diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/index.ts b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/index.ts
index 4bae22bbed368c..5e0695bd3e305a 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/index.ts
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/index.ts
@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export { useCapabilities } from './use_capabilities';
 export { useCore, CoreContext } from './use_core';
 export { useConfig, ConfigContext } from './use_config';
 export { useSetupDeps, useStartDeps, DepsContext } from './use_deps';
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/use_capabilities.ts b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/use_capabilities.ts
new file mode 100644
index 00000000000000..0a16c4a62a7d1f
--- /dev/null
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/use_capabilities.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { useCore } from './';
+
+export function useCapabilities() {
+  const core = useCore();
+  return core.application.capabilities.ingestManager;
+}
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/create_datasource_page/step_select_config.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/create_datasource_page/step_select_config.tsx
index e3209c8c12640e..2ddfc170069a1e 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/create_datasource_page/step_select_config.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/create_datasource_page/step_select_config.tsx
@@ -18,7 +18,7 @@ import {
 } from '@elastic/eui';
 import { Error } from '../../../components';
 import { AGENT_CONFIG_PATH } from '../../../constants';
-import { useLink } from '../../../hooks';
+import { useCapabilities, useLink } from '../../../hooks';
 import { AgentConfig, PackageInfo, GetAgentConfigsResponseItem } from '../../../types';
 import { useGetPackageInfoByKey, useGetAgentConfigs, sendGetOneAgentConfig } from '../../../hooks';
 
@@ -30,6 +30,7 @@ export const StepSelectConfig: React.FunctionComponent<{
   cancelUrl: string;
   onNext: () => void;
 }> = ({ pkgkey, updatePackageInfo, agentConfig, updateAgentConfig, cancelUrl, onNext }) => {
+  const hasWriteCapabilites = useCapabilities().write;
   // Selected config state
   const [selectedConfigId, setSelectedConfigId] = useState<string | undefined>(
     agentConfig ? agentConfig.id : undefined
@@ -134,7 +135,12 @@ export const StepSelectConfig: React.FunctionComponent<{
             </EuiTitle>
           </EuiFlexItem>
           <EuiFlexItem grow={false}>
-            <EuiButtonEmpty iconType="plusInCircle" href={CREATE_NEW_CONFIG_URI} size="s">
+            <EuiButtonEmpty
+              isDisabled={!hasWriteCapabilites}
+              iconType="plusInCircle"
+              href={CREATE_NEW_CONFIG_URI}
+              size="s"
+            >
               <FormattedMessage
                 id="xpack.ingestManager.createDatasource.StepSelectConfig.createNewConfigButtonText"
                 defaultMessage="Create new configuration"
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/details_page/index.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/details_page/index.tsx
index 5bc180be8e6767..6f72977cb333f1 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/details_page/index.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/details_page/index.tsx
@@ -24,7 +24,7 @@ import {
 } from '@elastic/eui';
 import { Props as EuiTabProps } from '@elastic/eui/src/components/tabs/tab';
 import styled from 'styled-components';
-import { useGetOneAgentConfig } from '../../../hooks';
+import { useCapabilities, useGetOneAgentConfig } from '../../../hooks';
 import { Datasource } from '../../../types';
 import { Loading } from '../../../components';
 import { WithHeaderLayout } from '../../../layouts';
@@ -57,6 +57,7 @@ export const AgentConfigDetailsLayout: React.FunctionComponent = () => {
   const {
     params: { configId, tabId = '' },
   } = useRouteMatch<{ configId: string; tabId?: string }>();
+  const hasWriteCapabilites = useCapabilities().write;
   const agentConfigRequest = useGetOneAgentConfig(configId);
   const agentConfig = agentConfigRequest.data ? agentConfigRequest.data.item : null;
   const { isLoading, error, sendRequest: refreshAgentConfig } = agentConfigRequest;
@@ -318,7 +319,12 @@ export const AgentConfigDetailsLayout: React.FunctionComponent = () => {
                             </h2>
                           }
                           actions={
-                            <EuiButton fill iconType="plusInCircle" href={URI.ADD_DATASOURCE}>
+                            <EuiButton
+                              isDisabled={!hasWriteCapabilites}
+                              fill
+                              iconType="plusInCircle"
+                              href={URI.ADD_DATASOURCE}
+                            >
                               <FormattedMessage
                                 id="xpack.ingestManager.configDetails.addDatasourceButtonText"
                                 defaultMessage="Create data source"
@@ -330,7 +336,11 @@ export const AgentConfigDetailsLayout: React.FunctionComponent = () => {
                     }
                     search={{
                       toolsRight: [
-                        <EuiButton iconType="plusInCircle" href={URI.ADD_DATASOURCE}>
+                        <EuiButton
+                          isDisabled={!hasWriteCapabilites}
+                          iconType="plusInCircle"
+                          href={URI.ADD_DATASOURCE}
+                        >
                           <FormattedMessage
                             id="xpack.ingestManager.configDetails.addDatasourceButtonText"
                             defaultMessage="Create data source"
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/components/create_config.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/components/create_config.tsx
index 7e4791272a58f8..5da9352ee85263 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/components/create_config.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/components/create_config.tsx
@@ -27,7 +27,7 @@ interface Props {
 }
 
 export const CreateAgentConfigFlyout: React.FunctionComponent<Props> = ({ onClose }) => {
-  const { notifications } = useCore();
+  const { application, notifications } = useCore();
 
   const [agentConfig, setAgentConfig] = useState<NewAgentConfig>({
     name: '',
@@ -93,7 +93,11 @@ export const CreateAgentConfigFlyout: React.FunctionComponent<Props> = ({ onClos
           <EuiButton
             fill
             isLoading={isLoading}
-            disabled={isLoading || Object.keys(validation).length > 0}
+            isDisabled={
+              !application.capabilities.ingestManager.write ||
+              isLoading ||
+              Object.keys(validation).length > 0
+            }
             onClick={async () => {
               setIsLoading(true);
               try {
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/index.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/index.tsx
index be32972622618a..49399be092a894 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/index.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/agent_config/list_page/index.tsx
@@ -33,6 +33,7 @@ import {
 } from '../../../constants';
 import { WithHeaderLayout } from '../../../layouts';
 import {
+  useCapabilities,
   useGetAgentConfigs,
   usePagination,
   useLink,
@@ -87,6 +88,7 @@ const DangerEuiContextMenuItem = styled(EuiContextMenuItem)`
 
 const RowActions = React.memo<{ config: AgentConfig; onDelete: () => void }>(
   ({ config, onDelete }) => {
+    const hasWriteCapabilites = useCapabilities().write;
     const DETAILS_URI = useLink(`${AGENT_CONFIG_DETAILS_PATH}${config.id}`);
     const ADD_DATASOURCE_URI = `${DETAILS_URI}/add-datasource`;
 
@@ -120,6 +122,7 @@ const RowActions = React.memo<{ config: AgentConfig; onDelete: () => void }>(
             </EuiContextMenuItem>,
 
             <EuiContextMenuItem
+              disabled={!hasWriteCapabilites}
               icon="plusInCircle"
               href={ADD_DATASOURCE_URI}
               key="createDataSource"
@@ -130,7 +133,7 @@ const RowActions = React.memo<{ config: AgentConfig; onDelete: () => void }>(
               />
             </EuiContextMenuItem>,
 
-            <EuiContextMenuItem icon="copy" disabled={true} key="copyConfig">
+            <EuiContextMenuItem disabled={true} icon="copy" key="copyConfig">
               <FormattedMessage
                 id="xpack.ingestManager.agentConfigList.copyConfigActionText"
                 defaultMessage="Copy configuration"
@@ -162,6 +165,7 @@ const RowActions = React.memo<{ config: AgentConfig; onDelete: () => void }>(
 
 export const AgentConfigListPage: React.FunctionComponent<{}> = () => {
   // Config information
+  const hasWriteCapabilites = useCapabilities().write;
   const {
     fleet: { enabled: isFleetEnabled },
   } = useConfig();
@@ -309,6 +313,7 @@ export const AgentConfigListPage: React.FunctionComponent<{}> = () => {
       <EuiButton
         fill
         iconType="plusInCircle"
+        isDisabled={!hasWriteCapabilites}
         onClick={() => setIsCreateAgentConfigFlyoutOpen(true)}
       >
         <FormattedMessage
@@ -317,7 +322,7 @@ export const AgentConfigListPage: React.FunctionComponent<{}> = () => {
         />
       </EuiButton>
     ),
-    [setIsCreateAgentConfigFlyoutOpen]
+    [hasWriteCapabilites, setIsCreateAgentConfigFlyoutOpen]
   );
 
   const emptyPrompt = useMemo(
@@ -331,10 +336,10 @@ export const AgentConfigListPage: React.FunctionComponent<{}> = () => {
             />
           </h2>
         }
-        actions={createAgentConfigButton}
+        actions={hasWriteCapabilites ?? createAgentConfigButton}
       />
     ),
-    [createAgentConfigButton]
+    [hasWriteCapabilites, createAgentConfigButton]
   );
 
   return (
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/header.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/header.tsx
index c1fded46eeedb9..5a51515d494865 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/header.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/header.tsx
@@ -9,7 +9,7 @@ import { FormattedMessage } from '@kbn/i18n/react';
 import { EuiFlexGroup, EuiFlexItem, EuiPage, EuiTitle, IconType, EuiButton } from '@elastic/eui';
 import { PackageInfo } from '../../../../types';
 import { EPM_PATH } from '../../../../constants';
-import { useLink } from '../../../../hooks';
+import { useCapabilities, useLink } from '../../../../hooks';
 import { IconPanel } from '../../components/icon_panel';
 import { NavButtonBack } from '../../components/nav_button_back';
 import { Version } from '../../components/version';
@@ -34,6 +34,7 @@ type HeaderProps = PackageInfo & { iconType?: IconType };
 
 export function Header(props: HeaderProps) {
   const { iconType, name, title, version } = props;
+  const hasWriteCapabilites = useCapabilities().write;
   const { toListView } = useLinks();
   // useBreadcrumbs([{ text: PLUGIN.TITLE, href: toListView() }, { text: title }]);
 
@@ -61,7 +62,11 @@ export function Header(props: HeaderProps) {
         <RightColumn>
           <EuiFlexGroup justifyContent="flexEnd">
             <EuiFlexItem grow={false}>
-              <EuiButton iconType="plusInCircle" href={ADD_DATASOURCE_URI}>
+              <EuiButton
+                isDisabled={!hasWriteCapabilites}
+                iconType="plusInCircle"
+                href={ADD_DATASOURCE_URI}
+              >
                 <FormattedMessage
                   id="xpack.ingestManager.epm.addDatasourceButtonText"
                   defaultMessage="Create data source"
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/installation_button.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/installation_button.tsx
index ba9ed9082f041f..8a8afed5570ed9 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/installation_button.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/epm/screens/detail/installation_button.tsx
@@ -6,6 +6,7 @@
 import { EuiButton } from '@elastic/eui';
 import React, { Fragment, useCallback, useMemo, useState } from 'react';
 import { PackageInfo, InstallStatus } from '../../../../types';
+import { useCapabilities } from '../../../../hooks';
 import { useDeletePackage, useGetPackageInstallStatus, useInstallPackage } from '../../hooks';
 import { ConfirmPackageDelete } from './confirm_package_delete';
 import { ConfirmPackageInstall } from './confirm_package_install';
@@ -16,6 +17,7 @@ interface InstallationButtonProps {
 
 export function InstallationButton(props: InstallationButtonProps) {
   const { assets, name, title, version } = props.package;
+  const hasWriteCapabilites = useCapabilities().write;
   const installPackage = useInstallPackage();
   const deletePackage = useDeletePackage();
   const getPackageInstallStatus = useGetPackageInstallStatus();
@@ -86,10 +88,10 @@ export function InstallationButton(props: InstallationButtonProps) {
     />
   );
 
-  return (
+  return hasWriteCapabilites ? (
     <Fragment>
       {isInstalled ? installedButton : installButton}
       {isModalVisible && (isInstalled ? deletionModal : installationModal)}
     </Fragment>
-  );
+  ) : null;
 }
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_details_page/components/details_section.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_details_page/components/details_section.tsx
index e6edeb76f183c9..0844368dc214bd 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_details_page/components/details_section.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_details_page/components/details_section.tsx
@@ -24,7 +24,7 @@ import { useAgentRefresh } from '../hooks';
 import { AgentMetadataFlyout } from './metadata_flyout';
 import { Agent } from '../../../../types';
 import { AgentHealth } from '../../components/agent_health';
-import { useGetOneAgentConfig } from '../../../../hooks';
+import { useCapabilities, useGetOneAgentConfig } from '../../../../hooks';
 import { Loading } from '../../../../components';
 import { ConnectedLink } from '../../components';
 import { AgentUnenrollProvider } from '../../components/agent_unenroll_provider';
@@ -53,6 +53,7 @@ interface Props {
   agent: Agent;
 }
 export const AgentDetailSection: React.FunctionComponent<Props> = ({ agent }) => {
+  const hasWriteCapabilites = useCapabilities().write;
   const metadataFlyout = useFlyout();
   const refreshAgent = useAgentRefresh();
 
@@ -125,7 +126,7 @@ export const AgentDetailSection: React.FunctionComponent<Props> = ({ agent }) =>
           <AgentUnenrollProvider>
             {unenrollAgentsPrompt => (
               <EuiButton
-                disabled={!agent.active}
+                disabled={!hasWriteCapabilites || !agent.active}
                 onClick={() => {
                   unenrollAgentsPrompt([agent.id], 1, refreshAgent);
                 }}
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/components/enrollment_api_keys/index.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/components/enrollment_api_keys/index.tsx
index ed564b6f80bf85..19957e7827680b 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/components/enrollment_api_keys/index.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/components/enrollment_api_keys/index.tsx
@@ -12,6 +12,7 @@ import { useEnrollmentApiKeys, useEnrollmentApiKey } from './hooks';
 import { ConfirmDeleteModal } from './confirm_delete_modal';
 import { CreateApiKeyForm } from './create_api_key_form';
 import { EnrollmentAPIKey } from '../../../../../types';
+import { useCapabilities } from '../../../../../hooks';
 import { enrollmentAPIKeyRouteService } from '../../../../../services';
 export { useEnrollmentApiKeys, useEnrollmentApiKey } from './hooks';
 
@@ -98,13 +99,14 @@ export const EnrollmentApiKeysTable: React.FunctionComponent<{
 export const CreateApiKeyButton: React.FunctionComponent<{ onChange: () => void }> = ({
   onChange,
 }) => {
+  const hasWriteCapabilites = useCapabilities().write;
   const [isOpen, setIsOpen] = React.useState(false);
 
   return (
     <EuiPopover
       ownFocus
       button={
-        <EuiLink onClick={() => setIsOpen(true)} color="primary">
+        <EuiLink disabled={!hasWriteCapabilites} onClick={() => setIsOpen(true)} color="primary">
           <FormattedMessage
             id="xpack.ingestManager.enrollmentApiKeyList.createNewButton"
             defaultMessage="Create a new key"
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/index.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/index.tsx
index 83b1a7661414c9..acf09dedc25f75 100644
--- a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/index.tsx
+++ b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/sections/fleet/agent_list_page/index.tsx
@@ -34,7 +34,7 @@ import { WithHeaderLayout } from '../../../layouts';
 import { Agent } from '../../../types';
 import {
   usePagination,
-  useCore,
+  useCapabilities,
   useGetAgentConfigs,
   useGetAgents,
   useUrlParams,
@@ -85,6 +85,7 @@ const statusFilters = [
 ] as Array<{ label: string; status: string }>;
 
 const RowActions = React.memo<{ agent: Agent; refresh: () => void }>(({ agent, refresh }) => {
+  const hasWriteCapabilites = useCapabilities().write;
   const DETAILS_URI = useLink(FLEET_AGENT_DETAIL_PATH);
   const [isOpen, setIsOpen] = useState(false);
   const handleCloseMenu = useCallback(() => setIsOpen(false), [setIsOpen]);
@@ -118,6 +119,7 @@ const RowActions = React.memo<{ agent: Agent; refresh: () => void }>(({ agent, r
           <AgentUnenrollProvider>
             {unenrollAgentsPrompt => (
               <EuiContextMenuItem
+                disabled={!hasWriteCapabilites}
                 icon="cross"
                 onClick={() => {
                   unenrollAgentsPrompt([agent.id], 1, () => {
@@ -140,7 +142,7 @@ const RowActions = React.memo<{ agent: Agent; refresh: () => void }>(({ agent, r
 
 export const AgentListPage: React.FunctionComponent<{}> = () => {
   const defaultKuery: string = (useUrlParams().urlParams.kuery as string) || '';
-  const core = useCore();
+  const hasWriteCapabilites = useCapabilities().write;
   // Agent data states
   const [showInactive, setShowInactive] = useState<boolean>(false);
 
@@ -363,7 +365,7 @@ export const AgentListPage: React.FunctionComponent<{}> = () => {
         </h2>
       }
       actions={
-        core.application.capabilities.ingestManager.write ? (
+        hasWriteCapabilites ? (
           <EuiButton fill iconType="plusInCircle" onClick={() => setIsEnrollmentFlyoutOpen(true)}>
             <FormattedMessage
               id="xpack.ingestManager.agentList.addButton"
@@ -432,7 +434,7 @@ export const AgentListPage: React.FunctionComponent<{}> = () => {
           })}
         />
       </EuiFlexItem>
-      {core.application.capabilities.ingestManager.write && (
+      {hasWriteCapabilites && (
         <>
           <EuiFlexItem grow={false}>
             <Divider />
diff --git a/x-pack/plugins/ingest_manager/server/plugin.ts b/x-pack/plugins/ingest_manager/server/plugin.ts
index 2bd7395135433b..c162ea5fadabe8 100644
--- a/x-pack/plugins/ingest_manager/server/plugin.ts
+++ b/x-pack/plugins/ingest_manager/server/plugin.ts
@@ -18,6 +18,10 @@ import { SecurityPluginSetup } from '../../security/server';
 import { PluginSetupContract as FeaturesPluginSetup } from '../../features/server';
 import {
   PLUGIN_ID,
+  OUTPUT_SAVED_OBJECT_TYPE,
+  AGENT_CONFIG_SAVED_OBJECT_TYPE,
+  DATASOURCE_SAVED_OBJECT_TYPE,
+  PACKAGES_SAVED_OBJECT_TYPE,
   AGENT_SAVED_OBJECT_TYPE,
   AGENT_EVENT_SAVED_OBJECT_TYPE,
   ENROLLMENT_API_KEYS_SAVED_OBJECT_TYPE,
@@ -49,6 +53,16 @@ export interface IngestManagerAppContext {
   savedObjects: SavedObjectsServiceStart;
 }
 
+const allSavedObjectTypes = [
+  OUTPUT_SAVED_OBJECT_TYPE,
+  AGENT_CONFIG_SAVED_OBJECT_TYPE,
+  DATASOURCE_SAVED_OBJECT_TYPE,
+  PACKAGES_SAVED_OBJECT_TYPE,
+  AGENT_SAVED_OBJECT_TYPE,
+  AGENT_EVENT_SAVED_OBJECT_TYPE,
+  ENROLLMENT_API_KEYS_SAVED_OBJECT_TYPE,
+];
+
 export class IngestManagerPlugin implements Plugin {
   private config$: Observable<IngestManagerConfigType>;
   private security: SecurityPluginSetup | undefined;
@@ -73,26 +87,18 @@ export class IngestManagerPlugin implements Plugin {
         app: [PLUGIN_ID, 'kibana'],
         privileges: {
           all: {
-            api: [PLUGIN_ID],
+            api: [`${PLUGIN_ID}-read`, `${PLUGIN_ID}-all`],
             savedObject: {
-              all: [
-                AGENT_SAVED_OBJECT_TYPE,
-                AGENT_EVENT_SAVED_OBJECT_TYPE,
-                ENROLLMENT_API_KEYS_SAVED_OBJECT_TYPE,
-              ],
+              all: allSavedObjectTypes,
               read: [],
             },
             ui: ['show', 'read', 'write'],
           },
           read: {
-            api: [PLUGIN_ID],
+            api: [`${PLUGIN_ID}-read`],
             savedObject: {
               all: [],
-              read: [
-                AGENT_SAVED_OBJECT_TYPE,
-                AGENT_EVENT_SAVED_OBJECT_TYPE,
-                ENROLLMENT_API_KEYS_SAVED_OBJECT_TYPE,
-              ],
+              read: allSavedObjectTypes,
             },
             ui: ['show', 'read'],
           },
diff --git a/x-pack/plugins/ingest_manager/server/routes/agent/index.ts b/x-pack/plugins/ingest_manager/server/routes/agent/index.ts
index a23a9fa62adbe6..8a65fa9c50e8b3 100644
--- a/x-pack/plugins/ingest_manager/server/routes/agent/index.ts
+++ b/x-pack/plugins/ingest_manager/server/routes/agent/index.ts
@@ -42,7 +42,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.INFO_PATTERN,
       validate: GetOneAgentRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentHandler
   );
@@ -51,7 +51,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.UPDATE_PATTERN,
       validate: UpdateAgentRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     updateAgentHandler
   );
@@ -60,7 +60,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.DELETE_PATTERN,
       validate: DeleteAgentRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deleteAgentHandler
   );
@@ -69,7 +69,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.LIST_PATTERN,
       validate: GetAgentsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentsHandler
   );
@@ -108,7 +108,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.UNENROLL_PATTERN,
       validate: PostAgentUnenrollRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     postAgentsUnenrollHandler
   );
@@ -118,7 +118,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.EVENTS_PATTERN,
       validate: GetOneAgentEventsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentEventsHandler
   );
@@ -128,7 +128,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.STATUS_PATTERN,
       validate: GetAgentStatusRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentStatusForConfigHandler
   );
diff --git a/x-pack/plugins/ingest_manager/server/routes/agent_config/index.ts b/x-pack/plugins/ingest_manager/server/routes/agent_config/index.ts
index 9481adbbac1953..c3b3c00a9574cd 100644
--- a/x-pack/plugins/ingest_manager/server/routes/agent_config/index.ts
+++ b/x-pack/plugins/ingest_manager/server/routes/agent_config/index.ts
@@ -28,7 +28,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.LIST_PATTERN,
       validate: GetAgentConfigsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentConfigsHandler
   );
@@ -38,7 +38,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.INFO_PATTERN,
       validate: GetOneAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getOneAgentConfigHandler
   );
@@ -48,7 +48,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.CREATE_PATTERN,
       validate: CreateAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     createAgentConfigHandler
   );
@@ -58,7 +58,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.UPDATE_PATTERN,
       validate: UpdateAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     updateAgentConfigHandler
   );
@@ -68,7 +68,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.DELETE_PATTERN,
       validate: DeleteAgentConfigsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deleteAgentConfigsHandler
   );
@@ -78,7 +78,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.FULL_INFO_PATTERN,
       validate: GetFullAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getFullAgentConfig
   );
diff --git a/x-pack/plugins/ingest_manager/server/routes/datasource/index.ts b/x-pack/plugins/ingest_manager/server/routes/datasource/index.ts
index 70ab0027a6907d..412eb17c6d45a3 100644
--- a/x-pack/plugins/ingest_manager/server/routes/datasource/index.ts
+++ b/x-pack/plugins/ingest_manager/server/routes/datasource/index.ts
@@ -24,7 +24,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.LIST_PATTERN,
       validate: GetDatasourcesRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getDatasourcesHandler
   );
@@ -34,7 +34,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.INFO_PATTERN,
       validate: GetOneDatasourceRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getOneDatasourceHandler
   );
@@ -44,7 +44,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.CREATE_PATTERN,
       validate: CreateDatasourceRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     createDatasourceHandler
   );
@@ -54,7 +54,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.UPDATE_PATTERN,
       validate: UpdateDatasourceRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     updateDatasourceHandler
   );
diff --git a/x-pack/plugins/ingest_manager/server/routes/enrollment_api_key/index.ts b/x-pack/plugins/ingest_manager/server/routes/enrollment_api_key/index.ts
index 8d04333b4a5425..6df5299d30bd44 100644
--- a/x-pack/plugins/ingest_manager/server/routes/enrollment_api_key/index.ts
+++ b/x-pack/plugins/ingest_manager/server/routes/enrollment_api_key/index.ts
@@ -23,7 +23,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.INFO_PATTERN,
       validate: GetOneEnrollmentAPIKeyRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getOneEnrollmentApiKeyHandler
   );
@@ -32,7 +32,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.DELETE_PATTERN,
       validate: DeleteEnrollmentAPIKeyRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deleteEnrollmentApiKeyHandler
   );
@@ -41,7 +41,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.LIST_PATTERN,
       validate: GetEnrollmentAPIKeysRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getEnrollmentApiKeysHandler
   );
@@ -50,7 +50,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.CREATE_PATTERN,
       validate: PostEnrollmentAPIKeyRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     postEnrollmentApiKeyHandler
   );
diff --git a/x-pack/plugins/ingest_manager/server/routes/epm/index.ts b/x-pack/plugins/ingest_manager/server/routes/epm/index.ts
index 49d9242e67f722..cb9ec5cc532c49 100644
--- a/x-pack/plugins/ingest_manager/server/routes/epm/index.ts
+++ b/x-pack/plugins/ingest_manager/server/routes/epm/index.ts
@@ -26,7 +26,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.CATEGORIES_PATTERN,
       validate: false,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getCategoriesHandler
   );
@@ -35,7 +35,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.LIST_PATTERN,
       validate: GetPackagesRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getListHandler
   );
@@ -44,7 +44,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.FILEPATH_PATTERN,
       validate: GetFileRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getFileHandler
   );
@@ -53,7 +53,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.INFO_PATTERN,
       validate: GetInfoRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getInfoHandler
   );
@@ -62,7 +62,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.INSTALL_PATTERN,
       validate: InstallPackageRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     installPackageHandler
   );
@@ -71,7 +71,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.DELETE_PATTERN,
       validate: DeletePackageRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deletePackageHandler
   );
diff --git a/x-pack/plugins/ingest_manager/server/routes/setup/index.ts b/x-pack/plugins/ingest_manager/server/routes/setup/index.ts
index a335265c011607..7e09d8dbef1f65 100644
--- a/x-pack/plugins/ingest_manager/server/routes/setup/index.ts
+++ b/x-pack/plugins/ingest_manager/server/routes/setup/index.ts
@@ -18,7 +18,9 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: SETUP_API_ROUTE,
       validate: false,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      // if this route is set to `-all`, a read-only user get a 404 for this route
+      // and will see `Unable to initialize Ingest Manager` in the UI
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     ingestManagerSetupHandler
   );
@@ -27,7 +29,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: FLEET_SETUP_API_ROUTES.INFO_PATTERN,
       validate: GetFleetSetupRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getFleetSetupHandler
   );
@@ -37,7 +39,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: FLEET_SETUP_API_ROUTES.CREATE_PATTERN,
       validate: CreateFleetSetupRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     createFleetSetupHandler
   );
diff --git a/x-pack/test/api_integration/apis/fleet/delete_agent.ts b/x-pack/test/api_integration/apis/fleet/delete_agent.ts
index 5cb069ab22aba5..bddfcfbf6715ec 100644
--- a/x-pack/test/api_integration/apis/fleet/delete_agent.ts
+++ b/x-pack/test/api_integration/apis/fleet/delete_agent.ts
@@ -65,7 +65,7 @@ export default function({ getService }: FtrProviderContext) {
         .delete(`/api/ingest_manager/fleet/agents/agent1`)
         .auth(users.fleet_user.username, users.fleet_user.password)
         .set('kbn-xsrf', 'xx')
-        .expect(403);
+        .expect(404);
 
       expect(apiResponse).not.to.eql({
         success: true,