diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java
index c394efdd2f3..1a64826210c 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/file/tool/UsersTool.java
@@ -320,11 +320,14 @@ public class UsersTool extends MultiCommand {
     static void listUsersAndRoles(Terminal terminal, Environment env, String username) throws Exception {
         Settings esusersSettings = Realms.fileRealmSettings(env.settings());
         Path userRolesFilePath = FileUserRolesStore.resolveFile(esusersSettings, env);
-        Set<String> knownRoles = FileRolesStore.parseFileForRoleNames(userRolesFilePath, null);
         Map<String, String[]> userRoles = FileUserRolesStore.parseFile(userRolesFilePath, null);
+
         Path userFilePath = FileUserPasswdStore.resolveFile(esusersSettings, env);
         Set<String> users = FileUserPasswdStore.parseFile(userFilePath, null).keySet();
 
+        Path rolesFilePath = FileRolesStore.resolveFile(env.settings(), env);
+        Set<String> knownRoles = FileRolesStore.parseFileForRoleNames(rolesFilePath, null);
+
         if (username != null) {
             if (!users.contains(username)) {
                 throw new UserError(ExitCodes.NO_USER, "User [" + username + "] doesn't exist");
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
index 9cfa53152d7..5ce65a328cc 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
@@ -351,6 +351,9 @@ public class UsersToolTests extends CommandTestCase {
         assertTrue(output, output.contains("test_admin"));
         assertTrue(output, output.contains("existing_user2"));
         assertTrue(output, output.contains("test_r1"));
+
+        // output should not contain '*' which indicates unknown role
+        assertFalse(output, output.contains("*"));
     }
 
     public void testListSingleUser() throws Exception {
@@ -359,6 +362,9 @@ public class UsersToolTests extends CommandTestCase {
         assertTrue(output, output.contains("test_admin"));
         assertFalse(output, output.contains("existing_user2"));
         assertFalse(output, output.contains("test_r1"));
+
+        // output should not contain '*' which indicates unknown role
+        assertFalse(output, output.contains("*"));
     }
 
     public void testListUnknownRoles() throws Exception {
@@ -382,5 +388,8 @@ public class UsersToolTests extends CommandTestCase {
         assertTrue(output, output.contains("existing_user3"));
         output = execute("list");
         assertTrue(output, output.contains("existing_user3"));
+
+        // output should not contain '*' which indicates unknown role
+        assertFalse(output, output.contains("*"));
     }
 }