diff --git a/plugin/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java b/plugin/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
index c3a8282e24d..a8436d00cd6 100644
--- a/plugin/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
+++ b/plugin/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
@@ -24,10 +24,12 @@ import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.index.query.QueryBuilder;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.indices.IndicesRequestCache;
+import org.elasticsearch.join.ParentJoinPlugin;
+import org.elasticsearch.join.aggregations.Children;
+import org.elasticsearch.join.aggregations.JoinAggregationBuilders;
+import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.search.aggregations.AggregationBuilders;
-import org.elasticsearch.join.aggregations.JoinAggregationBuilders;
-import org.elasticsearch.join.aggregations.Children;
 import org.elasticsearch.search.aggregations.bucket.global.Global;
 import org.elasticsearch.search.aggregations.bucket.terms.Terms;
 import org.elasticsearch.search.sort.SortBuilders;
@@ -37,12 +39,12 @@ import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.elasticsearch.xpack.XPackSettings;
 import org.elasticsearch.xpack.security.authc.support.Hasher;
-import org.elasticsearch.plugins.Plugin;
-import org.elasticsearch.join.ParentJoinPlugin;
 
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
 
 import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery;
@@ -634,7 +636,7 @@ public class DocumentLevelSecurityTests extends SecurityIntegTestCase {
         assertThat(termsAgg.getBuckets().size(), equalTo(0));
     }
 
-    public void testParentChild() {
+    public void testParentChild_parentField() {
         assertAcked(prepareCreate("test")
                 .setSettings("mapping.single_type", false)
                 .addMapping("parent")
@@ -647,7 +649,35 @@ public class DocumentLevelSecurityTests extends SecurityIntegTestCase {
         client().prepareIndex("test", "child", "c2").setSource("field2", "value2").setParent("p1").get();
         client().prepareIndex("test", "child", "c3").setSource("field3", "value3").setParent("p1").get();
         refresh();
+        verifyParentChild();
+    }
 
+    public void testParentChild_joinField() {
+        assertAcked(prepareCreate("test")
+                .addMapping("doc", "join_field", "type=join,parent=child", "field1", "type=text", "field2", "type=text",
+                        "field3", "type=text"));
+        ensureGreen();
+
+        // index simple data
+        client().prepareIndex("test", "doc", "p1").setSource("join_field", "parent", "field1", "value1").get();
+
+        Map<String, Object> source = new HashMap<>();
+        source.put("field2", "value2");
+        Map<String, Object> joinField = new HashMap<>();
+        joinField.put("name", "child");
+        joinField.put("parent", "p1");
+        source.put("join_field", joinField);
+        client().prepareIndex("test", "doc", "c1").setSource(source).setRouting("p1").get();
+        client().prepareIndex("test", "doc", "c2").setSource(source).setRouting("p1").get();
+        source = new HashMap<>();
+        source.put("field3", "value3");
+        source.put("join_field", joinField);
+        client().prepareIndex("test", "doc", "c3").setSource(source).setRouting("p1").get();
+        refresh();
+        verifyParentChild();
+    }
+
+    private void verifyParentChild() {
         SearchResponse searchResponse = client().prepareSearch("test")
                 .setQuery(hasChildQuery("child", matchAllQuery(), ScoreMode.None))
                 .get();
diff --git a/plugin/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/plugin/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index 1c2ee0ef653..86fe3056617 100644
--- a/plugin/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/plugin/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -26,21 +26,23 @@ import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.indices.IndicesRequestCache;
+import org.elasticsearch.join.ParentJoinPlugin;
+import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.search.aggregations.AggregationBuilders;
 import org.elasticsearch.search.aggregations.bucket.terms.Terms;
 import org.elasticsearch.search.sort.SortOrder;
+import org.elasticsearch.test.ESIntegTestCase;
+import org.elasticsearch.test.SecurityIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.elasticsearch.xpack.XPackSettings;
 import org.elasticsearch.xpack.security.authc.support.Hasher;
-import org.elasticsearch.test.ESIntegTestCase;
-import org.elasticsearch.test.SecurityIntegTestCase;
-import org.elasticsearch.plugins.Plugin;
-import org.elasticsearch.join.ParentJoinPlugin;
 
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
 
 import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.constantScoreQuery;
@@ -48,11 +50,11 @@ import static org.elasticsearch.index.query.QueryBuilders.existsQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
 import static org.elasticsearch.index.query.QueryBuilders.termQuery;
 import static org.elasticsearch.join.query.JoinQueryBuilders.hasChildQuery;
-import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
-import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFailures;
+import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
+import static org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
@@ -113,7 +115,7 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
                 "      - names: '*'\n" +
                 "        privileges: [ ALL ]\n" +
                 "        field_security:\n" +
-                "           grant: [ field1 ]\n" +
+                "           grant: [ field1, join_field* ]\n" +
                 "role3:\n" +
                 "  cluster: [ all ]\n" +
                 "  indices:\n" +
@@ -1293,7 +1295,7 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         assertThat(response.getResponses()[0].getResponse().getFields().terms("field2").size(), equalTo(1L));
     }
 
-    public void testParentChild() {
+    public void testParentChild_parentField() {
         assertAcked(prepareCreate("test")
                 .setSettings("mapping.single_type", false)
                 .addMapping("parent")
@@ -1305,7 +1307,32 @@ public class FieldLevelSecurityTests extends SecurityIntegTestCase {
         client().prepareIndex("test", "child", "c1").setSource("field1", "red").setParent("p1").get();
         client().prepareIndex("test", "child", "c2").setSource("field1", "yellow").setParent("p1").get();
         refresh();
+        verifyParentChild();
+    }
 
+    public void testParentChild_joinField() {
+        assertAcked(prepareCreate("test")
+                .addMapping("doc", "join_field", "type=join,parent=child"));
+        ensureGreen();
+
+        // index simple data
+        client().prepareIndex("test", "doc", "p1").setSource("join_field", "parent").get();
+        Map<String, Object> source = new HashMap<>();
+        source.put("field1", "red");
+        Map<String, Object> joinField = new HashMap<>();
+        joinField.put("name", "child");
+        joinField.put("parent", "p1");
+        source.put("join_field", joinField);
+        client().prepareIndex("test", "doc", "c1").setSource(source).setRouting("p1").get();
+        source = new HashMap<>();
+        source.put("field1", "yellow");
+        source.put("join_field", joinField);
+        client().prepareIndex("test", "doc", "c2").setSource(source).setRouting("p1").get();
+        refresh();
+        verifyParentChild();
+    }
+
+    private void verifyParentChild() {
         SearchResponse searchResponse = client()
                 .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
                 .prepareSearch("test")