diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java
index 28ebf053702..a44c990ab80 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java
@@ -10,7 +10,6 @@ import java.util.Collection;
 import java.util.Collections;
 import org.elasticsearch.action.ActionModule;
-import org.elasticsearch.action.search.SearchAction;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.network.NetworkModule;
@@ -23,8 +22,6 @@ import org.elasticsearch.graph.license.GraphLicensee;
 import org.elasticsearch.graph.license.GraphModule;
 import org.elasticsearch.graph.rest.action.RestGraphAction;
 import org.elasticsearch.plugins.Plugin;
-import org.elasticsearch.search.action.SearchTransportService;
-import org.elasticsearch.shield.Shield;
 import org.elasticsearch.xpack.XPackPlugin;
 public class Graph extends Plugin {
@@ -37,11 +34,6 @@ public class Graph extends Plugin {
 public Graph(Settings settings) {
 this.transportClientMode = XPackPlugin.transportClientMode(settings);
 enabled = enabled(settings);
- // adding the graph privileges to shield
- if (Shield.enabled(settings)) {
- Shield.registerIndexPrivilege( "graph", GraphExploreAction.NAME, SearchTransportService.QUERY_ACTION_NAME,
- SearchAction.NAME, SearchTransportService.QUERY_FETCH_ACTION_NAME);
- }
 }
 @Override
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java
index 4c0ce5a3c8a..f5b41c6742b 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java
@@ -290,30 +290,6 @@ public class Shield { } } - public static void registerClusterPrivilege(String name, String... patterns) { - try { - ClusterPrivilege.addCustom(name, patterns); - } catch (Exception se) { - logger.warn("could not register cluster privilege [{}]", name); - - // we need to prevent bubbling the shield exception here for the tests. In the tests - // we create multiple nodes in the same jvm and since the custom cluster is a static binding - // multiple nodes will try to add the same privileges multiple times. - } - } - - public static void registerIndexPrivilege(String name, String... patterns) { - try { - IndexPrivilege.addCustom(name, patterns); - } catch (Exception se) { - logger.warn("could not register index privilege [{}]", name); - - // we need to prevent bubbling the shield exception here for the tests. In the tests - // we create multiple nodes in the same jvm and since the custom cluster is a static binding - // multiple nodes will try to add the same privileges multiple times. - } - } - private void addUserSettings(Settings.Builder settingsBuilder) { String authHeaderSettingName = ThreadContext.PREFIX + "." + UsernamePasswordToken.BASIC_AUTH_HEADER; if (settings.get(authHeaderSettingName) != null) { diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java index 637c7db61f1..f683ca76d20 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java 
@@ -7,6 +7,7 @@ package org.elasticsearch.shield.authz.privilege; import dk.brics.automaton.Automaton; import org.elasticsearch.common.Strings; +import org.elasticsearch.license.plugin.action.get.GetLicenseAction; import org.elasticsearch.shield.action.realm.ClearRealmCacheAction; import org.elasticsearch.shield.action.role.ClearRolesCacheAction; import org.elasticsearch.shield.support.Automatons; @@ -17,7 +18,6 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.CopyOnWriteArraySet; import java.util.function.Predicate; -import static org.elasticsearch.shield.support.Automatons.minusAndDeterminize; import static org.elasticsearch.shield.support.Automatons.patterns; /** @@ -29,16 +29,17 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege ACTION_MATCHER = ClusterPrivilege.ALL.predicate(); @@ -62,6 +65,8 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege values() { diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java index 603be891a4e..96ebbb95478 100644 --- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java +++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java 
@@ -19,7 +19,10 @@ import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsAction; import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction; import org.elasticsearch.action.admin.indices.settings.get.GetSettingsAction; import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryAction; +import org.elasticsearch.action.search.SearchAction; import org.elasticsearch.common.Strings; +import org.elasticsearch.graph.action.GraphExploreAction; +import org.elasticsearch.search.action.SearchTransportService; import org.elasticsearch.shield.support.Automatons; import java.util.Locale; @@ -50,6 +53,8 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege { private static final Automaton VIEW_METADATA_AUTOMATON = patterns(GetAliasesAction.NAME, AliasesExistAction.NAME, GetIndexAction.NAME, IndicesExistsAction.NAME, GetFieldMappingsAction.NAME, GetMappingsAction.NAME, ClusterSearchShardsAction.NAME, TypesExistsAction.NAME, ValidateQueryAction.NAME, GetSettingsAction.NAME); + private static final Automaton GRAPH_AUTOMATON = patterns(GraphExploreAction.NAME, SearchTransportService.QUERY_ACTION_NAME, + SearchAction.NAME, SearchTransportService.QUERY_FETCH_ACTION_NAME); public static final IndexPrivilege NONE = new IndexPrivilege(Name.NONE, Automatons.EMPTY); public static final IndexPrivilege ALL = new IndexPrivilege(Name.ALL, ALL_AUTOMATON); @@ -63,6 +68,7 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege { public static final IndexPrivilege DELETE_INDEX = new IndexPrivilege("delete_index", DELETE_INDEX_AUTOMATON); public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CREATE_INDEX_AUTOMATON); public static final IndexPrivilege VIEW_METADATA = new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON); + public static final IndexPrivilege GRAPH = new IndexPrivilege("graph", GRAPH_AUTOMATON); private static final Set values = new CopyOnWriteArraySet<>(); 
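Review bot: The added imports of `org.elasticsearch.graph.action.GraphExploreAction` and `org.elasticsearch.search.action.SearchTransportService` in the first hunk make the shield privilege class depend at compile time on the graph plugin, which is the reverse of the dependency this commit removes from Graph.java. The paths suggest graph and shield are separate source trees, so it is worth confirming the build permits this direction. It also means the `graph` privilege name now resolves whether or not the graph feature is enabled on the node; if that is intended, a short comment next to the constant such as `// defined statically in shield; exists even when graph is disabled` would record it.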
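Review bot: `GRAPH_AUTOMATON` in the second hunk matches `SearchAction.NAME` and the `SearchTransportService` query and query-fetch actions as well as `GraphExploreAction.NAME`, so a role that holds only the `graph` index privilege can presumably also run ordinary searches against the same indices. The patterns are the same ones the removed registration in Graph.java used, but `graph` is now a built-in privilege and nothing at the definition says it implies read access. I would add a comment above the constant, for example `// NOTE: also grants plain search on the index; the search actions are included alongside graph explore (confirm they are all required)`, and make sure the role documentation states this. The class body continues outside the hunk.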
@@ -79,6 +85,7 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege {
 values.add(CREATE);
 values.add(DELETE_INDEX);
 values.add(VIEW_METADATA);
+ values.add(GRAPH);
 }
 public static final Predicate ACTION_MATCHER = ALL.predicate();
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/Watcher.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/Watcher.java
index 28dbd3d328b..350abe41746 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/Watcher.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/Watcher.java
@@ -21,7 +21,6 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.script.ScriptModule;
-import org.elasticsearch.shield.Shield;
 import org.elasticsearch.watcher.actions.WatcherActionModule;
 import org.elasticsearch.watcher.actions.email.service.EmailService;
 import org.elasticsearch.watcher.actions.email.service.InternalEmailService;
@@ -120,12 +119,6 @@ public class Watcher {
 transportClient = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
 enabled = enabled(settings);
 validAutoCreateIndex(settings);
-
- // adding the watcher privileges to shield
- if (Shield.enabled(settings)) {
- Shield.registerClusterPrivilege("manage_watcher", "cluster:admin/xpack/watcher/*", "cluster:monitor/xpack/watcher/*");
- Shield.registerClusterPrivilege("monitor_watcher", "cluster:monitor/xpack/watcher/*");
- }
 }
 public Collection nodeModules() {