+
+    const result = await client.update(type, id, attributes, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).toHaveBeenCalledWith(username, 'update', [type], {
+      type,
+      id,
+      attributes,
+      options,
+    });
+  });
+
+  test(`returns result of repository.update when legacy`, async () => {
+    const type = 'foo';
+    const username = Symbol();
+    const returnValue = Symbol();
+    const mockRepository = {
+      update: jest.fn().mockReturnValue(returnValue)
+    };
+    const mockCheckPrivileges = jest.fn().mockImplementation(async privileges => ({
+      result: CHECK_PRIVILEGES_RESULT.LEGACY,
+      username,
+      missing: privileges,
+    }));
+    const mockAuditLogger = createMockAuditLogger();
+    const client = new SecureSavedObjectsClient({
+      callWithRequestRepository: mockRepository,
+      checkPrivileges: mockCheckPrivileges,
+      auditLogger: mockAuditLogger,
+      actions: createMockActions(),
+    });
+    const id = Symbol();
+    const attributes = Symbol();
+    const options = Symbol();
+
+    const result = await client.update(type, id, attributes, options);
+
+    expect(result).toBe(returnValue);
+    expect(mockRepository.update).toHaveBeenCalledWith(type, id, attributes, options);
+    expect(mockAuditLogger.savedObjectsAuthorizationFailure).not.toHaveBeenCalled();
+    expect(mockAuditLogger.savedObjectsAuthorizationSuccess).not.toHaveBeenCalled();
+  });
+});
diff --git a/x-pack/plugins/security/server/lib/validate_config.js b/x-pack/plugins/security/server/lib/validate_config.js
index af62d81e344ff7..49c9ba94ffd57f 100644
--- a/x-pack/plugins/security/server/lib/validate_config.js
+++ b/x-pack/plugins/security/server/lib/validate_config.js
@@ -27,4 +27,4 @@ export function validateConfig(config, log) {
   } else {
     config.set('xpack.security.secureCookies', true);
   }
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
new file mode 100644
index 00000000000000..28cbbbb04c93d4
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js
@@ -0,0 +1,81 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import * as Rx from 'rxjs';
+import { catchError, mergeMap, map, switchMap, tap } from 'rxjs/operators';
+
+export const RETRY_SCALE_DURATION = 100;
+export const RETRY_DURATION_MAX = 10000;
+
+const calculateDuration = i => {
+  const duration = i * RETRY_SCALE_DURATION;
+  if (duration > RETRY_DURATION_MAX) {
+    return RETRY_DURATION_MAX;
+  }
+
+  return duration;
+};
+
+// we can't use a retryWhen here, because we want to propagate the red status and then retry
+const propagateRedStatusAndScaleRetry = () => {
+  let i = 0;
+  return (err, caught) =>
+    Rx.concat(
+      Rx.of({
+        state: 'red',
+        message: err.message
+      }),
+      Rx.timer(calculateDuration(++i)).pipe(mergeMap(() => caught))
+    );
+};
+
+export function watchStatusAndLicenseToInitialize(xpackMainPlugin, downstreamPlugin, initialize) {
+  const xpackInfo = xpackMainPlugin.info;
+  const xpackInfoFeature = xpackInfo.feature(downstreamPlugin.id);
+
+  const upstreamStatus = xpackMainPlugin.status;
+  const currentStatus$ = Rx
+    .of({
+      state: upstreamStatus.state,
+      message: upstreamStatus.message,
+    });
+  const newStatus$ = Rx
+    .fromEvent(upstreamStatus, 'change', null, (previousState, previousMsg, state, message) => {
+      return {
+        state,
+        message,
+      };
+    });
+  const status$ = Rx.merge(currentStatus$, newStatus$);
+
+  const currentLicense$ = Rx.of(xpackInfoFeature.getLicenseCheckResults());
+  const newLicense$ = Rx
+    .fromEventPattern(xpackInfo.onLicenseInfoChange.bind(xpackInfo))
+    .pipe(map(() => xpackInfoFeature.getLicenseCheckResults()));
+  const license$ = Rx.merge(currentLicense$, newLicense$);
+
+  Rx.combineLatest(status$, license$)
+    .pipe(
+      map(([status, license]) => ({ status, license })),
+      switchMap(({ status, license }) => {
+        if (status.state !== 'green') {
+          return Rx.of({ state: status.state, message: status.message });
+        }
+
+        return Rx.defer(() => initialize(license))
+          .pipe(
+            map(() => ({
+              state: 'green',
+              message: 'Ready',
+            })),
+            catchError(propagateRedStatusAndScaleRetry())
+          );
+      }),
+      tap(({ state, message }) => {
+        downstreamPlugin.status[state](message);
+      })
+    )
+    .subscribe();
+}
diff --git a/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
new file mode 100644
index 00000000000000..d56598b9d01111
--- /dev/null
+++ b/x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.test.js
@@ -0,0 +1,296 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { EventEmitter } from 'events';
+import { watchStatusAndLicenseToInitialize, RETRY_SCALE_DURATION, RETRY_DURATION_MAX } from './watch_status_and_license_to_initialize';
+
+const createMockXpackMainPluginAndFeature = (featureId) => {
+  const licenseChangeCallbacks = [];
+
+  const mockFeature = {
+    getLicenseCheckResults: jest.fn(),
+    mock: {
+      triggerLicenseChange: () => {
+        for (const callback of licenseChangeCallbacks) {
+          callback();
+        }
+      },
+      setLicenseCheckResults: (value) => {
+        mockFeature.getLicenseCheckResults.mockReturnValue(value);
+      }
+    }
+  };
+
+  const mockXpackMainPlugin = {
+    info: {
+      onLicenseInfoChange: (callback) => {
+        licenseChangeCallbacks.push(callback);
+      },
+      feature: (id) => {
+        if (id === featureId) {
+          return mockFeature;
+        }
+        throw new Error('Unexpected feature');
+      }
+    },
+    status: new EventEmitter(),
+    mock: {
+      setStatus: (state, message) => {
+        mockXpackMainPlugin.status.state = state;
+        mockXpackMainPlugin.status.message = message;
+        mockXpackMainPlugin.status.emit('change', null, null, state, message);
+      }
+    }
+  };
+
+  return { mockXpackMainPlugin, mockFeature };
+};
+
+const createMockDownstreamPlugin = (id) => {
+  const defaultImplementation = () => { throw new Error('Not implemented'); };
+  return {
+    id,
+    status: {
+      disabled: jest.fn().mockImplementation(defaultImplementation),
+      yellow: jest.fn().mockImplementation(defaultImplementation),
+      green: jest.fn().mockImplementation(defaultImplementation),
+      red: jest.fn().mockImplementation(defaultImplementation),
+    },
+  };
+};
+
+const advanceRetry = async (initializeCount) => {
+  await Promise.resolve();
+  let duration = initializeCount * RETRY_SCALE_DURATION;
+  if (duration > RETRY_DURATION_MAX) {
+    duration = RETRY_DURATION_MAX;
+  }
+  jest.advanceTimersByTime(duration);
+};
+
+['red', 'yellow', 'disabled'].forEach(state => {
+  test(`mirrors ${state} immediately`, () => {
+    const pluginId = 'foo-plugin';
+    const message = `${state} is now the state`;
+    const { mockXpackMainPlugin } = createMockXpackMainPluginAndFeature(pluginId);
+    mockXpackMainPlugin.mock.setStatus(state, message);
+    const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+    const initializeMock = jest.fn();
+    downstreamPlugin.status[state].mockImplementation(() => { });
+
+    watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+    expect(initializeMock).not.toHaveBeenCalled();
+    expect(downstreamPlugin.status[state]).toHaveBeenCalledTimes(1);
+    expect(downstreamPlugin.status[state]).toHaveBeenCalledWith(message);
+  });
+});
+
+test(`calls initialize and doesn't immediately set downstream status when the initial status is green`, () => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green', 'green is now the state');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => new Promise(() => { }));
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  expect(downstreamPlugin.status.green).toHaveBeenCalledTimes(0);
+});
+
+test(`sets downstream plugin's status to green when initialize resolves`, (done) => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green', 'green is now the state');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  downstreamPlugin.status.green.mockImplementation(actualMessage => {
+    expect(actualMessage).toBe('Ready');
+    done();
+  });
+});
+
+test(`sets downstream plugin's status to red when initialize initially rejects, and continually polls initialize`, (done) => {
+  jest.useFakeTimers();
+
+  const pluginId = 'foo-plugin';
+  const errorMessage = 'the error message';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+
+  let isRed = false;
+  let initializeCount = 0;
+  const initializeMock = jest.fn().mockImplementation(() => {
+    ++initializeCount;
+
+    // on the second retry, ensure we already set the status to red
+    if (initializeCount === 2) {
+      expect(isRed).toBe(true);
+    }
+
+    // this should theoretically continue indefinitely, but we only have so long to run the tests
+    if (initializeCount === 100) {
+      done();
+    }
+
+    // everytime this is called, we have to wait for a new promise to be resolved
+    // allowing the Promise the we return below to run, and then advance the timers
+    setImmediate(() => {
+      advanceRetry(initializeCount);
+    });
+    return Promise.reject(new Error(errorMessage));
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  downstreamPlugin.status.red.mockImplementation(message => {
+    isRed = true;
+    expect(message).toBe(errorMessage);
+  });
+});
+
+test(`sets downstream plugin's status to green when initialize resolves after rejecting 10 times`, (done) => {
+  jest.useFakeTimers();
+
+  const pluginId = 'foo-plugin';
+  const errorMessage = 'the error message';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+
+  let initializeCount = 0;
+  const initializeMock = jest.fn().mockImplementation(() => {
+    ++initializeCount;
+
+    // everytime this is called, we have to wait for a new promise to be resolved
+    // allowing the Promise the we return below to run, and then advance the timers
+    setImmediate(() => {
+      advanceRetry(initializeCount);
+    });
+
+    if (initializeCount >= 10) {
+      return Promise.resolve();
+    }
+
+    return Promise.reject(new Error(errorMessage));
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+
+  expect(initializeMock).toHaveBeenCalledTimes(1);
+  expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+  downstreamPlugin.status.red.mockImplementation(message => {
+    expect(initializeCount).toBeLessThan(10);
+    expect(message).toBe(errorMessage);
+  });
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(initializeCount).toBe(10);
+    expect(message).toBe('Ready');
+    done();
+  });
+});
+
+test(`calls initialize twice when it gets a new license and the status is green`, (done) => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const firstLicenseCheckResults = Symbol();
+  const secondLicenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(firstLicenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  let count = 0;
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(message).toBe('Ready');
+    ++count;
+    if (count === 1) {
+      mockFeature.mock.setLicenseCheckResults(secondLicenseCheckResults);
+      mockFeature.mock.triggerLicenseChange();
+    }
+    if (count === 2) {
+      expect(initializeMock).toHaveBeenCalledWith(firstLicenseCheckResults);
+      expect(initializeMock).toHaveBeenCalledWith(secondLicenseCheckResults);
+      expect(initializeMock).toHaveBeenCalledTimes(2);
+      done();
+    }
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+});
+
+test(`doesn't call initialize twice when it gets a new license when the status isn't green`, (done) => {
+  const pluginId = 'foo-plugin';
+  const redMessage = 'the red message';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const firstLicenseCheckResults = Symbol();
+  const secondLicenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(firstLicenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(message).toBe('Ready');
+    mockXpackMainPlugin.mock.setStatus('red', redMessage);
+    mockFeature.mock.setLicenseCheckResults(secondLicenseCheckResults);
+    mockFeature.mock.triggerLicenseChange();
+  });
+
+  downstreamPlugin.status.red.mockImplementation(message => {
+    expect(message).toBe(redMessage);
+    expect(initializeMock).toHaveBeenCalledTimes(1);
+    expect(initializeMock).toHaveBeenCalledWith(firstLicenseCheckResults);
+    done();
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+});
+
+test(`calls initialize twice when the status changes to green twice`, (done) => {
+  const pluginId = 'foo-plugin';
+  const { mockXpackMainPlugin, mockFeature } = createMockXpackMainPluginAndFeature(pluginId);
+  mockXpackMainPlugin.mock.setStatus('green');
+  const licenseCheckResults = Symbol();
+  mockFeature.mock.setLicenseCheckResults(licenseCheckResults);
+  const downstreamPlugin = createMockDownstreamPlugin(pluginId);
+  const initializeMock = jest.fn().mockImplementation(() => Promise.resolve());
+
+  let count = 0;
+  downstreamPlugin.status.green.mockImplementation(message => {
+    expect(message).toBe('Ready');
+    ++count;
+    if (count === 1) {
+      mockXpackMainPlugin.mock.setStatus('green');
+    }
+    if (count === 2) {
+      expect(initializeMock).toHaveBeenCalledWith(licenseCheckResults);
+      expect(initializeMock).toHaveBeenCalledTimes(2);
+      done();
+    }
+  });
+
+  watchStatusAndLicenseToInitialize(mockXpackMainPlugin, downstreamPlugin, initializeMock);
+});
+
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/delete.js b/x-pack/plugins/security/server/routes/api/public/roles/delete.js
new file mode 100644
index 00000000000000..697a9bd32df1b9
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/delete.js
@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import _ from 'lodash';
+import Joi from 'joi';
+import { wrapError } from '../../../../lib/errors';
+
+export function initDeleteRolesApi(server, callWithRequest, routePreCheckLicenseFn) {
+  server.route({
+    method: 'DELETE',
+    path: '/api/security/role/{name}',
+    handler(request, reply) {
+      const name = request.params.name;
+      return callWithRequest(request, 'shield.deleteRole', { name }).then(
+        () => reply().code(204),
+        _.flow(wrapError, reply));
+    },
+    config: {
+      validate: {
+        params: Joi.object()
+          .keys({
+            name: Joi.string()
+              .required(),
+          })
+          .required(),
+      },
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/delete.test.js b/x-pack/plugins/security/server/routes/api/public/roles/delete.test.js
new file mode 100644
index 00000000000000..0337b8e8b9f661
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/delete.test.js
@@ -0,0 +1,125 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Hapi from 'hapi';
+import Boom from 'boom';
+import { initDeleteRolesApi } from './delete';
+
+const createMockServer = () => {
+  const mockServer = new Hapi.Server({ debug: false });
+  mockServer.connection({ port: 8080 });
+  return mockServer;
+};
+
+const defaultPreCheckLicenseImpl = (request, reply) => reply();
+
+describe('DELETE role', () => {
+  const deleteRoleTest = (
+    description,
+    {
+      name,
+      preCheckLicenseImpl,
+      callWithRequestImpl,
+      asserts,
+    }
+  ) => {
+    test(description, async () => {
+      const mockServer = createMockServer();
+      const pre = jest.fn().mockImplementation(preCheckLicenseImpl);
+      const mockCallWithRequest = jest.fn();
+      if (callWithRequestImpl) {
+        mockCallWithRequest.mockImplementation(callWithRequestImpl);
+      }
+      initDeleteRolesApi(mockServer, mockCallWithRequest, pre);
+      const headers = {
+        authorization: 'foo',
+      };
+
+      const request = {
+        method: 'DELETE',
+        url: `/api/security/role/${name}`,
+        headers,
+      };
+      const { result, statusCode } = await mockServer.inject(request);
+
+      if (preCheckLicenseImpl) {
+        expect(pre).toHaveBeenCalled();
+      } else {
+        expect(pre).not.toHaveBeenCalled();
+      }
+
+      if (callWithRequestImpl) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          'shield.deleteRole',
+          { name },
+        );
+      } else {
+        expect(mockCallWithRequest).not.toHaveBeenCalled();
+      }
+      expect(statusCode).toBe(asserts.statusCode);
+      expect(result).toEqual(asserts.result);
+    });
+  };
+
+  describe('failure', () => {
+    deleteRoleTest(`requires name in params`, {
+      name: '',
+      asserts: {
+        statusCode: 404,
+        result: {
+          error: 'Not Found',
+          statusCode: 404,
+        },
+      },
+    });
+
+    deleteRoleTest(`returns result of routePreCheckLicense`, {
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+
+    deleteRoleTest(`returns error from callWithRequest`, {
+      name: 'foo-role',
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpl: async () => {
+        throw Boom.notFound('test not found message');
+      },
+      asserts: {
+        statusCode: 404,
+        result: {
+          error: 'Not Found',
+          statusCode: 404,
+          message: 'test not found message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    deleteRoleTest(`deletes role`, {
+      name: 'foo-role',
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpl: async () => {},
+      asserts: {
+        statusCode: 204,
+        result: null
+      }
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.js b/x-pack/plugins/security/server/routes/api/public/roles/get.js
new file mode 100644
index 00000000000000..9ae89a97c36f1a
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.js
@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import _ from 'lodash';
+import Boom from 'boom';
+import { ALL_RESOURCE } from '../../../../../common/constants';
+import { wrapError } from '../../../../lib/errors';
+
+export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application) {
+
+  const transformKibanaApplicationsFromEs = (roleApplications) => {
+    return roleApplications
+      .filter(roleApplication => roleApplication.application === application)
+      .filter(roleApplication => roleApplication.resources.length > 0)
+      .filter(roleApplication => roleApplication.resources.every(resource => resource === ALL_RESOURCE))
+      .map(roleApplication => ({ privileges: roleApplication.privileges }));
+  };
+
+  const transformUnrecognizedApplicationsFromEs = (roleApplications) => {
+    return _.uniq(roleApplications
+      .filter(roleApplication => roleApplication.application !== application)
+      .map(roleApplication => roleApplication.application));
+  };
+
+  const transformRoleFromEs = (role, name) => {
+    return {
+      name,
+      metadata: role.metadata,
+      transient_metadata: role.transient_metadata,
+      elasticsearch: {
+        cluster: role.cluster,
+        indices: role.indices,
+        run_as: role.run_as,
+      },
+      kibana: transformKibanaApplicationsFromEs(role.applications),
+      _unrecognized_applications: transformUnrecognizedApplicationsFromEs(role.applications),
+    };
+  };
+
+  const transformRolesFromEs = (roles) => {
+    return _.map(roles, (role, name) => transformRoleFromEs(role, name));
+  };
+
+  server.route({
+    method: 'GET',
+    path: '/api/security/role',
+    handler(request, reply) {
+      return callWithRequest(request, 'shield.getRole').then(
+        (response) => {
+          return reply(transformRolesFromEs(response));
+        },
+        _.flow(wrapError, reply)
+      );
+    },
+    config: {
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+
+  server.route({
+    method: 'GET',
+    path: '/api/security/role/{name}',
+    handler(request, reply) {
+      const name = request.params.name;
+      return callWithRequest(request, 'shield.getRole', { name }).then(
+        (response) => {
+          if (response[name]) return reply(transformRoleFromEs(response[name], name));
+          return reply(Boom.notFound());
+        },
+        _.flow(wrapError, reply));
+    },
+    config: {
+      pre: [routePreCheckLicenseFn]
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/get.test.js b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
new file mode 100644
index 00000000000000..a8dd3a38bdeb91
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/get.test.js
@@ -0,0 +1,577 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import Hapi from 'hapi';
+import Boom from 'boom';
+import { initGetRolesApi } from './get';
+
+const application = 'kibana-.kibana';
+
+const createMockServer = () => {
+  const mockServer = new Hapi.Server({ debug: false });
+  mockServer.connection({ port: 8080 });
+  return mockServer;
+};
+
+describe('GET roles', () => {
+  const getRolesTest = (
+    description,
+    {
+      preCheckLicenseImpl = (request, reply) => reply(),
+      callWithRequestImpl,
+      asserts,
+    }
+  ) => {
+    test(description, async () => {
+      const mockServer = createMockServer();
+      const pre = jest.fn().mockImplementation(preCheckLicenseImpl);
+      const mockCallWithRequest = jest.fn();
+      if (callWithRequestImpl) {
+        mockCallWithRequest.mockImplementation(callWithRequestImpl);
+      }
+      initGetRolesApi(mockServer, mockCallWithRequest, pre, application);
+      const headers = {
+        authorization: 'foo',
+      };
+
+      const request = {
+        method: 'GET',
+        url: '/api/security/role',
+        headers,
+      };
+      const { result, statusCode } = await mockServer.inject(request);
+
+      expect(pre).toHaveBeenCalled();
+      if (callWithRequestImpl) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          'shield.getRole'
+        );
+      } else {
+        expect(mockCallWithRequest).not.toHaveBeenCalled();
+      }
+      expect(statusCode).toBe(asserts.statusCode);
+      expect(result).toEqual(asserts.result);
+    });
+  };
+
+  describe('failure', () => {
+    getRolesTest(`returns result of routePreCheckLicense`, {
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+
+    getRolesTest(`returns error from callWithRequest`, {
+      callWithRequestImpl: async () => {
+        throw Boom.notAcceptable('test not acceptable message');
+      },
+      asserts: {
+        statusCode: 406,
+        result: {
+          error: 'Not Acceptable',
+          statusCode: 406,
+          message: 'test not acceptable message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    getRolesTest(`transforms elasticsearch privileges`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: ['manage_watcher'],
+          indices: [
+            {
+              names: ['.kibana*'],
+              privileges: ['read', 'view_index_metadata'],
+            },
+          ],
+          applications: [],
+          run_as: ['other_user'],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: ['manage_watcher'],
+              indices: [
+                {
+                  names: ['.kibana*'],
+                  privileges: ['read', 'view_index_metadata'],
+                },
+              ],
+              run_as: ['other_user'],
+            },
+            kibana: [],
+            _unrecognized_applications: [],
+          },
+        ],
+      },
+    });
+
+    getRolesTest(`transforms matching applications to kibana privileges`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              resources: ['*'],
+            },
+            {
+              application,
+              privileges: ['all'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: [],
+              indices: [],
+              run_as: [],
+            },
+            kibana: [
+              {
+                privileges: ['read'],
+              },
+              {
+                privileges: ['all'],
+              },
+            ],
+            _unrecognized_applications: [],
+          },
+        ],
+      },
+    });
+
+    getRolesTest(`excludes resources other than * from kibana privileges`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              // Elasticsearch should prevent this from happening
+              resources: [],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['default', '*'],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['some-other-space'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: [],
+              indices: [],
+              run_as: [],
+            },
+            kibana: [],
+            _unrecognized_applications: [],
+          },
+        ],
+      },
+    });
+
+    getRolesTest(`transforms unrecognized applications`, {
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application: 'kibana-.another-kibana',
+              privileges: ['read'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: [
+          {
+            name: 'first_role',
+            metadata: {
+              _reserved: true,
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            elasticsearch: {
+              cluster: [],
+              indices: [],
+              run_as: [],
+            },
+            kibana: [],
+            _unrecognized_applications: ['kibana-.another-kibana']
+          },
+        ],
+      },
+    });
+  });
+});
+
+describe('GET role', () => {
+  const getRoleTest = (
+    description,
+    {
+      name,
+      preCheckLicenseImpl = (request, reply) => reply(),
+      callWithRequestImpl,
+      asserts,
+    }
+  ) => {
+    test(description, async () => {
+      const mockServer = createMockServer();
+      const pre = jest.fn().mockImplementation(preCheckLicenseImpl);
+      const mockCallWithRequest = jest.fn();
+      if (callWithRequestImpl) {
+        mockCallWithRequest.mockImplementation(callWithRequestImpl);
+      }
+      initGetRolesApi(mockServer, mockCallWithRequest, pre, 'kibana-.kibana');
+      const headers = {
+        authorization: 'foo',
+      };
+
+      const request = {
+        method: 'GET',
+        url: `/api/security/role/${name}`,
+        headers,
+      };
+      const { result, statusCode } = await mockServer.inject(request);
+
+      expect(pre).toHaveBeenCalled();
+      if (callWithRequestImpl) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          'shield.getRole',
+          { name }
+        );
+      } else {
+        expect(mockCallWithRequest).not.toHaveBeenCalled();
+      }
+      expect(statusCode).toBe(asserts.statusCode);
+      expect(result).toEqual(asserts.result);
+    });
+  };
+
+  describe('failure', () => {
+    getRoleTest(`returns result of routePreCheckLicense`, {
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+
+    getRoleTest(`returns error from callWithRequest`, {
+      name: 'foo-role',
+      callWithRequestImpl: async () => {
+        throw Boom.notAcceptable('test not acceptable message');
+      },
+      asserts: {
+        statusCode: 406,
+        result: {
+          error: 'Not Acceptable',
+          statusCode: 406,
+          message: 'test not acceptable message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    getRoleTest(`transforms elasticsearch privileges`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: ['manage_watcher'],
+          indices: [
+            {
+              names: ['.kibana*'],
+              privileges: ['read', 'view_index_metadata'],
+            },
+          ],
+          applications: [],
+          run_as: ['other_user'],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: ['manage_watcher'],
+            indices: [
+              {
+                names: ['.kibana*'],
+                privileges: ['read', 'view_index_metadata'],
+              },
+            ],
+            run_as: ['other_user'],
+          },
+          kibana: [],
+          _unrecognized_applications: [],
+        },
+      },
+    });
+
+    getRoleTest(`transforms matching applications to kibana privileges`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              resources: ['*'],
+            },
+            {
+              application,
+              privileges: ['all'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [
+            {
+              privileges: ['read'],
+            },
+            {
+              privileges: ['all'],
+            },
+          ],
+          _unrecognized_applications: [],
+        },
+      },
+    });
+
+    getRoleTest(`excludes resources other than * from kibana privileges`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application,
+              privileges: ['read'],
+              // Elasticsearch should prevent this from happening
+              resources: [],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['default', '*'],
+            },
+            {
+              application,
+              privileges: ['read'],
+              resources: ['some-other-space'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [],
+          _unrecognized_applications: [],
+        },
+      },
+    });
+
+    getRoleTest(`transforms unrecognized applications`, {
+      name: 'first_role',
+      callWithRequestImpl: async () => ({
+        first_role: {
+          cluster: [],
+          indices: [],
+          applications: [
+            {
+              application: 'kibana-.another-kibana',
+              privileges: ['read'],
+              resources: ['*'],
+            },
+          ],
+          run_as: [],
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+        },
+      }),
+      asserts: {
+        statusCode: 200,
+        result: {
+          name: 'first_role',
+          metadata: {
+            _reserved: true,
+          },
+          transient_metadata: {
+            enabled: true,
+          },
+          elasticsearch: {
+            cluster: [],
+            indices: [],
+            run_as: [],
+          },
+          kibana: [],
+          _unrecognized_applications: ['kibana-.another-kibana'],
+        },
+      },
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/index.js b/x-pack/plugins/security/server/routes/api/public/roles/index.js
new file mode 100644
index 00000000000000..5425af0a1202d3
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/index.js
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { buildPrivilegeMap } from '../../../../lib/authorization';
+import { getClient } from '../../../../../../../server/lib/get_client_shield';
+import { routePreCheckLicense } from '../../../../lib/route_pre_check_license';
+import { initGetRolesApi } from './get';
+import { initDeleteRolesApi } from './delete';
+import { initPutRolesApi } from './put';
+
+export function initPublicRolesApi(server) {
+  const callWithRequest = getClient(server).callWithRequest;
+  const routePreCheckLicenseFn = routePreCheckLicense(server);
+
+  const { application, actions } = server.plugins.security.authorization;
+  const savedObjectTypes = server.savedObjects.types;
+  const privilegeMap = buildPrivilegeMap(savedObjectTypes, application, actions);
+
+  initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn, application);
+  initPutRolesApi(server, callWithRequest, routePreCheckLicenseFn, privilegeMap, application);
+  initDeleteRolesApi(server, callWithRequest, routePreCheckLicenseFn);
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.js b/x-pack/plugins/security/server/routes/api/public/roles/put.js
new file mode 100644
index 00000000000000..123ce128e15099
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.js
@@ -0,0 +1,110 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { pick, identity } from 'lodash';
+import Joi from 'joi';
+import { ALL_RESOURCE } from '../../../../../common/constants';
+import { wrapError } from '../../../../lib/errors';
+
+const transformKibanaPrivilegeToEs = (application, kibanaPrivilege) => {
+  return {
+    privileges: kibanaPrivilege.privileges,
+    application,
+    resources: [ALL_RESOURCE],
+  };
+};
+
+const transformRolesToEs = (
+  application,
+  payload,
+  existingApplications = []
+) => {
+  const { elasticsearch = {}, kibana = [] } = payload;
+  const otherApplications = existingApplications.filter(
+    roleApplication => roleApplication.application !== application
+  );
+
+  return pick({
+    metadata: payload.metadata,
+    cluster: elasticsearch.cluster || [],
+    indices: elasticsearch.indices || [],
+    run_as: elasticsearch.run_as || [],
+    applications: [
+      ...kibana.map(kibanaPrivilege =>
+        transformKibanaPrivilegeToEs(application, kibanaPrivilege)
+      ),
+      ...otherApplications,
+    ],
+  }, identity);
+};
+
+export function initPutRolesApi(
+  server,
+  callWithRequest,
+  routePreCheckLicenseFn,
+  privilegeMap,
+  application
+) {
+
+  const schema = Joi.object().keys({
+    metadata: Joi.object().optional(),
+    elasticsearch: Joi.object().keys({
+      cluster: Joi.array().items(Joi.string()),
+      indices: Joi.array().items({
+        names: Joi.array().items(Joi.string()),
+        field_security: Joi.object().keys({
+          grant: Joi.array().items(Joi.string()),
+          except: Joi.array().items(Joi.string()),
+        }),
+        privileges: Joi.array().items(Joi.string()),
+        query: Joi.string().allow(''),
+      }),
+      run_as: Joi.array().items(Joi.string()),
+    }),
+    kibana: Joi.array().items({
+      privileges: Joi.array().items(Joi.string().valid(Object.keys(privilegeMap))),
+    }),
+  });
+
+  server.route({
+    method: 'PUT',
+    path: '/api/security/role/{name}',
+    async handler(request, reply) {
+      const name = request.params.name;
+      try {
+        const existingRoleResponse = await callWithRequest(request, 'shield.getRole', {
+          name,
+          ignore: [404],
+        });
+
+        const body = transformRolesToEs(
+          application,
+          request.payload,
+          existingRoleResponse[name] ? existingRoleResponse[name].applications : []
+        );
+
+        await callWithRequest(request, 'shield.putRole', { name, body });
+        reply().code(204);
+      } catch (err) {
+        reply(wrapError(err));
+      }
+    },
+    config: {
+      validate: {
+        params: Joi.object()
+          .keys({
+            name: Joi.string()
+              .required()
+              .min(1)
+              .max(1024),
+          })
+          .required(),
+        payload: schema,
+      },
+      pre: [routePreCheckLicenseFn],
+    },
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/public/roles/put.test.js b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
new file mode 100644
index 00000000000000..d6c32ce00ac563
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/public/roles/put.test.js
@@ -0,0 +1,503 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Hapi from 'hapi';
+import Boom from 'boom';
+import { initPutRolesApi } from './put';
+import { ALL_RESOURCE } from '../../../../../common/constants';
+
+const application = 'kibana-.kibana';
+
+const createMockServer = () => {
+  const mockServer = new Hapi.Server({ debug: false });
+  mockServer.connection({ port: 8080 });
+  return mockServer;
+};
+
+const defaultPreCheckLicenseImpl = (request, reply) => reply();
+
+const privilegeMap = {
+  'test-kibana-privilege-1': {},
+  'test-kibana-privilege-2': {},
+  'test-kibana-privilege-3': {},
+};
+
+const putRoleTest = (
+  description,
+  { name, payload, preCheckLicenseImpl, callWithRequestImpls = [], asserts }
+) => {
+  test(description, async () => {
+    const mockServer = createMockServer();
+    const mockPreCheckLicense = jest
+      .fn()
+      .mockImplementation(preCheckLicenseImpl);
+    const mockCallWithRequest = jest.fn();
+    for (const impl of callWithRequestImpls) {
+      mockCallWithRequest.mockImplementationOnce(impl);
+    }
+    initPutRolesApi(
+      mockServer,
+      mockCallWithRequest,
+      mockPreCheckLicense,
+      privilegeMap,
+      application,
+    );
+    const headers = {
+      authorization: 'foo',
+    };
+
+    const request = {
+      method: 'PUT',
+      url: `/api/security/role/${name}`,
+      headers,
+      payload,
+    };
+    const { result, statusCode } = await mockServer.inject(request);
+
+    expect(result).toEqual(asserts.result);
+    expect(statusCode).toBe(asserts.statusCode);
+    if (preCheckLicenseImpl) {
+      expect(mockPreCheckLicense).toHaveBeenCalled();
+    } else {
+      expect(mockPreCheckLicense).not.toHaveBeenCalled();
+    }
+    if (asserts.callWithRequests) {
+      for (const args of asserts.callWithRequests) {
+        expect(mockCallWithRequest).toHaveBeenCalledWith(
+          expect.objectContaining({
+            headers: expect.objectContaining({
+              authorization: headers.authorization,
+            }),
+          }),
+          ...args
+        );
+      }
+    } else {
+      expect(mockCallWithRequest).not.toHaveBeenCalled();
+    }
+  });
+};
+
+describe('PUT role', () => {
+  describe('failure', () => {
+    putRoleTest(`requires name in params`, {
+      name: '',
+      payload: {},
+      asserts: {
+        statusCode: 404,
+        result: {
+          error: 'Not Found',
+          statusCode: 404,
+        },
+      },
+    });
+
+    putRoleTest(`requires name in params to not exceed 1024 characters`, {
+      name: 'a'.repeat(1025),
+      payload: {},
+      asserts: {
+        statusCode: 400,
+        result: {
+          error: 'Bad Request',
+          message: `child "name" fails because ["name" length must be less than or equal to 1024 characters long]`,
+          statusCode: 400,
+          validation: {
+            keys: ['name'],
+            source: 'params',
+          },
+        },
+      },
+    });
+
+    putRoleTest(`only allows known Kibana privileges`, {
+      name: 'foo-role',
+      payload: {
+        kibana: [
+          {
+            privileges: ['foo']
+          }
+        ]
+      },
+      asserts: {
+        statusCode: 400,
+        result: {
+          error: 'Bad Request',
+          //eslint-disable-next-line max-len
+          message: `child "kibana" fails because ["kibana" at position 0 fails because [child "privileges" fails because ["privileges" at position 0 fails because ["0" must be one of [test-kibana-privilege-1, test-kibana-privilege-2, test-kibana-privilege-3]]]]]`,
+          statusCode: 400,
+          validation: {
+            keys: ['kibana.0.privileges.0'],
+            source: 'payload',
+          },
+        },
+      },
+    });
+
+    putRoleTest(`returns result of routePreCheckLicense`, {
+      name: 'foo-role',
+      payload: {},
+      preCheckLicenseImpl: (request, reply) =>
+        reply(Boom.forbidden('test forbidden message')),
+      asserts: {
+        statusCode: 403,
+        result: {
+          error: 'Forbidden',
+          statusCode: 403,
+          message: 'test forbidden message',
+        },
+      },
+    });
+  });
+
+  describe('success', () => {
+    putRoleTest(`creates empty role`, {
+      name: 'foo-role',
+      payload: {},
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpls: [async () => ({}), async () => {}],
+      asserts: {
+        callWithRequests: [
+          ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+          [
+            'shield.putRole',
+            {
+              name: 'foo-role',
+              body: {
+                cluster: [],
+                indices: [],
+                run_as: [],
+                applications: [],
+              },
+            },
+          ],
+        ],
+        statusCode: 204,
+        result: null,
+      },
+    });
+
+    putRoleTest(`creates role with everything`, {
+      name: 'foo-role',
+      payload: {
+        metadata: {
+          foo: 'test-metadata',
+        },
+        elasticsearch: {
+          cluster: ['test-cluster-privilege'],
+          indices: [
+            {
+              field_security: {
+                grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+              },
+              names: ['test-index-name-1', 'test-index-name-2'],
+              privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+              query: `{ "match": { "title": "foo" } }`,
+            },
+          ],
+          run_as: ['test-run-as-1', 'test-run-as-2'],
+        },
+        kibana: [
+          {
+            privileges: ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
+          },
+          {
+            privileges: ['test-kibana-privilege-3'],
+          },
+        ],
+      },
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpls: [async () => ({}), async () => {}],
+      asserts: {
+        callWithRequests: [
+          ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+          [
+            'shield.putRole',
+            {
+              name: 'foo-role',
+              body: {
+                applications: [
+                  {
+                    application,
+                    privileges: [
+                      'test-kibana-privilege-1',
+                      'test-kibana-privilege-2',
+                    ],
+                    resources: [ALL_RESOURCE],
+                  },
+                  {
+                    application,
+                    privileges: ['test-kibana-privilege-3'],
+                    resources: [ALL_RESOURCE],
+                  },
+                ],
+                cluster: ['test-cluster-privilege'],
+                indices: [
+                  {
+                    field_security: {
+                      grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                      except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                    },
+                    names: ['test-index-name-1', 'test-index-name-2'],
+                    privileges: [
+                      'test-index-privilege-1',
+                      'test-index-privilege-2',
+                    ],
+                    query: `{ "match": { "title": "foo" } }`,
+                  },
+                ],
+                metadata: { foo: 'test-metadata' },
+                run_as: ['test-run-as-1', 'test-run-as-2'],
+              },
+            },
+          ],
+        ],
+        statusCode: 204,
+        result: null,
+      },
+    });
+
+    putRoleTest(`updates role which has existing kibana privileges`, {
+      name: 'foo-role',
+      payload: {
+        metadata: {
+          foo: 'test-metadata',
+        },
+        elasticsearch: {
+          cluster: ['test-cluster-privilege'],
+          indices: [
+            {
+              field_security: {
+                grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+              },
+              names: ['test-index-name-1', 'test-index-name-2'],
+              privileges: ['test-index-privilege-1', 'test-index-privilege-2'],
+              query: `{ "match": { "title": "foo" } }`,
+            },
+          ],
+          run_as: ['test-run-as-1', 'test-run-as-2'],
+        },
+        kibana: [
+          {
+            privileges: ['test-kibana-privilege-1', 'test-kibana-privilege-2'],
+          },
+          {
+            privileges: ['test-kibana-privilege-3'],
+          },
+        ],
+      },
+      preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+      callWithRequestImpls: [
+        async () => ({
+          'foo-role': {
+            metadata: {
+              bar: 'old-metadata',
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+            cluster: ['old-cluster-privilege'],
+            indices: [
+              {
+                field_security: {
+                  grant: ['old-field-security-grant-1', 'old-field-security-grant-2'],
+                  except: [ 'old-field-security-except-1', 'old-field-security-except-2' ]
+                },
+                names: ['old-index-name'],
+                privileges: ['old-privilege'],
+                query: `{ "match": { "old-title": "foo" } }`,
+              },
+            ],
+            run_as: ['old-run-as'],
+            applications: [
+              {
+                application,
+                privileges: ['old-kibana-privilege'],
+                resources: ['old-resource'],
+              },
+            ],
+          },
+        }),
+        async () => {},
+      ],
+      asserts: {
+        callWithRequests: [
+          ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+          [
+            'shield.putRole',
+            {
+              name: 'foo-role',
+              body: {
+                applications: [
+                  {
+                    application,
+                    privileges: [
+                      'test-kibana-privilege-1',
+                      'test-kibana-privilege-2',
+                    ],
+                    resources: [ALL_RESOURCE],
+                  },
+                  {
+                    application,
+                    privileges: ['test-kibana-privilege-3'],
+                    resources: [ALL_RESOURCE],
+                  },
+                ],
+                cluster: ['test-cluster-privilege'],
+                indices: [
+                  {
+                    field_security: {
+                      grant: ['test-field-security-grant-1', 'test-field-security-grant-2'],
+                      except: [ 'test-field-security-except-1', 'test-field-security-except-2' ]
+                    },
+                    names: ['test-index-name-1', 'test-index-name-2'],
+                    privileges: [
+                      'test-index-privilege-1',
+                      'test-index-privilege-2',
+                    ],
+                    query: `{ "match": { "title": "foo" } }`,
+                  },
+                ],
+                metadata: { foo: 'test-metadata' },
+                run_as: ['test-run-as-1', 'test-run-as-2'],
+              },
+            },
+          ],
+        ],
+        statusCode: 204,
+        result: null,
+      },
+    });
+
+    putRoleTest(
+      `updates role which has existing other application privileges`,
+      {
+        name: 'foo-role',
+        payload: {
+          metadata: {
+            foo: 'test-metadata',
+          },
+          elasticsearch: {
+            cluster: ['test-cluster-privilege'],
+            indices: [
+              {
+                names: ['test-index-name-1', 'test-index-name-2'],
+                privileges: [
+                  'test-index-privilege-1',
+                  'test-index-privilege-2',
+                ],
+              },
+            ],
+            run_as: ['test-run-as-1', 'test-run-as-2'],
+          },
+          kibana: [
+            {
+              privileges: [
+                'test-kibana-privilege-1',
+                'test-kibana-privilege-2',
+              ],
+            },
+            {
+              privileges: ['test-kibana-privilege-3'],
+            },
+          ],
+        },
+        preCheckLicenseImpl: defaultPreCheckLicenseImpl,
+        callWithRequestImpls: [
+          async () => ({
+            'foo-role': {
+              metadata: {
+                bar: 'old-metadata',
+              },
+              transient_metadata: {
+                enabled: true,
+              },
+              cluster: ['old-cluster-privilege'],
+              indices: [
+                {
+                  names: ['old-index-name'],
+                  privileges: ['old-privilege'],
+                },
+              ],
+              run_as: ['old-run-as'],
+              applications: [
+                {
+                  application,
+                  privileges: ['old-kibana-privilege'],
+                  resources: ['old-resource'],
+                },
+                {
+                  application: 'logstash-foo',
+                  privileges: ['logstash-privilege'],
+                  resources: ['logstash-resource'],
+                },
+                {
+                  application: 'beats-foo',
+                  privileges: ['beats-privilege'],
+                  resources: ['beats-resource'],
+                },
+              ],
+            },
+          }),
+          async () => {},
+        ],
+        asserts: {
+          callWithRequests: [
+            ['shield.getRole', { name: 'foo-role', ignore: [404] }],
+            [
+              'shield.putRole',
+              {
+                name: 'foo-role',
+                body: {
+                  applications: [
+                    {
+                      application,
+                      privileges: [
+                        'test-kibana-privilege-1',
+                        'test-kibana-privilege-2',
+                      ],
+                      resources: [ALL_RESOURCE],
+                    },
+                    {
+                      application,
+                      privileges: ['test-kibana-privilege-3'],
+                      resources: [ALL_RESOURCE],
+                    },
+                    {
+                      application: 'logstash-foo',
+                      privileges: ['logstash-privilege'],
+                      resources: ['logstash-resource'],
+                    },
+                    {
+                      application: 'beats-foo',
+                      privileges: ['beats-privilege'],
+                      resources: ['beats-resource'],
+                    },
+                  ],
+                  cluster: ['test-cluster-privilege'],
+                  indices: [
+                    {
+                      names: ['test-index-name-1', 'test-index-name-2'],
+                      privileges: [
+                        'test-index-privilege-1',
+                        'test-index-privilege-2',
+                      ],
+                    },
+                  ],
+                  metadata: { foo: 'test-metadata' },
+                  run_as: ['test-run-as-1', 'test-run-as-2'],
+                },
+              },
+            ],
+          ],
+          statusCode: 204,
+          result: null,
+        },
+      }
+    );
+  });
+});
diff --git a/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js b/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
index 0e4bcbf2f6a066..7604f4eff7b85d 100644
--- a/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
+++ b/x-pack/plugins/security/server/routes/api/v1/__tests__/authenticate.js
@@ -15,6 +15,7 @@ import { AuthenticationResult } from '../../../../../server/lib/authentication/a
 import { BasicCredentials } from '../../../../../server/lib/authentication/providers/basic';
 import { initAuthenticateApi } from '../authenticate';
 import { DeauthenticationResult } from '../../../../lib/authentication/deauthentication_result';
+import { CHECK_PRIVILEGES_RESULT } from '../../../../lib/authorization';
 
 describe('Authentication routes', () => {
   let serverStub;
@@ -33,6 +34,7 @@ describe('Authentication routes', () => {
     let loginRoute;
     let request;
     let authenticateStub;
+    let checkPrivilegesWithRequestStub;
 
     beforeEach(() => {
       loginRoute = serverStub.route
@@ -48,6 +50,7 @@ describe('Authentication routes', () => {
       authenticateStub = serverStub.plugins.security.authenticate.withArgs(
         sinon.match(BasicCredentials.decorateRequest({ headers: {} }, 'user', 'password'))
       );
+      checkPrivilegesWithRequestStub = serverStub.plugins.security.authorization.checkPrivilegesWithRequest;
     });
 
     it('correctly defines route.', async () => {
@@ -124,18 +127,65 @@ describe('Authentication routes', () => {
       );
     });
 
-    it('returns user data if authentication succeed.', async () => {
-      const user = { username: 'user' };
-      authenticateStub.returns(
-        Promise.resolve(AuthenticationResult.succeeded(user))
-      );
+    describe('authentication succeeds', () => {
+      const getDeprecationMessage = username =>
+        `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
 
-      await loginRoute.handler(request, replyStub);
+      it(`returns user data and doesn't log deprecation warning if checkPrivileges result is authorized.`, async () => {
+        const user = { username: 'user' };
+        authenticateStub.returns(
+          Promise.resolve(AuthenticationResult.succeeded(user))
+        );
+        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.AUTHORIZED });
+        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
 
-      sinon.assert.notCalled(replyStub);
-      sinon.assert.calledOnce(replyStub.continue);
-      sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+        await loginRoute.handler(request, replyStub);
+
+        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
+        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.neverCalledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
+        sinon.assert.notCalled(replyStub);
+        sinon.assert.calledOnce(replyStub.continue);
+        sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+      });
+
+      it(`returns user data and logs deprecation warning if checkPrivileges result is legacy.`, async () => {
+        const user = { username: 'user' };
+        authenticateStub.returns(
+          Promise.resolve(AuthenticationResult.succeeded(user))
+        );
+        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.LEGACY });
+        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
+
+        await loginRoute.handler(request, replyStub);
+
+        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
+        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.calledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
+        sinon.assert.notCalled(replyStub);
+        sinon.assert.calledOnce(replyStub.continue);
+        sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+      });
+
+      it(`returns user data and doesn't log deprecation warning if checkPrivileges result is unauthorized.`, async () => {
+        const user = { username: 'user' };
+        authenticateStub.returns(
+          Promise.resolve(AuthenticationResult.succeeded(user))
+        );
+        const checkPrivilegesStub = sinon.stub().returns({ result: CHECK_PRIVILEGES_RESULT.UNAUTHORIZED });
+        checkPrivilegesWithRequestStub.returns(checkPrivilegesStub);
+
+        await loginRoute.handler(request, replyStub);
+
+        sinon.assert.calledWithExactly(checkPrivilegesWithRequestStub, request);
+        sinon.assert.calledWithExactly(checkPrivilegesStub, [serverStub.plugins.security.authorization.actions.login]);
+        sinon.assert.neverCalledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
+        sinon.assert.notCalled(replyStub);
+        sinon.assert.calledOnce(replyStub.continue);
+        sinon.assert.calledWithExactly(replyStub.continue, { credentials: user });
+      });
     });
+
   });
 
   describe('logout', () => {
diff --git a/x-pack/plugins/security/server/routes/api/v1/authenticate.js b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
index 9697774bfe8919..4b5d847b724b21 100644
--- a/x-pack/plugins/security/server/routes/api/v1/authenticate.js
+++ b/x-pack/plugins/security/server/routes/api/v1/authenticate.js
@@ -9,8 +9,10 @@ import Joi from 'joi';
 import { wrapError } from '../../../lib/errors';
 import { BasicCredentials } from '../../../../server/lib/authentication/providers/basic';
 import { canRedirectRequest } from '../../../lib/can_redirect_request';
+import { CHECK_PRIVILEGES_RESULT } from '../../../../server/lib/authorization';
 
 export function initAuthenticateApi(server) {
+
   server.route({
     method: 'POST',
     path: '/api/security/v1/login',
@@ -35,6 +37,14 @@ export function initAuthenticateApi(server) {
           return reply(Boom.unauthorized(authenticationResult.error));
         }
 
+        const { authorization } = server.plugins.security;
+        const checkPrivileges = authorization.checkPrivilegesWithRequest(request);
+        const privilegeCheck = await checkPrivileges([authorization.actions.login]);
+        if (privilegeCheck.result === CHECK_PRIVILEGES_RESULT.LEGACY) {
+          const msg = `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
+          server.log(['warning', 'deprecated', 'security'], msg);
+        }
+
         return reply.continue({ credentials: authenticationResult.user });
       } catch(err) {
         return reply(wrapError(err));
diff --git a/x-pack/plugins/security/server/routes/api/v1/privileges.js b/x-pack/plugins/security/server/routes/api/v1/privileges.js
new file mode 100644
index 00000000000000..4bf1b2c5cc7a5e
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/api/v1/privileges.js
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { buildPrivilegeMap } from '../../../lib/authorization';
+
+export function initPrivilegesApi(server) {
+  const { authorization } = server.plugins.security;
+  const savedObjectTypes = server.savedObjects.types;
+
+  server.route({
+    method: 'GET',
+    path: '/api/security/v1/privileges',
+    handler(request, reply) {
+      // we're returning our representation of the privileges, as opposed to the ones that are stored
+      // in Elasticsearch because our current thinking is that we'll associate additional structure/metadata
+      // with our view of them to allow users to more efficiently edit privileges for roles, and serialize it
+      // into a different structure for enforcement within Elasticsearch
+      const privileges = buildPrivilegeMap(savedObjectTypes, authorization.application, authorization.actions);
+      reply(Object.values(privileges));
+    }
+  });
+}
diff --git a/x-pack/plugins/security/server/routes/api/v1/roles.js b/x-pack/plugins/security/server/routes/api/v1/roles.js
deleted file mode 100644
index 331d85bb58c50d..00000000000000
--- a/x-pack/plugins/security/server/routes/api/v1/roles.js
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-
-import _ from 'lodash';
-import Boom from 'boom';
-import { getClient } from '../../../../../../server/lib/get_client_shield';
-import { roleSchema } from '../../../lib/role_schema';
-import { wrapError } from '../../../lib/errors';
-import { routePreCheckLicense } from '../../../lib/route_pre_check_license';
-
-export function initRolesApi(server) {
-  const callWithRequest = getClient(server).callWithRequest;
-  const routePreCheckLicenseFn = routePreCheckLicense(server);
-
-  server.route({
-    method: 'GET',
-    path: '/api/security/v1/roles',
-    handler(request, reply) {
-      return callWithRequest(request, 'shield.getRole').then(
-        (response) => {
-          const roles = _.map(response, (role, name) => _.assign(role, { name }));
-          return reply(roles);
-        },
-        _.flow(wrapError, reply)
-      );
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'GET',
-    path: '/api/security/v1/roles/{name}',
-    handler(request, reply) {
-      const name = request.params.name;
-      return callWithRequest(request, 'shield.getRole', { name }).then(
-        (response) => {
-          if (response[name]) return reply(_.assign(response[name], { name }));
-          return reply(Boom.notFound());
-        },
-        _.flow(wrapError, reply));
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'POST',
-    path: '/api/security/v1/roles/{name}',
-    handler(request, reply) {
-      const name = request.params.name;
-      const body = _.omit(request.payload, 'name');
-      return callWithRequest(request, 'shield.putRole', { name, body }).then(
-        () => reply(request.payload),
-        _.flow(wrapError, reply));
-    },
-    config: {
-      validate: {
-        payload: roleSchema
-      },
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-
-  server.route({
-    method: 'DELETE',
-    path: '/api/security/v1/roles/{name}',
-    handler(request, reply) {
-      const name = request.params.name;
-      return callWithRequest(request, 'shield.deleteRole', { name }).then(
-        () => reply().code(204),
-        _.flow(wrapError, reply));
-    },
-    config: {
-      pre: [routePreCheckLicenseFn]
-    }
-  });
-}
diff --git a/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js b/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
index 4d896268d4d8a2..260b86d03f17a2 100644
--- a/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
+++ b/x-pack/plugins/xpack_main/server/lib/__tests__/xpack_info.js
@@ -67,7 +67,7 @@ describe('XPackInfo', () => {
 
     mockServer = sinon.stub({
       plugins: { elasticsearch: mockElasticsearchPlugin },
-      log() {}
+      log() { }
     });
   });
 
@@ -151,9 +151,9 @@ describe('XPackInfo', () => {
       expect(xPackInfo.unavailableReason()).to.be(randomError);
       sinon.assert.calledWithExactly(
         mockServer.log,
-        [ 'license', 'warning', 'xpack' ],
+        ['license', 'warning', 'xpack'],
         `License information from the X-Pack plugin could not be obtained from Elasticsearch` +
-          ` for the [data] cluster. ${randomError}`
+        ` for the [data] cluster. ${randomError}`
       );
 
       const badRequestError = new Error('Bad request');
@@ -168,9 +168,9 @@ describe('XPackInfo', () => {
       );
       sinon.assert.calledWithExactly(
         mockServer.log,
-        [ 'license', 'warning', 'xpack' ],
+        ['license', 'warning', 'xpack'],
         `License information from the X-Pack plugin could not be obtained from Elasticsearch` +
-          ` for the [data] cluster. ${badRequestError}`
+        ` for the [data] cluster. ${badRequestError}`
       );
 
       mockElasticsearchCluster.callWithInternalUser.returns(getMockXPackInfoAPIResponse());
diff --git a/x-pack/plugins/xpack_main/server/lib/xpack_info.js b/x-pack/plugins/xpack_main/server/lib/xpack_info.js
index 3a8d00904885e1..39766c0ac8156c 100644
--- a/x-pack/plugins/xpack_main/server/lib/xpack_info.js
+++ b/x-pack/plugins/xpack_main/server/lib/xpack_info.js
@@ -36,6 +36,7 @@ export class XPackInfo {
    */
   _licenseInfoChangedListeners = new Set();
 
+
   /**
    * Cache that may contain last xpack info API response or error, json representation
    * of xpack info and xpack info signature.
@@ -150,7 +151,7 @@ export class XPackInfo {
         this._log(
           ['license', 'info', 'xpack'],
           `Imported ${this._cache.response ? 'changed ' : ''}license information` +
-            ` from Elasticsearch for the [${this._clusterSource}] cluster: ${licenseInfo}`
+          ` from Elasticsearch for the [${this._clusterSource}] cluster: ${licenseInfo}`
         );
       }
 
@@ -165,9 +166,9 @@ export class XPackInfo {
 
     } catch(error) {
       this._log(
-        [ 'license', 'warning', 'xpack' ],
+        ['license', 'warning', 'xpack'],
         `License information from the X-Pack plugin could not be obtained from Elasticsearch` +
-          ` for the [${this._clusterSource}] cluster. ${error}`
+        ` for the [${this._clusterSource}] cluster. ${error}`
       );
 
       this._cache = { error };
diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
index 112826a0919e0d..0658878996ec2e 100644
--- a/x-pack/scripts/functional_tests.js
+++ b/x-pack/scripts/functional_tests.js
@@ -14,4 +14,5 @@ require('@kbn/test').runTestsCli([
   require.resolve('../test/functional/config.js'),
   require.resolve('../test/api_integration/config.js'),
   require.resolve('../test/saml_api_integration/config.js'),
+  require.resolve('../test/rbac_api_integration/config.js'),
 ]);
diff --git a/x-pack/server/lib/esjs_shield_plugin.js b/x-pack/server/lib/esjs_shield_plugin.js
index f4e5cf17329293..016ade902029c5 100644
--- a/x-pack/server/lib/esjs_shield_plugin.js
+++ b/x-pack/server/lib/esjs_shield_plugin.js
@@ -361,5 +361,36 @@
         fmt: '/_xpack/security/oauth2/token'
       }
     });
+
+    shield.getPrivilege = ca({
+      method: 'GET',
+      urls: [{
+        fmt: '/_xpack/security/privilege/<%=privilege%>',
+        req: {
+          privilege: {
+            type: 'string',
+            required: false
+          }
+        }
+      }, {
+        fmt: '/_xpack/security/privilege'
+      }]
+    });
+
+    shield.postPrivileges = ca({
+      method: 'POST',
+      needBody: true,
+      url: {
+        fmt: '/_xpack/security/privilege'
+      }
+    });
+
+    shield.hasPrivileges = ca({
+      method: 'POST',
+      needBody: true,
+      url: {
+        fmt: '/_xpack/security/user/_has_privileges'
+      }
+    });
   };
 }));
diff --git a/x-pack/test/api_integration/apis/security/index.js b/x-pack/test/api_integration/apis/security/index.js
index 08d020da311f48..ff3e5b33e832b7 100644
--- a/x-pack/test/api_integration/apis/security/index.js
+++ b/x-pack/test/api_integration/apis/security/index.js
@@ -7,5 +7,6 @@
 export default function ({ loadTestFile }) {
   describe('security', () => {
     loadTestFile(require.resolve('./basic_login'));
+    loadTestFile(require.resolve('./roles'));
   });
 }
diff --git a/x-pack/test/api_integration/apis/security/roles.js b/x-pack/test/api_integration/apis/security/roles.js
new file mode 100644
index 00000000000000..f77ea88bde2c8a
--- /dev/null
+++ b/x-pack/test/api_integration/apis/security/roles.js
@@ -0,0 +1,221 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+
+export default function ({ getService }) {
+  const es = getService('es');
+  const supertest = getService('supertest');
+
+  describe('Roles', () => {
+    describe('Create Role', () => {
+      it('should allow us to create an empty role', async () => {
+        await supertest.put('/api/security/role/empty_role')
+          .set('kbn-xsrf', 'xxx')
+          .send({})
+          .expect(204);
+      });
+
+      it('should create a role with kibana and elasticsearch privileges', async () => {
+        await supertest.put('/api/security/role/role_with_privileges')
+          .set('kbn-xsrf', 'xxx')
+          .send({
+            metadata: {
+              foo: 'test-metadata',
+            },
+            elasticsearch: {
+              cluster: ['manage'],
+              indices: [
+                {
+                  field_security: {
+                    grant: ['*'],
+                    except: [ 'geo.*' ]
+                  },
+                  names: ['logstash-*'],
+                  privileges: ['read', 'view_index_metadata'],
+                  query: `{ "match": { "geo.src": "CN" } }`,
+                },
+              ],
+              run_as: ['watcher_user'],
+            },
+            kibana: [
+              {
+                privileges: ['all'],
+              },
+              {
+                privileges: ['read'],
+              },
+            ],
+          })
+          .expect(204);
+
+        const role = await es.shield.getRole({ name: 'role_with_privileges' });
+        expect(role).to.eql({
+          role_with_privileges: {
+            cluster: ['manage'],
+            indices: [
+              {
+                names: ['logstash-*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: {
+                  grant: ['*'],
+                  except: [ 'geo.*' ]
+                },
+                query: `{ "match": { "geo.src": "CN" } }`,
+              },
+            ],
+            applications: [
+              {
+                application: 'kibana-.kibana',
+                privileges: ['all'],
+                resources: ['*'],
+              },
+              {
+                application: 'kibana-.kibana',
+                privileges: ['read'],
+                resources: ['*'],
+              }
+            ],
+            run_as: ['watcher_user'],
+            metadata: {
+              foo: 'test-metadata',
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+          }
+        });
+      });
+    });
+
+    describe('Update Role', () => {
+      it('should update a role with elasticsearch, kibana and other applications privileges', async () => {
+        await es.shield.putRole({
+          name: 'role_to_update',
+          body: {
+            cluster: ['monitor'],
+            indices: [
+              {
+                names: ['beats-*'],
+                privileges: ['write'],
+                field_security: {
+                  grant: [ 'request.*' ],
+                  except: [ 'response.*' ]
+                },
+                query: `{ "match": { "host.name": "localhost" } }`,
+              },
+            ],
+            applications: [
+              {
+                application: 'kibana-.kibana',
+                privileges: ['read'],
+                resources: ['*'],
+              },
+              {
+                application: 'logstash-default',
+                privileges: ['logstash-privilege'],
+                resources: ['*'],
+              },
+            ],
+            run_as: ['reporting_user'],
+            metadata: {
+              bar: 'old-metadata',
+            },
+          }
+        });
+
+        await supertest.put('/api/security/role/role_to_update')
+          .set('kbn-xsrf', 'xxx')
+          .send({
+            metadata: {
+              foo: 'test-metadata',
+            },
+            elasticsearch: {
+              cluster: ['manage'],
+              indices: [
+                {
+                  field_security: {
+                    grant: ['*'],
+                    except: [ 'geo.*' ]
+                  },
+                  names: ['logstash-*'],
+                  privileges: ['read', 'view_index_metadata'],
+                  query: `{ "match": { "geo.src": "CN" } }`,
+                },
+              ],
+              run_as: ['watcher_user'],
+            },
+            kibana: [
+              {
+                privileges: ['all'],
+              },
+              {
+                privileges: ['read'],
+              },
+            ],
+          })
+          .expect(204);
+
+        const role = await es.shield.getRole({ name: 'role_to_update' });
+        expect(role).to.eql({
+          role_to_update: {
+            cluster: ['manage'],
+            indices: [
+              {
+                names: ['logstash-*'],
+                privileges: ['read', 'view_index_metadata'],
+                field_security: {
+                  grant: ['*'],
+                  except: [ 'geo.*' ]
+                },
+                query: `{ "match": { "geo.src": "CN" } }`,
+              },
+            ],
+            applications: [
+              {
+                application: 'kibana-.kibana',
+                privileges: ['all'],
+                resources: ['*'],
+              },
+              {
+                application: 'kibana-.kibana',
+                privileges: ['read'],
+                resources: ['*'],
+              },
+              {
+                application: 'logstash-default',
+                privileges: ['logstash-privilege'],
+                resources: ['*'],
+              },
+            ],
+            run_as: ['watcher_user'],
+            metadata: {
+              foo: 'test-metadata',
+            },
+            transient_metadata: {
+              enabled: true,
+            },
+          }
+        });
+      });
+    });
+
+    describe('Delete Role', () => {
+      it('should delete the three roles we created', async () => {
+        await supertest.delete('/api/security/role/empty_role').set('kbn-xsrf', 'xxx').expect(204);
+        await supertest.delete('/api/security/role/role_with_privileges').set('kbn-xsrf', 'xxx').expect(204);
+        await supertest.delete('/api/security/role/role_to_update').set('kbn-xsrf', 'xxx').expect(204);
+
+        const emptyRole = await es.shield.getRole({ name: 'empty_role', ignore: [404] });
+        expect(emptyRole).to.eql({});
+        const roleWithPrivileges = await es.shield.getRole({ name: 'role_with_privileges', ignore: [404] });
+        expect(roleWithPrivileges).to.eql({});
+        const roleToUpdate = await es.shield.getRole({ name: 'role_to_update', ignore: [404] });
+        expect(roleToUpdate).to.eql({});
+      });
+    });
+  });
+}
diff --git a/x-pack/test/api_integration/config.js b/x-pack/test/api_integration/config.js
index d380912d7c37e0..ee969a2348e7c3 100644
--- a/x-pack/test/api_integration/config.js
+++ b/x-pack/test/api_integration/config.js
@@ -5,6 +5,8 @@
  */
 
 import {
+  EsProvider,
+  EsSupertestWithoutAuthProvider,
   SupertestWithoutAuthProvider,
   UsageAPIProvider,
 } from './services';
@@ -23,7 +25,8 @@ export default async function ({ readConfigFile }) {
       supertest: kibanaAPITestsConfig.get('services.supertest'),
       esSupertest: kibanaAPITestsConfig.get('services.esSupertest'),
       supertestWithoutAuth: SupertestWithoutAuthProvider,
-      es: kibanaCommonConfig.get('services.es'),
+      esSupertestWithoutAuth: EsSupertestWithoutAuthProvider,
+      es: EsProvider,
       esArchiver: kibanaCommonConfig.get('services.esArchiver'),
       usageAPI: UsageAPIProvider,
       kibanaServer: kibanaCommonConfig.get('services.kibanaServer'),
diff --git a/x-pack/test/api_integration/services/es.js b/x-pack/test/api_integration/services/es.js
new file mode 100644
index 00000000000000..420541fa7ec5f6
--- /dev/null
+++ b/x-pack/test/api_integration/services/es.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { format as formatUrl } from 'url';
+
+import elasticsearch from 'elasticsearch';
+import shieldPlugin from '../../../server/lib/esjs_shield_plugin';
+
+export function EsProvider({ getService }) {
+  const config = getService('config');
+
+  return new elasticsearch.Client({
+    host: formatUrl(config.get('servers.elasticsearch')),
+    requestTimeout: config.get('timeouts.esRequestTimeout'),
+    plugins: [shieldPlugin]
+  });
+}
diff --git a/x-pack/test/api_integration/services/es_supertest_without_auth.js b/x-pack/test/api_integration/services/es_supertest_without_auth.js
new file mode 100644
index 00000000000000..7f0f051bbdfbb7
--- /dev/null
+++ b/x-pack/test/api_integration/services/es_supertest_without_auth.js
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { format as formatUrl } from 'url';
+
+import supertestAsPromised from 'supertest-as-promised';
+
+/**
+ * Supertest provider that doesn't include user credentials into base URL that is passed
+ * to the supertest.
+ */
+export function EsSupertestWithoutAuthProvider({ getService }) {
+  const config = getService('config');
+  const elasticsearchServerConfig = config.get('servers.elasticsearch');
+
+  return supertestAsPromised(formatUrl({
+    ...elasticsearchServerConfig,
+    auth: false
+  }));
+}
diff --git a/x-pack/test/api_integration/services/index.js b/x-pack/test/api_integration/services/index.js
index 52ec6ba95586af..2ae5ceef22496f 100644
--- a/x-pack/test/api_integration/services/index.js
+++ b/x-pack/test/api_integration/services/index.js
@@ -4,5 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export { EsProvider } from './es';
+export { EsSupertestWithoutAuthProvider } from './es_supertest_without_auth';
 export { SupertestWithoutAuthProvider } from './supertest_without_auth';
 export { UsageAPIProvider } from './usage_api';
diff --git a/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js b/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js
index e2557bf4b4de13..ea5fd1ad227303 100644
--- a/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js
+++ b/x-pack/test/functional/apps/monitoring/elasticsearch/shards.js
@@ -33,6 +33,8 @@ export default function ({ getService, getPageObjects }) {
         // start on cluster overview
         await PageObjects.monitoring.clickBreadcrumb('breadcrumbClusters');
 
+        await PageObjects.header.waitUntilLoadingHasFinished();
+
         // go to nodes listing
         await overview.clickEsNodes();
         expect(await nodesList.isOnListing()).to.be(true);
diff --git a/x-pack/test/functional/apps/security/index.js b/x-pack/test/functional/apps/security/index.js
index 6ce78db910e3b3..7e3a1b2b813d51 100644
--- a/x-pack/test/functional/apps/security/index.js
+++ b/x-pack/test/functional/apps/security/index.js
@@ -12,5 +12,6 @@ export default function ({ loadTestFile }) {
     loadTestFile(require.resolve('./users'));
     loadTestFile(require.resolve('./secure_roles_perm'));
     loadTestFile(require.resolve('./field_level_security'));
+    loadTestFile(require.resolve('./rbac_phase1'));
   });
 }
diff --git a/x-pack/test/functional/apps/security/rbac_phase1.js b/x-pack/test/functional/apps/security/rbac_phase1.js
new file mode 100644
index 00000000000000..e1ede796e13858
--- /dev/null
+++ b/x-pack/test/functional/apps/security/rbac_phase1.js
@@ -0,0 +1,124 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License;
+* you may not use this file except in compliance with the Elastic License.
+*/
+
+import expect from 'expect.js';
+import { indexBy } from 'lodash';
+export default function ({ getService, getPageObjects }) {
+
+  const PageObjects = getPageObjects(['security', 'settings', 'common', 'visualize', 'header']);
+  const log = getService('log');
+  const esArchiver = getService('esArchiver');
+  const remote = getService('remote');
+  const kibanaServer = getService('kibanaServer');
+
+  describe.skip('rbac ', async function () {
+    before(async () => {
+      await remote.setWindowSize(1600, 1000);
+      log.debug('users');
+      await esArchiver.loadIfNeeded('logstash_functional');
+      log.debug('load kibana index with default index pattern');
+      await esArchiver.load('discover');
+      await kibanaServer.uiSettings.replace({ 'dateFormat:tz': 'UTC', 'defaultIndex': 'logstash-*' });
+      await PageObjects.settings.navigateTo();
+      await PageObjects.security.clickElasticsearchRoles();
+      await PageObjects.security.addRole('rbac_all', {
+        "kibana": ["all"],
+        "indices": [{
+          "names": [ "logstash-*" ],
+          "privileges": [ "read", "view_index_metadata" ]
+        }]
+      });
+
+      await PageObjects.security.clickElasticsearchRoles();
+      await PageObjects.security.addRole('rbac_read', {
+        "kibana": ["read"],
+        "indices": [{
+          "names": [ "logstash-*" ],
+          "privileges": [ "read", "view_index_metadata" ]
+        }]
+      });
+      await PageObjects.security.clickElasticsearchUsers();
+      log.debug('After Add user new: , userObj.userName');
+      await PageObjects.security.addUser({ username: 'kibanauser', password: 'changeme',
+        confirmPassword: 'changeme', fullname: 'kibanafirst kibanalast',
+        email: 'kibanauser@myEmail.com', save: true,
+        roles: ['rbac_all'] });
+      log.debug('After Add user: , userObj.userName');
+      const users = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
+      log.debug('actualUsers = %j', users);
+      log.debug('roles: ', users.kibanauser.roles);
+      expect(users.kibanauser.roles).to.eql(['rbac_all']);
+      expect(users.kibanauser.fullname).to.eql('kibanafirst kibanalast');
+      expect(users.kibanauser.reserved).to.be(false);
+      await PageObjects.security.clickElasticsearchUsers();
+      log.debug('After Add user new: , userObj.userName');
+      await PageObjects.security.addUser({ username: 'kibanareadonly', password: 'changeme',
+        confirmPassword: 'changeme', fullname: 'kibanareadonlyFirst kibanareadonlyLast',
+        email: 'kibanareadonly@myEmail.com', save: true,
+        roles: ['rbac_read'] });
+      log.debug('After Add user: , userObj.userName');
+      const users1 = indexBy(await PageObjects.security.getElasticsearchUsers(), 'username');
+      const user = users1.kibanareadonly;
+      log.debug('actualUsers = %j', users1);
+      log.debug('roles: ', user.roles);
+      expect(user.roles).to.eql(['rbac_read']);
+      expect(user.fullname).to.eql('kibanareadonlyFirst kibanareadonlyLast');
+      expect(user.reserved).to.be(false);
+      await PageObjects.security.logout();
+    });
+
+
+    //   this is to acertain that all role assigned to the user can perform actions like creating a Visualization
+    it('rbac all role can save a visualization', async function () {
+      const fromTime = '2015-09-19 06:31:44.000';
+      const toTime = '2015-09-23 18:31:44.000';
+      const vizName1 = 'Visualization VerticalBarChart';
+
+      log.debug('navigateToApp visualize');
+      await PageObjects.security.login('kibanauser', 'changeme');
+      await PageObjects.common.navigateToUrl('visualize', 'new');
+      log.debug('clickVerticalBarChart');
+      await PageObjects.visualize.clickVerticalBarChart();
+      await PageObjects.visualize.clickNewSearch();
+      log.debug('Set absolute time range from \"' + fromTime + '\" to \"' + toTime + '\"');
+      await PageObjects.header.setAbsoluteRange(fromTime, toTime);
+      await PageObjects.visualize.clickGo();
+      await PageObjects.header.waitUntilLoadingHasFinished();
+      await PageObjects.visualize.waitForVisualization();
+      const success = await PageObjects.visualize.saveVisualization(vizName1);
+      expect(success).to.be(true);
+      await PageObjects.security.logout();
+
+    });
+
+    it('rbac read only role can not  save a visualization', async function () {
+      const fromTime = '2015-09-19 06:31:44.000';
+      const toTime = '2015-09-23 18:31:44.000';
+      const vizName1 = 'Viz VerticalBarChart';
+
+      log.debug('navigateToApp visualize');
+      await PageObjects.security.login('kibanareadonly', 'changeme');
+      await PageObjects.common.navigateToUrl('visualize', 'new');
+      log.debug('clickVerticalBarChart');
+      await PageObjects.visualize.clickVerticalBarChart();
+      await PageObjects.visualize.clickNewSearch();
+      log.debug('Set absolute time range from \"' + fromTime + '\" to \"' + toTime + '\"');
+      await PageObjects.header.setAbsoluteRange(fromTime, toTime);
+      await PageObjects.visualize.clickGo();
+      await PageObjects.header.waitUntilLoadingHasFinished();
+      await PageObjects.visualize.waitForVisualization();
+      const success = await PageObjects.visualize.saveVisualization(vizName1);
+      expect(success).to.be(false);
+      await PageObjects.security.logout();
+
+    });
+
+    after(async function () {
+      await PageObjects.security.logout();
+    });
+
+  });
+}
diff --git a/x-pack/test/functional/apps/security/secure_roles_perm.js b/x-pack/test/functional/apps/security/secure_roles_perm.js
index fd64431b3ca7fe..5a693e74b9327a 100644
--- a/x-pack/test/functional/apps/security/secure_roles_perm.js
+++ b/x-pack/test/functional/apps/security/secure_roles_perm.js
@@ -18,7 +18,7 @@ export default function ({ getService, getPageObjects }) {
 
 
 
-  describe('security', function () {
+  describe('secure roles and permissions', function () {
     before(async () => {
       await remote.setWindowSize(1600, 1000);
       log.debug('users');
diff --git a/x-pack/test/functional/page_objects/security_page.js b/x-pack/test/functional/page_objects/security_page.js
index 61ebe75492ab56..12b6c9429ba618 100644
--- a/x-pack/test/functional/page_objects/security_page.js
+++ b/x-pack/test/functional/page_objects/security_page.js
@@ -176,18 +176,13 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
         const fullnameElement = await user.findByCssSelector('[data-test-subj="userRowFullName"]');
         const usernameElement = await user.findByCssSelector('[data-test-subj="userRowUserName"]');
         const rolesElement = await user.findByCssSelector('[data-test-subj="userRowRoles"]');
-        let reserved = false;
-        try {
-          reserved = !!(await user.findByCssSelector('[data-test-subj="reservedUser"]'));
-        } catch(e) {
-          //ignoring, just means user is not reserved
-        }
+        const isReservedElementVisible =  await user.findByCssSelector('td:last-child');
 
         return {
           username: await usernameElement.getVisibleText(),
           fullname: await fullnameElement.getVisibleText(),
           roles: (await rolesElement.getVisibleText()).split(',').map(role => role.trim()),
-          reserved
+          reserved: (await isReservedElementVisible.getProperty('innerHTML')).includes('reservedUser')
         };
       });
     }
@@ -258,6 +253,31 @@ export function SecurityPageProvider({ getService, getPageObjects }) {
             return testSubjects.setValue('queryInput0', userObj.indices[0].query);
           }
         })
+
+        //KibanaPriv
+        .then(function () {
+
+          function addKibanaPriv(priv) {
+
+            return priv.reduce(function (promise, privName) {
+              // We have to use non-test-subject selectors because this markup is generated by ui-select.
+              return promise
+
+                .then(function () {
+                  log.debug('priv item = ' + privName);
+                  remote.setFindTimeout(defaultFindTimeout)
+                    .findByCssSelector(`[data-test-subj="kibanaPrivileges-${privName}"]`)
+                    .click();
+                })
+                .then(function () {
+                  return PageObjects.common.sleep(500);
+                });
+
+            }, Promise.resolve());
+          }
+          return userObj.kibana ? addKibanaPriv(userObj.kibana) : Promise.resolve();
+        })
+
         .then(function () {
 
           function addPriv(priv) {
diff --git a/x-pack/test/rbac_api_integration/apis/es/has_privileges.js b/x-pack/test/rbac_api_integration/apis/es/has_privileges.js
new file mode 100644
index 00000000000000..1e30eb774cc029
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/es/has_privileges.js
@@ -0,0 +1,140 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+
+const application = 'has_privileges_test';
+
+export default function ({ getService }) {
+
+  describe('has_privileges', () => {
+    before(async () => {
+      const es = getService('es');
+
+      await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction2'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      await es.shield.putRole({
+        name: 'hp_read_user',
+        body: {
+          cluster: [],
+          index: [],
+          applications: [{
+            application,
+            privileges: ['read'],
+            resources: ['*']
+          }]
+        }
+      });
+
+      await es.shield.putUser({
+        username: 'testuser',
+        body: {
+          password: 'testpassword',
+          roles: ['hp_read_user'],
+          full_name: 'a kibana user',
+          email: 'a_kibana_rbac_user@elastic.co',
+        }
+      });
+    });
+
+    function createHasPrivilegesRequest(privileges) {
+      const supertest = getService('esSupertestWithoutAuth');
+      return supertest
+        .post(`/_xpack/security/user/_has_privileges`)
+        .auth('testuser', 'testpassword')
+        .send({
+          applications: [{
+            application,
+            privileges,
+            resources: ['*']
+          }]
+        })
+        .expect(200);
+    }
+
+    it('should return true when user has the requested privilege', async () => {
+      await createHasPrivilegesRequest(['read'])
+        .then(response => {
+          expect(response.body).to.eql({
+            username: 'testuser',
+            has_all_requested: true,
+            cluster: {},
+            index: {},
+            application: {
+              has_privileges_test: {
+                ['*']: {
+                  read: true
+                }
+              },
+            }
+          });
+        });
+    });
+
+    it('should return true when user has a newly created privilege', async () => {
+      // verify user does not have privilege yet
+      await createHasPrivilegesRequest(['action:a_new_privilege'])
+        .then(response => {
+          expect(response.body).to.eql({
+            username: 'testuser',
+            has_all_requested: false,
+            cluster: {},
+            index: {},
+            application: {
+              has_privileges_test: {
+                ['*']: {
+                  'action:a_new_privilege': false
+                }
+              },
+            }
+          });
+        });
+
+      // Create privilege
+      const es = getService('es');
+      await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction2', 'action:a_new_privilege'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      // verify user has new privilege
+      await createHasPrivilegesRequest(['action:a_new_privilege'])
+        .then(response => {
+          expect(response.body).to.eql({
+            username: 'testuser',
+            has_all_requested: true,
+            cluster: {},
+            index: {},
+            application: {
+              has_privileges_test: {
+                ['*']: {
+                  'action:a_new_privilege': true
+                }
+              },
+            }
+          });
+        });
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/es/index.js b/x-pack/test/rbac_api_integration/apis/es/index.js
new file mode 100644
index 00000000000000..6317d6b93878fc
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/es/index.js
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export default function ({ loadTestFile }) {
+  describe('rbac es', () => {
+    loadTestFile(require.resolve('./has_privileges'));
+    loadTestFile(require.resolve('./post_privileges'));
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/es/post_privileges.js b/x-pack/test/rbac_api_integration/apis/es/post_privileges.js
new file mode 100644
index 00000000000000..bf2266575d3b1f
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/es/post_privileges.js
@@ -0,0 +1,98 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+
+export default function ({ getService }) {
+
+  describe('post_privileges', () => {
+    it('should allow privileges to be updated', async () => {
+      const es = getService('es');
+      const application = 'foo';
+      const response = await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            all: {
+              application,
+              name: 'all',
+              actions: ['action:*'],
+              metadata: {},
+            },
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction2'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      expect(response).to.eql({
+        foo: {
+          all: { created: true },
+          read: { created: true }
+        }
+      });
+
+
+      // Update privileges:
+      // 1. Not specifying the "all" privilege that we created above
+      // 2. Specifying a different collection of "read" actions
+      // 3. Adding a new "other" privilege
+      const updateResponse = await es.shield.postPrivileges({
+        body: {
+          [application]: {
+            read: {
+              application,
+              name: 'read',
+              actions: ['action:readAction1', 'action:readAction4'],
+              metadata: {}
+            },
+            other: {
+              application,
+              name: 'other',
+              actions: ['action:otherAction1'],
+              metadata: {},
+            }
+          }
+        }
+      });
+
+      expect(updateResponse).to.eql({
+        foo: {
+          other: { created: true },
+          read: { created: false }
+        }
+      });
+
+      const retrievedPrivilege = await es.shield.getPrivilege({ privilege: application });
+      expect(retrievedPrivilege).to.eql({
+        foo: {
+          // "all" is maintained even though the subsequent update did not specify this privilege
+          all: {
+            application,
+            name: 'all',
+            actions: ['action:*'],
+            metadata: {},
+          },
+          read: {
+            application,
+            name: 'read',
+            // actions should only contain what was present in the update. The original actions are not persisted or merged here.
+            actions: ['action:readAction1', 'action:readAction4'],
+            metadata: {},
+          },
+          other: {
+            application,
+            name: 'other',
+            actions: ['action:otherAction1'],
+            metadata: {},
+          }
+        }
+      });
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/index.js b/x-pack/test/rbac_api_integration/apis/index.js
new file mode 100644
index 00000000000000..cf26e2e7cf4d85
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/index.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export default function ({ loadTestFile }) {
+  describe('apis RBAC', () => {
+    loadTestFile(require.resolve('./es'));
+    loadTestFile(require.resolve('./privileges'));
+    loadTestFile(require.resolve('./saved_objects'));
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/privileges/index.js b/x-pack/test/rbac_api_integration/apis/privileges/index.js
new file mode 100644
index 00000000000000..9563a1b65540f0
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/privileges/index.js
@@ -0,0 +1,66 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import expect from 'expect.js';
+
+export default function ({ getService }) {
+  describe('privileges', () => {
+    it(`get should return privileges`, async () => {
+      const supertest = getService('supertest');
+      const kibanaServer = getService('kibanaServer');
+      const version = await kibanaServer.version.get();
+
+      await supertest
+        .get(`/api/security/v1/privileges`)
+        .expect(200)
+        .then(resp => {
+          expect(resp.body).to.eql([
+            {
+              application: 'kibana-.kibana',
+              name: 'all',
+              actions: [`version:${version}`, 'action:*'],
+              metadata: {},
+            },
+            {
+              application: 'kibana-.kibana',
+              name: 'read',
+              actions: [
+                `version:${version}`,
+                'action:login',
+                'action:saved_objects/config/get',
+                'action:saved_objects/config/bulk_get',
+                'action:saved_objects/config/find',
+                'action:saved_objects/timelion-sheet/get',
+                'action:saved_objects/timelion-sheet/bulk_get',
+                'action:saved_objects/timelion-sheet/find',
+                'action:saved_objects/graph-workspace/get',
+                'action:saved_objects/graph-workspace/bulk_get',
+                'action:saved_objects/graph-workspace/find',
+                'action:saved_objects/index-pattern/get',
+                'action:saved_objects/index-pattern/bulk_get',
+                'action:saved_objects/index-pattern/find',
+                'action:saved_objects/visualization/get',
+                'action:saved_objects/visualization/bulk_get',
+                'action:saved_objects/visualization/find',
+                'action:saved_objects/search/get',
+                'action:saved_objects/search/bulk_get',
+                'action:saved_objects/search/find',
+                'action:saved_objects/dashboard/get',
+                'action:saved_objects/dashboard/bulk_get',
+                'action:saved_objects/dashboard/find',
+                'action:saved_objects/url/get',
+                'action:saved_objects/url/bulk_get',
+                'action:saved_objects/url/find',
+                'action:saved_objects/server/get',
+                'action:saved_objects/server/bulk_get',
+                'action:saved_objects/server/find',
+              ],
+              metadata: {},
+            },
+          ]);
+        });
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
new file mode 100644
index 00000000000000..6785859e42fbfb
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/bulk_get.js
@@ -0,0 +1,201 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  const BULK_REQUESTS = [
+    {
+      type: 'visualization',
+      id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+    },
+    {
+      type: 'dashboard',
+      id: 'does not exist',
+    },
+    {
+      type: 'config',
+      id: '7.0.0-alpha1',
+    },
+  ];
+
+  describe('_bulk_get', () => {
+    const expectResults = resp => {
+      expect(resp.body).to.eql({
+        saved_objects: [
+          {
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            type: 'visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: resp.body.saved_objects[0].version,
+            attributes: {
+              title: 'Count of requests',
+              description: '',
+              version: 1,
+              // cheat for some of the more complex attributes
+              visState: resp.body.saved_objects[0].attributes.visState,
+              uiStateJSON: resp.body.saved_objects[0].attributes.uiStateJSON,
+              kibanaSavedObjectMeta:
+                resp.body.saved_objects[0].attributes.kibanaSavedObjectMeta,
+            },
+          },
+          {
+            id: 'does not exist',
+            type: 'dashboard',
+            error: {
+              statusCode: 404,
+              message: 'Not found',
+            },
+          },
+          {
+            id: '7.0.0-alpha1',
+            type: 'config',
+            updated_at: '2017-09-21T18:49:16.302Z',
+            version: resp.body.saved_objects[2].version,
+            attributes: {
+              buildNum: 8467,
+              defaultIndex: '91200a00-9efd-11e7-acb3-3dab96693fab',
+            },
+          },
+        ],
+      });
+    };
+
+    const expectRbacForbidden = resp => {
+      //eslint-disable-next-line max-len
+      const missingActions = `action:saved_objects/config/bulk_get,action:saved_objects/dashboard/bulk_get,action:saved_objects/visualization/bulk_get`;
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to bulk_get config,dashboard,visualization, missing ${missingActions}`
+      });
+    };
+
+    const bulkGetTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.default.statusCode}`, async () => {
+          await supertest
+            .post(`/api/saved_objects/_bulk_get`)
+            .auth(auth.username, auth.password)
+            .send(BULK_REQUESTS)
+            .expect(tests.default.statusCode)
+            .then(tests.default.response);
+        });
+      });
+    };
+
+    bulkGetTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        }
+      }
+    });
+
+    bulkGetTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    bulkGetTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/create.js b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
new file mode 100644
index 00000000000000..6a949004371f8f
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/create.js
@@ -0,0 +1,172 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('create', () => {
+    const expectResults = (resp) => {
+      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'visualization',
+        updated_at: resp.body.updated_at,
+        version: 1,
+        attributes: {
+          title: 'My favorite vis'
+        }
+      });
+    };
+
+    const expectRbacForbidden = resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to create visualization, missing action:saved_objects/visualization/create`
+      });
+    };
+
+    const createExpectLegacyForbidden = username => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        //eslint-disable-next-line max-len
+        message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`
+      });
+    };
+
+    const createTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+        it(`should return ${tests.default.statusCode}`, async () => {
+          await supertest
+            .post(`/api/saved_objects/visualization`)
+            .auth(auth.username, auth.password)
+            .send({
+              attributes: {
+                title: 'My favorite vis'
+              }
+            })
+            .expect(tests.default.statusCode)
+            .then(tests.default.response);
+        });
+      });
+    };
+
+    createTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      }
+    });
+
+    createTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    createTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    createTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
+        },
+      }
+    });
+
+    createTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    createTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      }
+    });
+
+    createTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 200,
+          response: expectResults,
+        },
+      }
+    });
+
+    createTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        default: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
new file mode 100644
index 00000000000000..5885eb7919c7bd
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/delete.js
@@ -0,0 +1,204 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('delete', () => {
+
+    const expectEmpty = (resp) => {
+      expect(resp.body).to.eql({});
+    };
+
+    const expectNotFound = (resp) => {
+      expect(resp.body).to.eql({
+        statusCode: 404,
+        error: 'Not Found',
+        message: 'Saved object [dashboard/not-a-real-id] not found'
+      });
+    };
+
+    const expectRbacForbidden = resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to delete dashboard, missing action:saved_objects/dashboard/delete`
+      });
+    };
+
+    const createExpectLegacyForbidden = username => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        //eslint-disable-next-line max-len
+        message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`
+      });
+    };
+
+    const deleteTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.actualId.statusCode} when deleting a doc`, async () => (
+          await supertest
+            .delete(`/api/saved_objects/dashboard/be3733a0-9efe-11e7-acb3-3dab96693fab`)
+            .auth(auth.username, auth.password)
+            .expect(tests.actualId.statusCode)
+            .then(tests.actualId.response)
+        ));
+
+        it(`should return ${tests.invalidId.statusCode} when deleting an unknown doc`, async () => (
+          await supertest
+            .delete(`/api/saved_objects/dashboard/not-a-real-id`)
+            .auth(auth.username, auth.password)
+            .expect(tests.invalidId.statusCode)
+            .then(tests.invalidId.response)
+        ));
+      });
+    };
+
+    deleteTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+        invalidId: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        }
+      }
+    });
+
+    deleteTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: expectNotFound,
+        }
+      }
+    });
+
+    deleteTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: expectNotFound,
+        }
+      }
+    });
+
+    deleteTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
+        },
+        invalidId: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
+        }
+      }
+    });
+
+    deleteTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: expectNotFound,
+        }
+      }
+    });
+
+    deleteTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+        invalidId: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        }
+      }
+    });
+
+    deleteTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 200,
+          response: expectEmpty,
+        },
+        invalidId: {
+          statusCode: 404,
+          response: expectNotFound,
+        }
+      }
+    });
+
+    deleteTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        actualId: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+        invalidId: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        }
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/find.js b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
new file mode 100644
index 00000000000000..5bb42acacd3920
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/find.js
@@ -0,0 +1,468 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('find', () => {
+
+    const expectVisualizationResults = (resp) => {
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: 1,
+        saved_objects: [
+          {
+            type: 'visualization',
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            version: 1,
+            attributes: {
+              'title': 'Count of requests'
+            }
+          }
+        ]
+      });
+    };
+
+    const expectResultsWithValidTypes = (resp) => {
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: 4,
+        saved_objects: [
+          {
+            id: '91200a00-9efd-11e7-acb3-3dab96693fab',
+            type: 'index-pattern',
+            updated_at: '2017-09-21T18:49:16.270Z',
+            version: 1,
+            attributes: resp.body.saved_objects[0].attributes
+          },
+          {
+            id: '7.0.0-alpha1',
+            type: 'config',
+            updated_at: '2017-09-21T18:49:16.302Z',
+            version: 1,
+            attributes: resp.body.saved_objects[1].attributes
+          },
+          {
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            type: 'visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: 1,
+            attributes: resp.body.saved_objects[2].attributes
+          },
+          {
+            id: 'be3733a0-9efe-11e7-acb3-3dab96693fab',
+            type: 'dashboard',
+            updated_at: '2017-09-21T18:57:40.826Z',
+            version: 1,
+            attributes: resp.body.saved_objects[3].attributes
+          },
+        ]
+      });
+    };
+
+    const expectAllResultsIncludingInvalidTypes = (resp) => {
+      expect(resp.body).to.eql({
+        page: 1,
+        per_page: 20,
+        total: 5,
+        saved_objects: [
+          {
+            id: '91200a00-9efd-11e7-acb3-3dab96693fab',
+            type: 'index-pattern',
+            updated_at: '2017-09-21T18:49:16.270Z',
+            version: 1,
+            attributes: resp.body.saved_objects[0].attributes
+          },
+          {
+            id: '7.0.0-alpha1',
+            type: 'config',
+            updated_at: '2017-09-21T18:49:16.302Z',
+            version: 1,
+            attributes: resp.body.saved_objects[1].attributes
+          },
+          {
+            id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+            type: 'visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: 1,
+            attributes: resp.body.saved_objects[2].attributes
+          },
+          {
+            id: 'be3733a0-9efe-11e7-acb3-3dab96693fab',
+            type: 'dashboard',
+            updated_at: '2017-09-21T18:57:40.826Z',
+            version: 1,
+            attributes: resp.body.saved_objects[3].attributes
+          },
+          {
+            id: 'visualization:dd7caf20-9efd-11e7-acb3-3dab96693faa',
+            type: 'not-a-visualization',
+            updated_at: '2017-09-21T18:51:23.794Z',
+            version: 1
+          },
+        ]
+      });
+    };
+
+    const createExpectEmpty = (page, perPage, total) => (resp) => {
+      expect(resp.body).to.eql({
+        page: page,
+        per_page: perPage,
+        total: total,
+        saved_objects: []
+      });
+    };
+
+    const createExpectRbacForbidden = (type) => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to find ${type}, missing action:saved_objects/${type}/find`
+      });
+    };
+
+    const expectForbiddenCantFindAnyTypes = resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Not authorized to find saved_object`
+      });
+    };
+
+    const findTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.normal.statusCode} with ${tests.normal.description}`, async () => (
+          await supertest
+            .get('/api/saved_objects/_find?type=visualization&fields=title')
+            .auth(auth.username, auth.password)
+            .expect(tests.normal.statusCode)
+            .then(tests.normal.response)
+        ));
+
+        describe('unknown type', () => {
+          it(`should return ${tests.unknownType.statusCode} with ${tests.unknownType.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find?type=wigwags')
+              .auth(auth.username, auth.password)
+              .expect(tests.unknownType.statusCode)
+              .then(tests.unknownType.response)
+          ));
+        });
+
+        describe('page beyond total', () => {
+          it(`should return ${tests.pageBeyondTotal.statusCode} with ${tests.pageBeyondTotal.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find?type=visualization&page=100&per_page=100')
+              .auth(auth.username, auth.password)
+              .expect(tests.pageBeyondTotal.statusCode)
+              .then(tests.pageBeyondTotal.response)
+          ));
+        });
+
+        describe('unknown search field', () => {
+          it(`should return ${tests.unknownSearchField.statusCode} with ${tests.unknownSearchField.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find?type=wigwags&search_fields=a')
+              .auth(auth.username, auth.password)
+              .expect(tests.unknownSearchField.statusCode)
+              .then(tests.unknownSearchField.response)
+          ));
+        });
+
+        describe('no type', () => {
+          it(`should return ${tests.noType.statusCode} with ${tests.noType.description}`, async () => (
+            await supertest
+              .get('/api/saved_objects/_find')
+              .auth(auth.username, auth.password)
+              .expect(tests.noType.statusCode)
+              .then(tests.noType.response)
+          ));
+        });
+      });
+    };
+
+    findTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('visualization'),
+        },
+        unknownType: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'forbidden login and find visualization message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('visualization'),
+        },
+        unknownSearchField: {
+          description: 'forbidden login and find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        noType: {
+          description: `forbidded can't find any types`,
+          statusCode: 403,
+          response: expectForbiddenCantFindAnyTypes,
+        }
+      }
+    });
+
+    findTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectResultsWithValidTypes,
+        },
+      },
+    });
+
+    findTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResultsIncludingInvalidTypes,
+        },
+      },
+    });
+
+    findTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectAllResultsIncludingInvalidTypes,
+        },
+      }
+    });
+
+    findTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectResultsWithValidTypes,
+        },
+      },
+    });
+
+    findTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectResultsWithValidTypes,
+        },
+      }
+    });
+
+    findTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(1, 20, 0),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectResultsWithValidTypes,
+        },
+      },
+    });
+
+    findTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        normal: {
+          description: 'only the visualization',
+          statusCode: 200,
+          response: expectVisualizationResults,
+        },
+        unknownType: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        pageBeyondTotal: {
+          description: 'empty result',
+          statusCode: 200,
+          response: createExpectEmpty(100, 100, 1),
+        },
+        unknownSearchField: {
+          description: 'forbidden find wigwags message',
+          statusCode: 403,
+          response: createExpectRbacForbidden('wigwags'),
+        },
+        noType: {
+          description: 'all objects',
+          statusCode: 200,
+          response: expectResultsWithValidTypes,
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/get.js b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
new file mode 100644
index 00000000000000..b640d120555932
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/get.js
@@ -0,0 +1,211 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('get', () => {
+
+    const expectResults = (resp) => {
+      expect(resp.body).to.eql({
+        id: 'dd7caf20-9efd-11e7-acb3-3dab96693fab',
+        type: 'visualization',
+        updated_at: '2017-09-21T18:51:23.794Z',
+        version: resp.body.version,
+        attributes: {
+          title: 'Count of requests',
+          description: '',
+          version: 1,
+          // cheat for some of the more complex attributes
+          visState: resp.body.attributes.visState,
+          uiStateJSON: resp.body.attributes.uiStateJSON,
+          kibanaSavedObjectMeta: resp.body.attributes.kibanaSavedObjectMeta
+        }
+      });
+    };
+
+    const expectNotFound = (resp) => {
+      expect(resp.body).to.eql({
+        error: 'Not Found',
+        message: 'Saved object [visualization/foobar] not found',
+        statusCode: 404,
+      });
+    };
+
+    const expectRbacForbidden = resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to get visualization, missing action:saved_objects/visualization/get`
+      });
+    };
+
+    const getTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+
+        it(`should return ${tests.exists.statusCode}`, async () => (
+          await supertest
+            .get(`/api/saved_objects/visualization/dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .auth(auth.username, auth.password)
+            .expect(tests.exists.statusCode)
+            .then(tests.exists.response)
+        ));
+
+        describe('document does not exist', () => {
+          it(`should return ${tests.doesntExist.statusCode}`, async () => (
+            await supertest
+              .get(`/api/saved_objects/visualization/foobar`)
+              .auth(auth.username, auth.password)
+              .expect(tests.doesntExist.statusCode)
+              .then(tests.doesntExist.response)
+          ));
+        });
+      });
+    };
+
+    getTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      }
+    });
+
+    getTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    getTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/index.js b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
new file mode 100644
index 00000000000000..bdbd23f6dabdf4
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/index.js
@@ -0,0 +1,160 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AUTHENTICATION } from "./lib/authentication";
+
+export default function ({ loadTestFile, getService }) {
+  const es = getService('es');
+  const supertest = getService('supertest');
+
+  describe('saved_objects', () => {
+    before(async () => {
+      await supertest.put('/api/security/role/kibana_legacy_user')
+        .send({
+          elasticsearch: {
+            indices: [{
+              names: ['.kibana'],
+              privileges: ['manage', 'read', 'index', 'delete']
+            }]
+          }
+        });
+
+      await supertest.put('/api/security/role/kibana_legacy_dashboard_only_user')
+        .send({
+          elasticsearch: {
+            indices: [{
+              names: ['.kibana'],
+              privileges: ['read', 'view_index_metadata']
+            }]
+          }
+        });
+
+      await supertest.put('/api/security/role/kibana_dual_privileges_user')
+        .send({
+          elasticsearch: {
+            indices: [{
+              names: ['.kibana'],
+              privileges: ['manage', 'read', 'index', 'delete']
+            }]
+          },
+          kibana: [
+            {
+              privileges: ['all']
+            }
+          ]
+        });
+
+      await supertest.put('/api/security/role/kibana_dual_privileges_dashboard_only_user')
+        .send({
+          elasticsearch: {
+            indices: [{
+              names: ['.kibana'],
+              privileges: ['read', 'view_index_metadata']
+            }]
+          },
+          kibana: [
+            {
+              privileges: ['read']
+            }
+          ]
+        });
+
+      await supertest.put('/api/security/role/kibana_rbac_user')
+        .send({
+          kibana: [
+            {
+              privileges: ['all']
+            }
+          ]
+        });
+
+      await supertest.put('/api/security/role/kibana_rbac_dashboard_only_user')
+        .send({
+          kibana: [
+            {
+              privileges: ['read']
+            }
+          ]
+        });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+          roles: [],
+          full_name: 'not a kibana user',
+          email: 'not_a_kibana_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+          roles: ['kibana_legacy_user'],
+          full_name: 'a kibana legacy user',
+          email: 'a_kibana_legacy_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+          roles: ["kibana_legacy_dashboard_only_user"],
+          full_name: 'a kibana legacy dashboard only user',
+          email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+          roles: ['kibana_dual_privileges_user'],
+          full_name: 'a kibana dual_privileges user',
+          email: 'a_kibana_dual_privileges_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+          roles: ["kibana_dual_privileges_dashboard_only_user"],
+          full_name: 'a kibana dual_privileges dashboard only user',
+          email: 'a_kibana_dual_privileges_dashboard_only_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+          roles: ['kibana_rbac_user'],
+          full_name: 'a kibana user',
+          email: 'a_kibana_rbac_user@elastic.co',
+        }
+      });
+
+      await es.shield.putUser({
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        body: {
+          password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+          roles: ["kibana_rbac_dashboard_only_user"],
+          full_name: 'a kibana dashboard only user',
+          email: 'a_kibana_rbac_dashboard_only_user@elastic.co',
+        }
+      });
+    });
+    loadTestFile(require.resolve('./bulk_get'));
+    loadTestFile(require.resolve('./create'));
+    loadTestFile(require.resolve('./delete'));
+    loadTestFile(require.resolve('./find'));
+    loadTestFile(require.resolve('./get'));
+    loadTestFile(require.resolve('./update'));
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
new file mode 100644
index 00000000000000..5b158a6c8bf377
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/lib/authentication.js
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const AUTHENTICATION = {
+  NOT_A_KIBANA_USER: {
+    USERNAME: 'not_a_kibana_user',
+    PASSWORD: 'password'
+  },
+  SUPERUSER: {
+    USERNAME: 'elastic',
+    PASSWORD: 'changeme'
+  },
+  KIBANA_LEGACY_USER: {
+    USERNAME: 'a_kibana_legacy_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_legacy_dashboard_only_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_DUAL_PRIVILEGES_USER: {
+    USERNAME: 'a_kibana_dual_privileges_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_dual_privileges_dashboard_only_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_RBAC_USER: {
+    USERNAME: 'a_kibana_rbac_user',
+    PASSWORD: 'password'
+  },
+  KIBANA_RBAC_DASHBOARD_ONLY_USER: {
+    USERNAME: 'a_kibana_rbac_dashboard_only_user',
+    PASSWORD: 'password'
+  }
+};
diff --git a/x-pack/test/rbac_api_integration/apis/saved_objects/update.js b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
new file mode 100644
index 00000000000000..a4a17ba67fd5eb
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/apis/saved_objects/update.js
@@ -0,0 +1,229 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import expect from 'expect.js';
+import { AUTHENTICATION } from './lib/authentication';
+
+export default function ({ getService }) {
+  const supertest = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+
+  describe('update', () => {
+    const expectResults = resp => {
+      // loose uuid validation
+      expect(resp.body).to.have.property('id').match(/^[0-9a-f-]{36}$/);
+
+      // loose ISO8601 UTC time with milliseconds validation
+      expect(resp.body).to.have.property('updated_at').match(/^[\d-]{10}T[\d:\.]{12}Z$/);
+
+      expect(resp.body).to.eql({
+        id: resp.body.id,
+        type: 'visualization',
+        updated_at: resp.body.updated_at,
+        version: 2,
+        attributes: {
+          title: 'My second favorite vis'
+        }
+      });
+    };
+
+    const expectNotFound = resp => {
+      expect(resp.body).eql({
+        statusCode: 404,
+        error: 'Not Found',
+        message: 'Saved object [visualization/not an id] not found'
+      });
+    };
+
+    const expectRbacForbidden = resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        message: `Unable to update visualization, missing action:saved_objects/visualization/update`
+      });
+    };
+
+    const createExpectLegacyForbidden = username => resp => {
+      expect(resp.body).to.eql({
+        statusCode: 403,
+        error: 'Forbidden',
+        //eslint-disable-next-line max-len
+        message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`
+      });
+    };
+
+    const updateTest = (description, { auth, tests }) => {
+      describe(description, () => {
+        before(() => esArchiver.load('saved_objects/basic'));
+        after(() => esArchiver.unload('saved_objects/basic'));
+        it(`should return ${tests.exists.statusCode}`, async () => {
+          await supertest
+            .put(`/api/saved_objects/visualization/dd7caf20-9efd-11e7-acb3-3dab96693fab`)
+            .auth(auth.username, auth.password)
+            .send({
+              attributes: {
+                title: 'My second favorite vis'
+              }
+            })
+            .expect(tests.exists.statusCode)
+            .then(tests.exists.response);
+        });
+
+        describe('unknown id', () => {
+          it(`should return ${tests.doesntExist.statusCode}`, async () => {
+            await supertest
+              .put(`/api/saved_objects/visualization/not an id`)
+              .auth(auth.username, auth.password)
+              .send({
+                attributes: {
+                  title: 'My second favorite vis'
+                }
+              })
+              .expect(tests.doesntExist.statusCode)
+              .then(tests.doesntExist.response);
+          });
+        });
+      });
+    };
+
+    updateTest(`not a kibana user`, {
+      auth: {
+        username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME,
+        password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      }
+    });
+
+    updateTest(`superuser`, {
+      auth: {
+        username: AUTHENTICATION.SUPERUSER.USERNAME,
+        password: AUTHENTICATION.SUPERUSER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest(`kibana legacy user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest(`kibana legacy dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME),
+        },
+      }
+    });
+
+    updateTest(`kibana dual-privileges user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest(`kibana dual-privileges dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      }
+    });
+
+    updateTest(`kibana rbac user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 200,
+          response: expectResults,
+        },
+        doesntExist: {
+          statusCode: 404,
+          response: expectNotFound,
+        },
+      }
+    });
+
+    updateTest(`kibana rbac dashboard only user`, {
+      auth: {
+        username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME,
+        password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD,
+      },
+      tests: {
+        exists: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+        doesntExist: {
+          statusCode: 403,
+          response: expectRbacForbidden,
+        },
+      }
+    });
+
+  });
+}
diff --git a/x-pack/test/rbac_api_integration/config.js b/x-pack/test/rbac_api_integration/config.js
new file mode 100644
index 00000000000000..3ea5546f09cf10
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/config.js
@@ -0,0 +1,63 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import path from 'path';
+import { resolveKibanaPath } from '@kbn/plugin-helpers';
+import { EsProvider } from './services/es';
+
+export default async function ({ readConfigFile }) {
+
+  const config = {
+    kibana: {
+      api: await readConfigFile(resolveKibanaPath('test/api_integration/config.js')),
+      functional: await readConfigFile(require.resolve('../../../test/functional/config.js'))
+    },
+    xpack: {
+      api: await readConfigFile(require.resolve('../api_integration/config.js'))
+    }
+  };
+
+  return {
+    testFiles: [require.resolve('./apis')],
+    servers: config.xpack.api.get('servers'),
+    services: {
+      es: EsProvider,
+      esSupertestWithoutAuth: config.xpack.api.get('services.esSupertestWithoutAuth'),
+      supertest: config.kibana.api.get('services.supertest'),
+      supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'),
+      esArchiver: config.kibana.functional.get('services.esArchiver'),
+      kibanaServer: config.kibana.functional.get('services.kibanaServer'),
+    },
+    junit: {
+      reportName: 'X-Pack RBAC API Integration Tests',
+    },
+
+    // The saved_objects/basic archives are almost an exact replica of the ones in OSS
+    // with the exception of a bogus "not-a-visualization" type that I added to make sure
+    // the find filtering without a type specified worked correctly. Once we have the ability
+    // to specify more granular access to the objects via the Kibana privileges, this should
+    // no longer be necessary, and it's only required as long as we do read/all privileges.
+    esArchiver: {
+      directory: path.join(__dirname, 'fixtures', 'es_archiver')
+    },
+
+    esTestCluster: {
+      ...config.xpack.api.get('esTestCluster'),
+      serverArgs: [
+        ...config.xpack.api.get('esTestCluster.serverArgs'),
+      ],
+    },
+
+    kbnTestServer: {
+      ...config.xpack.api.get('kbnTestServer'),
+      serverArgs: [
+        ...config.xpack.api.get('kbnTestServer.serverArgs'),
+        '--optimize.enabled=false',
+        '--server.xsrf.disableProtection=true',
+      ],
+    },
+  };
+}
diff --git a/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz
new file mode 100644
index 00000000000000..910382479979df
Binary files /dev/null and b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/data.json.gz differ
diff --git a/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
new file mode 100644
index 00000000000000..107a45fab187bc
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/fixtures/es_archiver/saved_objects/basic/mappings.json
@@ -0,0 +1,283 @@
+{
+  "type": "index",
+  "value": {
+    "index": ".kibana",
+    "settings": {
+      "index": {
+        "number_of_shards": "1",
+        "auto_expand_replicas": "0-1",
+        "number_of_replicas": "0"
+      }
+    },
+    "mappings": {
+      "doc": {
+        "dynamic": "strict",
+        "properties": {
+          "config": {
+            "dynamic": "true",
+            "properties": {
+              "buildNum": {
+                "type": "keyword"
+              },
+              "defaultIndex": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 256
+                  }
+                }
+              }
+            }
+          },
+          "dashboard": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "optionsJSON": {
+                "type": "text"
+              },
+              "panelsJSON": {
+                "type": "text"
+              },
+              "refreshInterval": {
+                "properties": {
+                  "display": {
+                    "type": "keyword"
+                  },
+                  "pause": {
+                    "type": "boolean"
+                  },
+                  "section": {
+                    "type": "integer"
+                  },
+                  "value": {
+                    "type": "integer"
+                  }
+                }
+              },
+              "timeFrom": {
+                "type": "keyword"
+              },
+              "timeRestore": {
+                "type": "boolean"
+              },
+              "timeTo": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "graph-workspace": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "numLinks": {
+                "type": "integer"
+              },
+              "numVertices": {
+                "type": "integer"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              },
+              "wsState": {
+                "type": "text"
+              }
+            }
+          },
+          "index-pattern": {
+            "properties": {
+              "fieldFormatMap": {
+                "type": "text"
+              },
+              "fields": {
+                "type": "text"
+              },
+              "intervalName": {
+                "type": "keyword"
+              },
+              "notExpandable": {
+                "type": "boolean"
+              },
+              "sourceFilters": {
+                "type": "text"
+              },
+              "timeFieldName": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              }
+            }
+          },
+          "search": {
+            "properties": {
+              "columns": {
+                "type": "keyword"
+              },
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "sort": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "server": {
+            "properties": {
+              "uuid": {
+                "type": "keyword"
+              }
+            }
+          },
+          "timelion-sheet": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "hits": {
+                "type": "integer"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "timelion_chart_height": {
+                "type": "integer"
+              },
+              "timelion_columns": {
+                "type": "integer"
+              },
+              "timelion_interval": {
+                "type": "keyword"
+              },
+              "timelion_other_interval": {
+                "type": "keyword"
+              },
+              "timelion_rows": {
+                "type": "integer"
+              },
+              "timelion_sheet": {
+                "type": "text"
+              },
+              "title": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              }
+            }
+          },
+          "type": {
+            "type": "keyword"
+          },
+          "updated_at": {
+            "type": "date"
+          },
+          "url": {
+            "properties": {
+              "accessCount": {
+                "type": "long"
+              },
+              "accessDate": {
+                "type": "date"
+              },
+              "createDate": {
+                "type": "date"
+              },
+              "url": {
+                "type": "text",
+                "fields": {
+                  "keyword": {
+                    "type": "keyword",
+                    "ignore_above": 2048
+                  }
+                }
+              }
+            }
+          },
+          "visualization": {
+            "properties": {
+              "description": {
+                "type": "text"
+              },
+              "kibanaSavedObjectMeta": {
+                "properties": {
+                  "searchSourceJSON": {
+                    "type": "text"
+                  }
+                }
+              },
+              "savedSearchId": {
+                "type": "keyword"
+              },
+              "title": {
+                "type": "text"
+              },
+              "uiStateJSON": {
+                "type": "text"
+              },
+              "version": {
+                "type": "integer"
+              },
+              "visState": {
+                "type": "text"
+              }
+            }
+          }
+        }
+      }
+    },
+    "aliases": {}
+  }
+}
\ No newline at end of file
diff --git a/x-pack/test/rbac_api_integration/services/es.js b/x-pack/test/rbac_api_integration/services/es.js
new file mode 100644
index 00000000000000..420541fa7ec5f6
--- /dev/null
+++ b/x-pack/test/rbac_api_integration/services/es.js
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { format as formatUrl } from 'url';
+
+import elasticsearch from 'elasticsearch';
+import shieldPlugin from '../../../server/lib/esjs_shield_plugin';
+
+export function EsProvider({ getService }) {
+  const config = getService('config');
+
+  return new elasticsearch.Client({
+    host: formatUrl(config.get('servers.elasticsearch')),
+    requestTimeout: config.get('timeouts.esRequestTimeout'),
+    plugins: [shieldPlugin]
+  });
+}