From e31ec7eb547b9743c106a9801ebe2c88086f59b9 Mon Sep 17 00:00:00 2001
From: Thomas Watson <w@tson.dk>
Date: Tue, 6 Oct 2020 20:40:28 +0200
Subject: [PATCH] Give user the option to log out if they encounter a 403
 (#75538)

---
 .../core/server/kibana-plugin-core-server.md  |   1 +
 ...in-core-server.onpreresponserender.body.md |  13 ++
 ...core-server.onpreresponserender.headers.md |  13 ++
 ...-plugin-core-server.onpreresponserender.md |  21 +++
 ...plugin-core-server.onpreresponsetoolkit.md |   1 +
 ...core-server.onpreresponsetoolkit.render.md |  13 ++
 src/core/server/http/http_server.mocks.ts     |   1 +
 src/core/server/http/http_service.mock.ts     |   1 +
 src/core/server/http/index.ts                 |   1 +
 .../http/integration_tests/lifecycle.test.ts  |  61 +++++++++
 .../server/http/lifecycle/on_pre_response.ts  |  79 ++++++++---
 src/core/server/index.ts                      |   1 +
 src/core/server/server.api.md                 |   7 +
 test/functional/page_objects/common_page.ts   |   7 +-
 test/functional/page_objects/error_page.ts    |  10 +-
 .../authentication/can_redirect_request.ts    |   6 +-
 .../reset_session_page.test.tsx.snap          |   3 +
 .../authorization/api_authorization.test.ts   |   4 +-
 .../server/authorization/api_authorization.ts |   4 +-
 .../authorization/app_authorization.test.ts   |   2 +-
 .../server/authorization/app_authorization.ts |   2 +-
 .../authorization_service.test.ts             |   3 +
 ...n_service.ts => authorization_service.tsx} |  40 ++++++
 .../authorization/reset_session_page.test.tsx |  27 ++++
 .../authorization/reset_session_page.tsx      | 128 ++++++++++++++++++
 x-pack/plugins/security/server/plugin.ts      |   1 +
 .../server/routes/authorization/index.ts      |   2 +
 .../authorization/reset_session_page.ts       |  28 ++++
 .../on_post_auth_interceptor.ts               |  30 ++--
 .../apis/console/feature_controls.ts          |   4 +-
 .../apis/features/features/features.ts        |   4 +-
 .../apis/metrics_ui/feature_controls.ts       |  10 +-
 .../apis/ml/annotations/create_annotations.ts |   6 +-
 .../apis/ml/annotations/delete_annotations.ts |   6 +-
 .../apis/ml/annotations/get_annotations.ts    |   6 +-
 .../apis/ml/annotations/update_annotations.ts |   6 +-
 .../apis/ml/anomaly_detectors/create.ts       |   8 +-
 .../apis/ml/anomaly_detectors/get.ts          |  24 ++--
 .../apis/ml/calendars/create_calendars.ts     |  12 +-
 .../apis/ml/calendars/delete_calendars.ts     |   8 +-
 .../apis/ml/calendars/get_calendars.ts        |   8 +-
 .../apis/ml/calendars/update_calendars.ts     |  10 +-
 .../apis/ml/data_frame_analytics/delete.ts    |  12 +-
 .../apis/ml/data_frame_analytics/get.ts       |  24 ++--
 .../apis/ml/data_frame_analytics/update.ts    |  12 +-
 .../apis/ml/filters/create_filters.ts         |  12 +-
 .../apis/ml/filters/delete_filters.ts         |   8 +-
 .../apis/ml/filters/get_filters.ts            |  12 +-
 .../apis/ml/filters/update_filters.ts         |   8 +-
 .../apis/ml/job_validation/cardinality.ts     |   6 +-
 .../apis/ml/job_validation/validate.ts        |   6 +-
 .../apis/ml/jobs/close_jobs.ts                |   8 +-
 .../apis/ml/jobs/delete_jobs.ts               |   8 +-
 .../apis/ml/jobs/jobs_exist.ts                |   4 +-
 .../apis/ml/jobs/jobs_summary.ts              |   4 +-
 .../apis/ml/modules/setup_module.ts           |   6 +-
 .../ml/results/get_anomalies_table_data.ts    |   6 +-
 .../apis/ml/results/get_categorizer_stats.ts  |  12 +-
 .../apis/ml/results/get_stopped_partitions.ts |   6 +-
 .../security_solution/feature_controls.ts     |  10 +-
 .../apis/uptime/feature_controls.ts           |  10 +-
 .../basic/tests/feature_controls.ts           |  38 +++---
 .../tests/settings/agent_configuration.ts     |   6 +-
 .../anomaly_detection/no_access_user.ts       |   8 +-
 .../settings/anomaly_detection/read_user.ts   |   4 +-
 .../anomaly_detection/no_access_user.ts       |   8 +-
 .../settings/anomaly_detection/read_user.ts   |   4 +-
 .../tests/encrypted_saved_objects_api.ts      |   2 +-
 .../apps/apm/feature_controls/apm_security.ts |   4 +-
 .../feature_controls/canvas_security.ts       |  24 +---
 .../canvas/feature_controls/canvas_spaces.ts  |   4 +-
 .../feature_controls/dashboard_security.ts    |  16 +--
 .../feature_controls/dev_tools_security.ts    |  12 +-
 .../feature_controls/discover_security.ts     |   4 +-
 .../graph/feature_controls/graph_security.ts  |   4 +-
 .../infrastructure_security.ts                |  13 +-
 .../feature_controls/infrastructure_spaces.ts |   2 +-
 .../infra/feature_controls/logs_security.ts   |  13 +-
 .../infra/feature_controls/logs_spaces.ts     |   2 +-
 .../maps/feature_controls/maps_security.ts    |  13 +-
 .../apps/maps/feature_controls/maps_spaces.ts |   2 +-
 .../apps/ml/permissions/no_ml_access.ts       |   2 +-
 .../feature_controls/timelion_security.ts     |  20 +--
 .../feature_controls/timelion_spaces.ts       |   6 +-
 .../feature_controls/uptime_security.ts       |   4 +-
 .../feature_controls/visualize_security.ts    |   8 +-
 .../functional/page_objects/security_page.ts  |   4 +-
 .../apis/fleet/agents/delete.ts               |   4 +-
 .../apis/fleet/agents/list.ts                 |   2 +-
 .../common/suites/bulk_create.ts              |   6 +-
 .../common/suites/bulk_get.ts                 |   6 +-
 .../common/suites/bulk_update.ts              |   6 +-
 .../common/suites/create.ts                   |   4 +-
 .../common/suites/delete.ts                   |   4 +-
 .../common/suites/export.ts                   |   4 +-
 .../common/suites/get.ts                      |   4 +-
 .../common/suites/import.ts                   |   6 +-
 .../common/suites/resolve_import_errors.ts    |   6 +-
 .../common/suites/update.ts                   |   4 +-
 .../security_and_spaces/apis/bulk_create.ts   |  12 +-
 .../security_and_spaces/apis/bulk_get.ts      |   4 +-
 .../security_and_spaces/apis/bulk_update.ts   |  11 +-
 .../security_and_spaces/apis/import.ts        |  10 +-
 .../apis/resolve_import_errors.ts             |  18 ++-
 .../security_only/apis/bulk_create.ts         |  12 +-
 .../security_only/apis/bulk_get.ts            |   4 +-
 .../security_only/apis/bulk_update.ts         |  11 +-
 .../security_only/apis/import.ts              |  10 +-
 .../apis/resolve_import_errors.ts             |  18 ++-
 .../common/suites/copy_to_space.ts            |  33 +++--
 .../suites/resolve_copy_to_space_conflicts.ts |  41 ++++--
 .../security_and_spaces/apis/copy_to_space.ts |  23 ++--
 .../apis/resolve_copy_to_space_conflicts.ts   |  22 +--
 113 files changed, 863 insertions(+), 445 deletions(-)
 create mode 100644 docs/development/core/server/kibana-plugin-core-server.onpreresponserender.body.md
 create mode 100644 docs/development/core/server/kibana-plugin-core-server.onpreresponserender.headers.md
 create mode 100644 docs/development/core/server/kibana-plugin-core-server.onpreresponserender.md
 create mode 100644 docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.render.md
 create mode 100644 x-pack/plugins/security/server/authorization/__snapshots__/reset_session_page.test.tsx.snap
 rename x-pack/plugins/security/server/authorization/{authorization_service.ts => authorization_service.tsx} (80%)
 create mode 100644 x-pack/plugins/security/server/authorization/reset_session_page.test.tsx
 create mode 100644 x-pack/plugins/security/server/authorization/reset_session_page.tsx
 create mode 100644 x-pack/plugins/security/server/routes/authorization/reset_session_page.ts

diff --git a/docs/development/core/server/kibana-plugin-core-server.md b/docs/development/core/server/kibana-plugin-core-server.md
index be8b7c27495a..a484c856ec01 100644
--- a/docs/development/core/server/kibana-plugin-core-server.md
+++ b/docs/development/core/server/kibana-plugin-core-server.md
@@ -121,6 +121,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  [OnPreAuthToolkit](./kibana-plugin-core-server.onpreauthtoolkit.md) | A tool set defining an outcome of OnPreAuth interceptor for incoming request. |
 |  [OnPreResponseExtensions](./kibana-plugin-core-server.onpreresponseextensions.md) | Additional data to extend a response. |
 |  [OnPreResponseInfo](./kibana-plugin-core-server.onpreresponseinfo.md) | Response status code. |
+|  [OnPreResponseRender](./kibana-plugin-core-server.onpreresponserender.md) | Additional data to extend a response when rendering a new body |
 |  [OnPreResponseToolkit](./kibana-plugin-core-server.onpreresponsetoolkit.md) | A tool set defining an outcome of OnPreResponse interceptor for incoming request. |
 |  [OnPreRoutingToolkit](./kibana-plugin-core-server.onpreroutingtoolkit.md) | A tool set defining an outcome of OnPreRouting interceptor for incoming request. |
 |  [OpsMetrics](./kibana-plugin-core-server.opsmetrics.md) | Regroups metrics gathered by all the collectors. This contains metrics about the os/runtime, the kibana process and the http server. |
diff --git a/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.body.md b/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.body.md
new file mode 100644
index 000000000000..ab5b5e7a4f27
--- /dev/null
+++ b/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.body.md
@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [OnPreResponseRender](./kibana-plugin-core-server.onpreresponserender.md) &gt; [body](./kibana-plugin-core-server.onpreresponserender.body.md)
+
+## OnPreResponseRender.body property
+
+the body to use in the response
+
+<b>Signature:</b>
+
+```typescript
+body: string;
+```
diff --git a/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.headers.md b/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.headers.md
new file mode 100644
index 000000000000..100d12f63d16
--- /dev/null
+++ b/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.headers.md
@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [OnPreResponseRender](./kibana-plugin-core-server.onpreresponserender.md) &gt; [headers](./kibana-plugin-core-server.onpreresponserender.headers.md)
+
+## OnPreResponseRender.headers property
+
+additional headers to attach to the response
+
+<b>Signature:</b>
+
+```typescript
+headers?: ResponseHeaders;
+```
diff --git a/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.md b/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.md
new file mode 100644
index 000000000000..0a7ce2d54670
--- /dev/null
+++ b/docs/development/core/server/kibana-plugin-core-server.onpreresponserender.md
@@ -0,0 +1,21 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [OnPreResponseRender](./kibana-plugin-core-server.onpreresponserender.md)
+
+## OnPreResponseRender interface
+
+Additional data to extend a response when rendering a new body
+
+<b>Signature:</b>
+
+```typescript
+export interface OnPreResponseRender 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [body](./kibana-plugin-core-server.onpreresponserender.body.md) | <code>string</code> | the body to use in the response |
+|  [headers](./kibana-plugin-core-server.onpreresponserender.headers.md) | <code>ResponseHeaders</code> | additional headers to attach to the response |
+
diff --git a/docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.md b/docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.md
index 44da09d0cc68..14070038132d 100644
--- a/docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.md
+++ b/docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.md
@@ -17,4 +17,5 @@ export interface OnPreResponseToolkit
 |  Property | Type | Description |
 |  --- | --- | --- |
 |  [next](./kibana-plugin-core-server.onpreresponsetoolkit.next.md) | <code>(responseExtensions?: OnPreResponseExtensions) =&gt; OnPreResponseResult</code> | To pass request to the next handler |
+|  [render](./kibana-plugin-core-server.onpreresponsetoolkit.render.md) | <code>(responseRender: OnPreResponseRender) =&gt; OnPreResponseResult</code> | To override the response with a different body |
 
diff --git a/docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.render.md b/docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.render.md
new file mode 100644
index 000000000000..7dced7fe8dee
--- /dev/null
+++ b/docs/development/core/server/kibana-plugin-core-server.onpreresponsetoolkit.render.md
@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [OnPreResponseToolkit](./kibana-plugin-core-server.onpreresponsetoolkit.md) &gt; [render](./kibana-plugin-core-server.onpreresponsetoolkit.render.md)
+
+## OnPreResponseToolkit.render property
+
+To override the response with a different body
+
+<b>Signature:</b>
+
+```typescript
+render: (responseRender: OnPreResponseRender) => OnPreResponseResult;
+```
diff --git a/src/core/server/http/http_server.mocks.ts b/src/core/server/http/http_server.mocks.ts
index 9deaa73d8aac..6aad232cf42b 100644
--- a/src/core/server/http/http_server.mocks.ts
+++ b/src/core/server/http/http_server.mocks.ts
@@ -175,6 +175,7 @@ type ToolkitMock = jest.Mocked<OnPreResponseToolkit & OnPostAuthToolkit & OnPreR
 
 const createToolkitMock = (): ToolkitMock => {
   return {
+    render: jest.fn(),
     next: jest.fn(),
     rewriteUrl: jest.fn(),
   };
diff --git a/src/core/server/http/http_service.mock.ts b/src/core/server/http/http_service.mock.ts
index f81708145edc..df837dc35505 100644
--- a/src/core/server/http/http_service.mock.ts
+++ b/src/core/server/http/http_service.mock.ts
@@ -198,6 +198,7 @@ const createAuthToolkitMock = (): jest.Mocked<AuthToolkit> => ({
 });
 
 const createOnPreResponseToolkitMock = (): jest.Mocked<OnPreResponseToolkit> => ({
+  render: jest.fn(),
   next: jest.fn(),
 });
 
diff --git a/src/core/server/http/index.ts b/src/core/server/http/index.ts
index 7513e6096608..cb842b2f6026 100644
--- a/src/core/server/http/index.ts
+++ b/src/core/server/http/index.ts
@@ -83,6 +83,7 @@ export { OnPreAuthHandler, OnPreAuthToolkit } from './lifecycle/on_pre_auth';
 export {
   OnPreResponseHandler,
   OnPreResponseToolkit,
+  OnPreResponseRender,
   OnPreResponseExtensions,
   OnPreResponseInfo,
 } from './lifecycle/on_pre_response';
diff --git a/src/core/server/http/integration_tests/lifecycle.test.ts b/src/core/server/http/integration_tests/lifecycle.test.ts
index b9548bf7a8d7..59090d101acb 100644
--- a/src/core/server/http/integration_tests/lifecycle.test.ts
+++ b/src/core/server/http/integration_tests/lifecycle.test.ts
@@ -1286,6 +1286,67 @@ describe('OnPreResponse', () => {
 
     expect(requestBody).toStrictEqual({});
   });
+
+  it('supports rendering a different response body', async () => {
+    const { registerOnPreResponse, server: innerServer, createRouter } = await server.setup(
+      setupDeps
+    );
+    const router = createRouter('/');
+
+    router.get({ path: '/', validate: false }, (context, req, res) => {
+      return res.ok({
+        headers: {
+          'Original-Header-A': 'A',
+        },
+        body: 'original',
+      });
+    });
+
+    registerOnPreResponse((req, res, t) => {
+      return t.render({ body: 'overridden' });
+    });
+
+    await server.start();
+
+    const result = await supertest(innerServer.listener).get('/').expect(200, 'overridden');
+
+    expect(result.header['original-header-a']).toBe('A');
+  });
+
+  it('supports rendering a different response body + headers', async () => {
+    const { registerOnPreResponse, server: innerServer, createRouter } = await server.setup(
+      setupDeps
+    );
+    const router = createRouter('/');
+
+    router.get({ path: '/', validate: false }, (context, req, res) => {
+      return res.ok({
+        headers: {
+          'Original-Header-A': 'A',
+          'Original-Header-B': 'B',
+        },
+        body: 'original',
+      });
+    });
+
+    registerOnPreResponse((req, res, t) => {
+      return t.render({
+        headers: {
+          'Original-Header-A': 'AA',
+          'New-Header-C': 'C',
+        },
+        body: 'overridden',
+      });
+    });
+
+    await server.start();
+
+    const result = await supertest(innerServer.listener).get('/').expect(200, 'overridden');
+
+    expect(result.header['original-header-a']).toBe('AA');
+    expect(result.header['original-header-b']).toBe('B');
+    expect(result.header['new-header-c']).toBe('C');
+  });
 });
 
 describe('run interceptors in the right order', () => {
diff --git a/src/core/server/http/lifecycle/on_pre_response.ts b/src/core/server/http/lifecycle/on_pre_response.ts
index 4d1b53313a51..37dddf4dd476 100644
--- a/src/core/server/http/lifecycle/on_pre_response.ts
+++ b/src/core/server/http/lifecycle/on_pre_response.ts
@@ -17,16 +17,23 @@
  * under the License.
  */
 
-import { Lifecycle, Request, ResponseToolkit as HapiResponseToolkit } from 'hapi';
+import { Lifecycle, Request, ResponseObject, ResponseToolkit as HapiResponseToolkit } from 'hapi';
 import Boom from 'boom';
 import { Logger } from '../../logging';
 
 import { HapiResponseAdapter, KibanaRequest, ResponseHeaders } from '../router';
 
 enum ResultType {
+  render = 'render',
   next = 'next',
 }
 
+interface Render {
+  type: ResultType.render;
+  body: string;
+  headers?: ResponseHeaders;
+}
+
 interface Next {
   type: ResultType.next;
   headers?: ResponseHeaders;
@@ -35,7 +42,18 @@ interface Next {
 /**
  * @internal
  */
-type OnPreResponseResult = Next;
+type OnPreResponseResult = Render | Next;
+
+/**
+ * Additional data to extend a response when rendering a new body
+ * @public
+ */
+export interface OnPreResponseRender {
+  /** additional headers to attach to the response */
+  headers?: ResponseHeaders;
+  /** the body to use in the response */
+  body: string;
+}
 
 /**
  * Additional data to extend a response.
@@ -55,6 +73,12 @@ export interface OnPreResponseInfo {
 }
 
 const preResponseResult = {
+  render(responseRender: OnPreResponseRender): OnPreResponseResult {
+    return { type: ResultType.render, body: responseRender.body, headers: responseRender?.headers };
+  },
+  isRender(result: OnPreResponseResult): result is Render {
+    return result && result.type === ResultType.render;
+  },
   next(responseExtensions?: OnPreResponseExtensions): OnPreResponseResult {
     return { type: ResultType.next, headers: responseExtensions?.headers };
   },
@@ -68,11 +92,14 @@ const preResponseResult = {
  * @public
  */
 export interface OnPreResponseToolkit {
+  /** To override the response with a different body */
+  render: (responseRender: OnPreResponseRender) => OnPreResponseResult;
   /** To pass request to the next handler */
   next: (responseExtensions?: OnPreResponseExtensions) => OnPreResponseResult;
 }
 
 const toolkit: OnPreResponseToolkit = {
+  render: preResponseResult.render,
   next: preResponseResult.next,
 };
 
@@ -106,26 +133,36 @@ export function adoptToHapiOnPreResponseFormat(fn: OnPreResponseHandler, log: Lo
           : response.statusCode;
 
         const result = await fn(KibanaRequest.from(request), { statusCode }, toolkit);
-        if (!preResponseResult.isNext(result)) {
+
+        if (preResponseResult.isNext(result)) {
+          if (result.headers) {
+            if (isBoom(response)) {
+              findHeadersIntersection(response.output.headers, result.headers, log);
+              // hapi wraps all error response in Boom object internally
+              response.output.headers = {
+                ...response.output.headers,
+                ...(result.headers as any), // hapi types don't specify string[] as valid value
+              };
+            } else {
+              findHeadersIntersection(response.headers, result.headers, log);
+              setHeaders(response, result.headers);
+            }
+          }
+        } else if (preResponseResult.isRender(result)) {
+          const overriddenResponse = responseToolkit.response(result.body).code(statusCode);
+
+          const originalHeaders = isBoom(response) ? response.output.headers : response.headers;
+          setHeaders(overriddenResponse, originalHeaders);
+          if (result.headers) {
+            setHeaders(overriddenResponse, result.headers);
+          }
+
+          return overriddenResponse;
+        } else {
           throw new Error(
             `Unexpected result from OnPreResponse. Expected OnPreResponseResult, but given: ${result}.`
           );
         }
-        if (result.headers) {
-          if (isBoom(response)) {
-            findHeadersIntersection(response.output.headers, result.headers, log);
-            // hapi wraps all error response in Boom object internally
-            response.output.headers = {
-              ...response.output.headers,
-              ...(result.headers as any), // hapi types don't specify string[] as valid value
-            };
-          } else {
-            findHeadersIntersection(response.headers, result.headers, log);
-            for (const [headerName, headerValue] of Object.entries(result.headers)) {
-              response.header(headerName, headerValue as any); // hapi types don't specify string[] as valid value
-            }
-          }
-        }
       }
     } catch (error) {
       log.error(error);
@@ -140,6 +177,12 @@ function isBoom(response: any): response is Boom {
   return response instanceof Boom;
 }
 
+function setHeaders(response: ResponseObject, headers: ResponseHeaders) {
+  for (const [headerName, headerValue] of Object.entries(headers)) {
+    response.header(headerName, headerValue as any); // hapi types don't specify string[] as valid value
+  }
+}
+
 // NOTE: responseHeaders contains not a full list of response headers, but only explicitly set on a response object.
 // any headers added by hapi internally, like `content-type`, `content-length`, etc. are not present here.
 function findHeadersIntersection(
diff --git a/src/core/server/index.ts b/src/core/server/index.ts
index 887dc50d5f78..fc091bd17bdf 100644
--- a/src/core/server/index.ts
+++ b/src/core/server/index.ts
@@ -173,6 +173,7 @@ export {
   OnPostAuthToolkit,
   OnPreResponseHandler,
   OnPreResponseToolkit,
+  OnPreResponseRender,
   OnPreResponseExtensions,
   OnPreResponseInfo,
   RedirectResponseOptions,
diff --git a/src/core/server/server.api.md b/src/core/server/server.api.md
index a718ae8a6ff1..a877700a48bc 100644
--- a/src/core/server/server.api.md
+++ b/src/core/server/server.api.md
@@ -1530,9 +1530,16 @@ export interface OnPreResponseInfo {
     statusCode: number;
 }
 
+// @public
+export interface OnPreResponseRender {
+    body: string;
+    headers?: ResponseHeaders;
+}
+
 // @public
 export interface OnPreResponseToolkit {
     next: (responseExtensions?: OnPreResponseExtensions) => OnPreResponseResult;
+    render: (responseRender: OnPreResponseRender) => OnPreResponseResult;
 }
 
 // Warning: (ae-forgotten-export) The symbol "OnPreRoutingResult" needs to be exported by the entry point index.d.ts
diff --git a/test/functional/page_objects/common_page.ts b/test/functional/page_objects/common_page.ts
index 459f596b3025..41667e1f26c8 100644
--- a/test/functional/page_objects/common_page.ts
+++ b/test/functional/page_objects/common_page.ts
@@ -434,7 +434,7 @@ export function CommonPageProvider({ getService, getPageObjects }: FtrProviderCo
       }
     }
 
-    async getBodyText() {
+    async getJsonBodyText() {
       if (await find.existsByCssSelector('a[id=rawdata-tab]', defaultFindTimeout)) {
         // Firefox has 3 tabs and requires navigation to see Raw output
         await find.clickByCssSelector('a[id=rawdata-tab]');
@@ -449,6 +449,11 @@ export function CommonPageProvider({ getService, getPageObjects }: FtrProviderCo
       }
     }
 
+    async getBodyText() {
+      const body = await find.byCssSelector('body');
+      return await body.getVisibleText();
+    }
+
     /**
      * Helper to detect an OSS licensed Kibana
      * Useful for functional testing in cloud environment
diff --git a/test/functional/page_objects/error_page.ts b/test/functional/page_objects/error_page.ts
index 332ce835d0b1..bc256f55155d 100644
--- a/test/functional/page_objects/error_page.ts
+++ b/test/functional/page_objects/error_page.ts
@@ -26,17 +26,11 @@ export function ErrorPageProvider({ getPageObjects }: FtrProviderContext) {
   class ErrorPage {
     public async expectForbidden() {
       const messageText = await common.getBodyText();
-      expect(messageText).to.eql(
-        JSON.stringify({
-          statusCode: 403,
-          error: 'Forbidden',
-          message: 'Forbidden',
-        })
-      );
+      expect(messageText).to.contain('You do not have permission to access the requested page');
     }
 
     public async expectNotFound() {
-      const messageText = await common.getBodyText();
+      const messageText = await common.getJsonBodyText();
       expect(messageText).to.eql(
         JSON.stringify({
           statusCode: 404,
diff --git a/x-pack/plugins/security/server/authentication/can_redirect_request.ts b/x-pack/plugins/security/server/authentication/can_redirect_request.ts
index 7e2b2e5eaf9f..4dd89a4990d6 100644
--- a/x-pack/plugins/security/server/authentication/can_redirect_request.ts
+++ b/x-pack/plugins/security/server/authentication/can_redirect_request.ts
@@ -17,10 +17,14 @@ const KIBANA_VERSION_HEADER = 'kbn-version';
  */
 export function canRedirectRequest(request: KibanaRequest) {
   const headers = request.headers;
+  const route = request.route;
   const hasVersionHeader = headers.hasOwnProperty(KIBANA_VERSION_HEADER);
   const hasXsrfHeader = headers.hasOwnProperty(KIBANA_XSRF_HEADER);
 
-  const isApiRoute = request.route.options.tags.includes(ROUTE_TAG_API);
+  const isApiRoute =
+    route.options.tags.includes(ROUTE_TAG_API) ||
+    (route.path.startsWith('/api/') && route.path !== '/api/security/logout') ||
+    route.path.startsWith('/internal/');
   const isAjaxRequest = hasVersionHeader || hasXsrfHeader;
 
   return !isApiRoute && !isAjaxRequest;
diff --git a/x-pack/plugins/security/server/authorization/__snapshots__/reset_session_page.test.tsx.snap b/x-pack/plugins/security/server/authorization/__snapshots__/reset_session_page.test.tsx.snap
new file mode 100644
index 000000000000..7ff1dbfcb1a4
--- /dev/null
+++ b/x-pack/plugins/security/server/authorization/__snapshots__/reset_session_page.test.tsx.snap
@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`ResetSessionPage renders as expected 1`] = `"<html lang=\\"en\\"><head><link href=\\"/some-css-file.css\\" rel=\\"stylesheet\\"/><link href=\\"/some-other-css-file.css\\" rel=\\"stylesheet\\"/>MockedFonts<link rel=\\"apple-touch-icon\\" sizes=\\"180x180\\" href=\\"/path/to/base/ui/favicons/apple-touch-icon.png\\"/><link rel=\\"icon\\" type=\\"image/png\\" sizes=\\"32x32\\" href=\\"/path/to/base/ui/favicons/favicon-32x32.png\\"/><link rel=\\"icon\\" type=\\"image/png\\" sizes=\\"16x16\\" href=\\"/path/to/base/ui/favicons/favicon-16x16.png\\"/><link rel=\\"manifest\\" href=\\"/path/to/base/ui/favicons/manifest.json\\"/><link rel=\\"mask-icon\\" color=\\"#e8488b\\" href=\\"/path/to/base/ui/favicons/safari-pinned-tab.svg\\"/><link rel=\\"shortcut icon\\" href=\\"/path/to/base/ui/favicons/favicon.ico\\"/><script src=\\"/path/to/base/internal/security/reset_session_page.js\\"></script><meta name=\\"msapplication-config\\" content=\\"/path/to/base/ui/favicons/browserconfig.xml\\"/><meta name=\\"theme-color\\" content=\\"#ffffff\\"/></head><body><div class=\\"euiPage\\" style=\\"min-height:100vh\\"><main class=\\"euiPageBody\\"><div class=\\"euiPanel euiPanel--paddingLarge euiPageContent euiPageContent--verticalCenter euiPageContent--horizontalCenter\\"><div class=\\"euiEmptyPrompt\\"><div data-euiicon-type=\\"alert\\" color=\\"danger\\"></div><div class=\\"euiSpacer euiSpacer--s\\"></div><span class=\\"euiTextColor euiTextColor--subdued\\"><h2 class=\\"euiTitle euiTitle--medium\\">You do not have permission to access the requested page</h2><div class=\\"euiSpacer euiSpacer--m\\"></div><div class=\\"euiText euiText--medium\\"><p>Either go back to the previous page or log in as a different user.</p></div></span><div class=\\"euiSpacer euiSpacer--l\\"></div><div class=\\"euiSpacer euiSpacer--s\\"></div><div class=\\"euiFlexGroup euiFlexGroup--gutterMedium euiFlexGroup--alignItemsCenter euiFlexGroup--justifyContentCenter euiFlexGroup--directionColumn euiFlexGroup--responsive\\"><div class=\\"euiFlexItem euiFlexItem--flexGrowZero\\"><a class=\\"euiButton euiButton--primary euiButton--fill\\" href=\\"/path/to/logout\\" rel=\\"noreferrer\\" data-test-subj=\\"ResetSessionButton\\"><span class=\\"euiButtonContent euiButton__content\\"><span class=\\"euiButton__text\\">Log in as different user</span></span></a></div><div class=\\"euiFlexItem euiFlexItem--flexGrowZero\\"><button class=\\"euiButtonEmpty euiButtonEmpty--primary\\" type=\\"button\\" id=\\"goBackButton\\"><span class=\\"euiButtonContent euiButtonEmpty__content\\"><span class=\\"euiButtonEmpty__text\\">Go back</span></span></button></div></div></div></div></main></div></body></html>"`;
diff --git a/x-pack/plugins/security/server/authorization/api_authorization.test.ts b/x-pack/plugins/security/server/authorization/api_authorization.test.ts
index d4ec9a0e0db5..22336a7db9a3 100644
--- a/x-pack/plugins/security/server/authorization/api_authorization.test.ts
+++ b/x-pack/plugins/security/server/authorization/api_authorization.test.ts
@@ -100,7 +100,7 @@ describe('initAPIAuthorization', () => {
     expect(mockAuthz.mode.useRbacForRequest).toHaveBeenCalledWith(mockRequest);
   });
 
-  test(`protected route when "mode.useRbacForRequest()" returns true and user isn't authorized responds with a 404`, async () => {
+  test(`protected route when "mode.useRbacForRequest()" returns true and user isn't authorized responds with a 403`, async () => {
     const mockHTTPSetup = coreMock.createSetup().http;
     const mockAuthz = authorizationMock.create({ version: '1.0.0-zeta1' });
     initAPIAuthorization(mockHTTPSetup, mockAuthz, loggingSystemMock.create().get());
@@ -129,7 +129,7 @@ describe('initAPIAuthorization', () => {
 
     await postAuthHandler(mockRequest, mockResponse, mockPostAuthToolkit);
 
-    expect(mockResponse.notFound).toHaveBeenCalledTimes(1);
+    expect(mockResponse.forbidden).toHaveBeenCalledTimes(1);
     expect(mockPostAuthToolkit.next).not.toHaveBeenCalled();
     expect(mockCheckPrivileges).toHaveBeenCalledWith({
       kibana: [mockAuthz.actions.api.get('foo')],
diff --git a/x-pack/plugins/security/server/authorization/api_authorization.ts b/x-pack/plugins/security/server/authorization/api_authorization.ts
index 9129330ec947..813ed8d064d9 100644
--- a/x-pack/plugins/security/server/authorization/api_authorization.ts
+++ b/x-pack/plugins/security/server/authorization/api_authorization.ts
@@ -37,7 +37,7 @@ export function initAPIAuthorization(
       return toolkit.next();
     }
 
-    logger.warn(`User not authorized for "${request.url.path}": responding with 404`);
-    return response.notFound();
+    logger.warn(`User not authorized for "${request.url.path}": responding with 403`);
+    return response.forbidden();
   });
 }
diff --git a/x-pack/plugins/security/server/authorization/app_authorization.test.ts b/x-pack/plugins/security/server/authorization/app_authorization.test.ts
index f40d502a9cd7..f035e6eaa365 100644
--- a/x-pack/plugins/security/server/authorization/app_authorization.test.ts
+++ b/x-pack/plugins/security/server/authorization/app_authorization.test.ts
@@ -170,7 +170,7 @@ describe('initAppAuthorization', () => {
 
     await postAuthHandler(mockRequest, mockResponse, mockPostAuthToolkit);
 
-    expect(mockResponse.notFound).toHaveBeenCalledTimes(1);
+    expect(mockResponse.forbidden).toHaveBeenCalledTimes(1);
     expect(mockPostAuthToolkit.next).not.toHaveBeenCalled();
     expect(mockCheckPrivileges).toHaveBeenCalledWith({ kibana: mockAuthz.actions.app.get('foo') });
     expect(mockAuthz.mode.useRbacForRequest).toHaveBeenCalledWith(mockRequest);
diff --git a/x-pack/plugins/security/server/authorization/app_authorization.ts b/x-pack/plugins/security/server/authorization/app_authorization.ts
index 4170fd2cdb38..713266fc3b5c 100644
--- a/x-pack/plugins/security/server/authorization/app_authorization.ts
+++ b/x-pack/plugins/security/server/authorization/app_authorization.ts
@@ -73,6 +73,6 @@ export function initAppAuthorization(
     }
 
     logger.debug(`not authorized for "${appId}"`);
-    return response.notFound();
+    return response.forbidden();
   });
 }
diff --git a/x-pack/plugins/security/server/authorization/authorization_service.test.ts b/x-pack/plugins/security/server/authorization/authorization_service.test.ts
index c00127f7d122..33abc22fdf09 100644
--- a/x-pack/plugins/security/server/authorization/authorization_service.test.ts
+++ b/x-pack/plugins/security/server/authorization/authorization_service.test.ts
@@ -72,6 +72,7 @@ it(`#setup returns exposed services`, () => {
     loggers: loggingSystemMock.create(),
     kibanaIndexName,
     packageVersion: 'some-version',
+    buildNumber: 42,
     features: mockFeaturesSetup,
     getSpacesService: mockGetSpacesService,
     getCurrentUser: jest.fn(),
@@ -130,6 +131,7 @@ describe('#start', () => {
       loggers: loggingSystemMock.create(),
       kibanaIndexName,
       packageVersion: 'some-version',
+      buildNumber: 42,
       features: featuresPluginMock.createSetup(),
       getSpacesService: jest
         .fn()
@@ -201,6 +203,7 @@ it('#stop unsubscribes from license and ES updates.', async () => {
     loggers: loggingSystemMock.create(),
     kibanaIndexName,
     packageVersion: 'some-version',
+    buildNumber: 42,
     features: featuresPluginMock.createSetup(),
     getSpacesService: jest
       .fn()
diff --git a/x-pack/plugins/security/server/authorization/authorization_service.ts b/x-pack/plugins/security/server/authorization/authorization_service.tsx
similarity index 80%
rename from x-pack/plugins/security/server/authorization/authorization_service.ts
rename to x-pack/plugins/security/server/authorization/authorization_service.tsx
index fd3a60fb4d90..9547295af4df 100644
--- a/x-pack/plugins/security/server/authorization/authorization_service.ts
+++ b/x-pack/plugins/security/server/authorization/authorization_service.tsx
@@ -4,8 +4,15 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import querystring from 'querystring';
+
+import React from 'react';
+import { renderToStaticMarkup } from 'react-dom/server';
 import { Subscription, Observable } from 'rxjs';
+import * as UiSharedDeps from '@kbn/ui-shared-deps';
+
 import type { Capabilities as UICapabilities } from '../../../../../src/core/types';
+
 import {
   LoggerFactory,
   KibanaRequest,
@@ -43,6 +50,8 @@ import { APPLICATION_PREFIX } from '../../common/constants';
 import { SecurityLicense } from '../../common/licensing';
 import { CheckPrivilegesWithRequest } from './types';
 import { OnlineStatusRetryScheduler } from '../elasticsearch';
+import { canRedirectRequest } from '../authentication';
+import { ResetSessionPage } from './reset_session_page';
 import { AuthenticatedUser } from '..';
 
 export { Actions } from './actions';
@@ -51,6 +60,7 @@ export { featurePrivilegeIterator } from './privileges';
 
 interface AuthorizationServiceSetupParams {
   packageVersion: string;
+  buildNumber: number;
   http: HttpServiceSetup;
   capabilities: CapabilitiesSetup;
   clusterClient: ILegacyClusterClient;
@@ -89,6 +99,7 @@ export class AuthorizationService {
     http,
     capabilities,
     packageVersion,
+    buildNumber,
     clusterClient,
     license,
     loggers,
@@ -154,6 +165,35 @@ export class AuthorizationService {
     initAPIAuthorization(http, authz, loggers.get('api-authorization'));
     initAppAuthorization(http, authz, loggers.get('app-authorization'), features);
 
+    http.registerOnPreResponse((request, preResponse, toolkit) => {
+      if (preResponse.statusCode === 403 && canRedirectRequest(request)) {
+        const basePath = http.basePath.get(request);
+        const next = `${basePath}${request.url.path}`;
+        const regularBundlePath = `${basePath}/${buildNumber}/bundles`;
+
+        const logoutUrl = http.basePath.prepend(
+          `/api/security/logout?${querystring.stringify({ next })}`
+        );
+        const styleSheetPaths = [
+          `${regularBundlePath}/kbn-ui-shared-deps/${UiSharedDeps.baseCssDistFilename}`,
+          `${regularBundlePath}/kbn-ui-shared-deps/${UiSharedDeps.lightCssDistFilename}`,
+          `${basePath}/node_modules/@kbn/ui-framework/dist/kui_light.css`,
+          `${basePath}/ui/legacy_light_theme.css`,
+        ];
+
+        const body = renderToStaticMarkup(
+          <ResetSessionPage
+            logoutUrl={logoutUrl}
+            styleSheetPaths={styleSheetPaths}
+            basePath={basePath}
+          />
+        );
+
+        return toolkit.render({ body, headers: { 'Content-Security-Policy': http.csp.header } });
+      }
+      return toolkit.next();
+    });
+
     return authz;
   }
 
diff --git a/x-pack/plugins/security/server/authorization/reset_session_page.test.tsx b/x-pack/plugins/security/server/authorization/reset_session_page.test.tsx
new file mode 100644
index 000000000000..5a15f4603cfc
--- /dev/null
+++ b/x-pack/plugins/security/server/authorization/reset_session_page.test.tsx
@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+import { renderToStaticMarkup } from 'react-dom/server';
+import { ResetSessionPage } from './reset_session_page';
+
+jest.mock('../../../../../src/core/server/rendering/views/fonts', () => ({
+  Fonts: () => <>MockedFonts</>,
+}));
+
+describe('ResetSessionPage', () => {
+  it('renders as expected', async () => {
+    const body = renderToStaticMarkup(
+      <ResetSessionPage
+        logoutUrl="/path/to/logout"
+        styleSheetPaths={['/some-css-file.css', '/some-other-css-file.css']}
+        basePath="/path/to/base"
+      />
+    );
+
+    expect(body).toMatchSnapshot();
+  });
+});
diff --git a/x-pack/plugins/security/server/authorization/reset_session_page.tsx b/x-pack/plugins/security/server/authorization/reset_session_page.tsx
new file mode 100644
index 000000000000..5ab6fe941ae1
--- /dev/null
+++ b/x-pack/plugins/security/server/authorization/reset_session_page.tsx
@@ -0,0 +1,128 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import React from 'react';
+// @ts-expect-error no definitions in component folder
+import { EuiButton, EuiButtonEmpty } from '@elastic/eui/lib/components/button';
+// @ts-expect-error no definitions in component folder
+import { EuiPage, EuiPageBody, EuiPageContent } from '@elastic/eui/lib/components/page';
+// @ts-expect-error no definitions in component folder
+import { EuiEmptyPrompt } from '@elastic/eui/lib/components/empty_prompt';
+// @ts-expect-error no definitions in component folder
+import { appendIconComponentCache } from '@elastic/eui/lib/components/icon/icon';
+// @ts-expect-error no definitions in component folder
+import { icon as EuiIconAlert } from '@elastic/eui/lib/components/icon/assets/alert';
+
+import { FormattedMessage, I18nProvider } from '@kbn/i18n/react';
+import { i18n } from '@kbn/i18n';
+
+// eslint-disable-next-line @kbn/eslint/no-restricted-paths
+import { Fonts } from '../../../../../src/core/server/rendering/views/fonts';
+
+// Preload the alert icon used by `EuiEmptyPrompt` to ensure that it's loaded
+// in advance the first time this page is rendered server-side. If not, the
+// icon svg wouldn't contain any paths the first time the page was rendered.
+appendIconComponentCache({
+  alert: EuiIconAlert,
+});
+
+export function ResetSessionPage({
+  logoutUrl,
+  styleSheetPaths,
+  basePath,
+}: {
+  logoutUrl: string;
+  styleSheetPaths: string[];
+  basePath: string;
+}) {
+  const uiPublicUrl = `${basePath}/ui`;
+  return (
+    <html lang={i18n.getLocale()}>
+      <head>
+        {styleSheetPaths.map((path) => (
+          <link href={path} rel="stylesheet" key={path} />
+        ))}
+        <Fonts url={uiPublicUrl} />
+        <link
+          rel="apple-touch-icon"
+          sizes="180x180"
+          href={`${uiPublicUrl}/favicons/apple-touch-icon.png`}
+        />
+        <link
+          rel="icon"
+          type="image/png"
+          sizes="32x32"
+          href={`${uiPublicUrl}/favicons/favicon-32x32.png`}
+        />
+        <link
+          rel="icon"
+          type="image/png"
+          sizes="16x16"
+          href={`${uiPublicUrl}/favicons/favicon-16x16.png`}
+        />
+        <link rel="manifest" href={`${uiPublicUrl}/favicons/manifest.json`} />
+        <link
+          rel="mask-icon"
+          color="#e8488b"
+          href={`${uiPublicUrl}/favicons/safari-pinned-tab.svg`}
+        />
+        <link rel="shortcut icon" href={`${uiPublicUrl}/favicons/favicon.ico`} />
+        <script src={`${basePath}/internal/security/reset_session_page.js`} />
+        <meta name="msapplication-config" content={`${uiPublicUrl}/favicons/browserconfig.xml`} />
+        <meta name="theme-color" content="#ffffff" />
+      </head>
+      <body>
+        <I18nProvider>
+          <EuiPage style={{ minHeight: '100vh' }}>
+            <EuiPageBody>
+              <EuiPageContent verticalPosition="center" horizontalPosition="center">
+                <EuiEmptyPrompt
+                  iconType="alert"
+                  iconColor="danger"
+                  title={
+                    <h2>
+                      <FormattedMessage
+                        id="xpack.security.resetSession.title"
+                        defaultMessage="You do not have permission to access the requested page"
+                      />
+                    </h2>
+                  }
+                  body={
+                    <p>
+                      <FormattedMessage
+                        id="xpack.security.resetSession.description"
+                        defaultMessage="Either go back to the previous page or log in as a different user."
+                      />
+                    </p>
+                  }
+                  actions={[
+                    <EuiButton
+                      color="primary"
+                      fill
+                      href={logoutUrl}
+                      data-test-subj="ResetSessionButton"
+                    >
+                      <FormattedMessage
+                        id="xpack.security.resetSession.logOutButtonLabel"
+                        defaultMessage="Log in as different user"
+                      />
+                    </EuiButton>,
+                    <EuiButtonEmpty id="goBackButton">
+                      <FormattedMessage
+                        id="xpack.security.resetSession.goBackButtonLabel"
+                        defaultMessage="Go back"
+                      />
+                    </EuiButtonEmpty>,
+                  ]}
+                />
+              </EuiPageContent>
+            </EuiPageBody>
+          </EuiPage>
+        </I18nProvider>
+      </body>
+    </html>
+  );
+}
diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts
index 7d44160c52e5..5edc4c235727 100644
--- a/x-pack/plugins/security/server/plugin.ts
+++ b/x-pack/plugins/security/server/plugin.ts
@@ -206,6 +206,7 @@ export class Plugin {
       loggers: this.initializerContext.logger,
       kibanaIndexName: legacyConfig.kibana.index,
       packageVersion: this.initializerContext.env.packageInfo.version,
+      buildNumber: this.initializerContext.env.packageInfo.buildNum,
       getSpacesService: this.getSpacesService,
       features,
       getCurrentUser: authc.getCurrentUser,
diff --git a/x-pack/plugins/security/server/routes/authorization/index.ts b/x-pack/plugins/security/server/routes/authorization/index.ts
index 19f2bcccb04a..699ffb5e81ff 100644
--- a/x-pack/plugins/security/server/routes/authorization/index.ts
+++ b/x-pack/plugins/security/server/routes/authorization/index.ts
@@ -6,9 +6,11 @@
 
 import { definePrivilegesRoutes } from './privileges';
 import { defineRolesRoutes } from './roles';
+import { resetSessionPageRoutes } from './reset_session_page';
 import { RouteDefinitionParams } from '..';
 
 export function defineAuthorizationRoutes(params: RouteDefinitionParams) {
   defineRolesRoutes(params);
   definePrivilegesRoutes(params);
+  resetSessionPageRoutes(params);
 }
diff --git a/x-pack/plugins/security/server/routes/authorization/reset_session_page.ts b/x-pack/plugins/security/server/routes/authorization/reset_session_page.ts
new file mode 100644
index 000000000000..1ea128721077
--- /dev/null
+++ b/x-pack/plugins/security/server/routes/authorization/reset_session_page.ts
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { RouteDefinitionParams } from '..';
+
+export function resetSessionPageRoutes({ httpResources }: RouteDefinitionParams) {
+  httpResources.register(
+    {
+      path: '/internal/security/reset_session_page.js',
+      validate: false,
+      options: { authRequired: false },
+    },
+    (context, request, response) => {
+      return response.renderJs({
+        body: `
+          document.addEventListener('DOMContentLoaded', function(event) {
+            document.getElementById('goBackButton').onclick = function() {
+              window.history.back();
+            }
+          })
+        `,
+      });
+    }
+  );
+}
diff --git a/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.ts b/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.ts
index e4ca0f8072f9..e3a724e15368 100644
--- a/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.ts
+++ b/x-pack/plugins/spaces/server/lib/request_interceptors/on_post_auth_interceptor.ts
@@ -83,22 +83,20 @@ export function initSpacesOnPostAuthRequestInterceptor({
 
         const statusCode = wrappedError.statusCode;
 
-        // If user is not authorized, or the space cannot be found, allow them to select another space
-        // by redirecting to the space selector.
-        const shouldRedirectToSpaceSelector = statusCode === 403 || statusCode === 404;
-
-        if (shouldRedirectToSpaceSelector) {
-          log.debug(
-            `Unable to navigate to space "${spaceId}", redirecting to Space Selector. ${error}`
-          );
-          return response.redirected({
-            headers: {
-              location: getSpaceSelectorUrl(serverBasePath),
-            },
-          });
-        } else {
-          log.error(`Unable to navigate to space "${spaceId}". ${error}`);
-          return response.customError(wrappedError);
+        switch (statusCode) {
+          case 403:
+            log.debug(`User unauthorized for space "${spaceId}". ${error}`);
+            return response.forbidden();
+          case 404:
+            log.debug(
+              `Unable to navigate to space "${spaceId}", redirecting to Space Selector. ${error}`
+            );
+            return response.redirected({
+              headers: { location: getSpaceSelectorUrl(serverBasePath) },
+            });
+          default:
+            log.error(`Unable to navigate to space "${spaceId}". ${error}`);
+            return response.customError(wrappedError);
         }
       }
 
diff --git a/x-pack/test/api_integration/apis/console/feature_controls.ts b/x-pack/test/api_integration/apis/console/feature_controls.ts
index ce926f0d032c..9c87ade6064b 100644
--- a/x-pack/test/api_integration/apis/console/feature_controls.ts
+++ b/x-pack/test/api_integration/apis/console/feature_controls.ts
@@ -158,7 +158,7 @@ export default function securityTests({ getService }: FtrProviderContext) {
           .auth(username, password)
           .set('kbn-xsrf', 'xxx')
           .send()
-          .expect(404);
+          .expect(403);
       } finally {
         await security.role.delete(roleName);
         await security.user.delete(username);
@@ -232,7 +232,7 @@ export default function securityTests({ getService }: FtrProviderContext) {
           .auth(user1.username, user1.password)
           .set('kbn-xsrf', 'xxx')
           .send()
-          .expect(404);
+          .expect(403);
       });
     });
   });
diff --git a/x-pack/test/api_integration/apis/features/features/features.ts b/x-pack/test/api_integration/apis/features/features/features.ts
index e83906be710a..42e3abfa145a 100644
--- a/x-pack/test/api_integration/apis/features/features/features.ts
+++ b/x-pack/test/api_integration/apis/features/features/features.ts
@@ -49,7 +49,7 @@ export default function ({ getService }: FtrProviderContext) {
       });
     });
     describe('without the "global all" privilege', () => {
-      it('should return a 404', async () => {
+      it('should return a 403', async () => {
         const username = 'dashboard_all';
         const roleName = 'dashboard_all';
         const password = `${username}-password`;
@@ -76,7 +76,7 @@ export default function ({ getService }: FtrProviderContext) {
             .get('/api/features')
             .auth(username, password)
             .set('kbn-xsrf', 'foo')
-            .expect(404);
+            .expect(403);
         } finally {
           await security.role.delete(roleName);
           await security.user.delete(username);
diff --git a/x-pack/test/api_integration/apis/metrics_ui/feature_controls.ts b/x-pack/test/api_integration/apis/metrics_ui/feature_controls.ts
index 4731cd0c1464..d2b155984378 100644
--- a/x-pack/test/api_integration/apis/metrics_ui/feature_controls.ts
+++ b/x-pack/test/api_integration/apis/metrics_ui/feature_controls.ts
@@ -23,11 +23,11 @@ export default function ({ getService }: FtrProviderContext) {
   const spaces = getService('spaces');
   const clientFactory = getService('infraOpsGraphQLClientFactory');
 
-  const expectGraphQL404 = (result: any) => {
+  const expectGraphQL403 = (result: any) => {
     expect(result.response).to.be(undefined);
     expect(result.error).not.to.be(undefined);
     expect(result.error).to.have.property('networkError');
-    expect(result.error.networkError).to.have.property('statusCode', 404);
+    expect(result.error.networkError).to.have.property('statusCode', 403);
   };
 
   const expectGraphQLResponse = (result: any) => {
@@ -81,7 +81,7 @@ export default function ({ getService }: FtrProviderContext) {
         });
 
         const graphQLResult = await executeGraphQLQuery(username, password);
-        expectGraphQL404(graphQLResult);
+        expectGraphQL403(graphQLResult);
       } finally {
         await security.role.delete(roleName);
         await security.user.delete(username);
@@ -156,7 +156,7 @@ export default function ({ getService }: FtrProviderContext) {
         });
 
         const graphQLResult = await executeGraphQLQuery(username, password);
-        expectGraphQL404(graphQLResult);
+        expectGraphQL403(graphQLResult);
       } finally {
         await security.role.delete(roleName);
         await security.user.delete(username);
@@ -245,7 +245,7 @@ export default function ({ getService }: FtrProviderContext) {
 
       it(`user_1 can't access APIs in space_3`, async () => {
         const graphQLResult = await executeGraphQLQuery(username, password, space3Id);
-        expectGraphQL404(graphQLResult);
+        expectGraphQL403(graphQLResult);
       });
     });
   });
diff --git a/x-pack/test/api_integration/apis/ml/annotations/create_annotations.ts b/x-pack/test/api_integration/apis/ml/annotations/create_annotations.ts
index 6b8fbe8350a4..ad9d83617589 100644
--- a/x-pack/test/api_integration/apis/ml/annotations/create_annotations.ts
+++ b/x-pack/test/api_integration/apis/ml/annotations/create_annotations.ts
@@ -79,10 +79,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
         .send(annotationRequestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
     });
   });
 };
diff --git a/x-pack/test/api_integration/apis/ml/annotations/delete_annotations.ts b/x-pack/test/api_integration/apis/ml/annotations/delete_annotations.ts
index 5e55fb616cbf..a4b045ff1260 100644
--- a/x-pack/test/api_integration/apis/ml/annotations/delete_annotations.ts
+++ b/x-pack/test/api_integration/apis/ml/annotations/delete_annotations.ts
@@ -79,10 +79,10 @@ export default ({ getService }: FtrProviderContext) => {
         .delete(`/api/ml/annotations/delete/${annotationIdToDelete}`)
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
 
       await ml.api.waitForAnnotationToExist(annotationIdToDelete);
     });
diff --git a/x-pack/test/api_integration/apis/ml/annotations/get_annotations.ts b/x-pack/test/api_integration/apis/ml/annotations/get_annotations.ts
index b720477abb35..0076ee02ca09 100644
--- a/x-pack/test/api_integration/apis/ml/annotations/get_annotations.ts
+++ b/x-pack/test/api_integration/apis/ml/annotations/get_annotations.ts
@@ -120,10 +120,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
         .send(requestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
     });
   });
 };
diff --git a/x-pack/test/api_integration/apis/ml/annotations/update_annotations.ts b/x-pack/test/api_integration/apis/ml/annotations/update_annotations.ts
index a1e4bcac3180..ebd065733418 100644
--- a/x-pack/test/api_integration/apis/ml/annotations/update_annotations.ts
+++ b/x-pack/test/api_integration/apis/ml/annotations/update_annotations.ts
@@ -124,10 +124,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
         .send(annotationUpdateRequestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
 
       const updatedAnnotation = await ml.api.getAnnotationById(originalAnnotation._id);
       expect(updatedAnnotation).to.eql(originalAnnotation._source);
diff --git a/x-pack/test/api_integration/apis/ml/anomaly_detectors/create.ts b/x-pack/test/api_integration/apis/ml/anomaly_detectors/create.ts
index 8eb4d7f756fe..3e217ea90324 100644
--- a/x-pack/test/api_integration/apis/ml/anomaly_detectors/create.ts
+++ b/x-pack/test/api_integration/apis/ml/anomaly_detectors/create.ts
@@ -87,11 +87,11 @@ export default ({ getService }: FtrProviderContext) => {
         model_plot_config: { enabled: true },
       },
       expected: {
-        responseCode: 404,
+        responseCode: 403,
         responseBody: {
-          statusCode: 404,
-          error: 'Not Found',
-          message: 'Not Found',
+          statusCode: 403,
+          error: 'Forbidden',
+          message: 'Forbidden',
         },
       },
     },
diff --git a/x-pack/test/api_integration/apis/ml/anomaly_detectors/get.ts b/x-pack/test/api_integration/apis/ml/anomaly_detectors/get.ts
index 58202ea9b35b..fa3e440e86c7 100644
--- a/x-pack/test/api_integration/apis/ml/anomaly_detectors/get.ts
+++ b/x-pack/test/api_integration/apis/ml/anomaly_detectors/get.ts
@@ -86,10 +86,10 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/anomaly_detectors`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
 
@@ -124,10 +124,10 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/anomaly_detectors/${jobId}_1`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
 
@@ -157,10 +157,10 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/anomaly_detectors/_stats`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
 
@@ -209,10 +209,10 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/anomaly_detectors/${jobId}_1/_stats`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
   });
diff --git a/x-pack/test/api_integration/apis/ml/calendars/create_calendars.ts b/x-pack/test/api_integration/apis/ml/calendars/create_calendars.ts
index e351eafea6e7..8acc053e13b5 100644
--- a/x-pack/test/api_integration/apis/ml/calendars/create_calendars.ts
+++ b/x-pack/test/api_integration/apis/ml/calendars/create_calendars.ts
@@ -60,10 +60,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
         .send(requestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
       await ml.api.waitForCalendarNotToExist(calendarId);
     });
 
@@ -73,10 +73,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
         .send(requestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
       await ml.api.waitForCalendarNotToExist(calendarId);
     });
   });
diff --git a/x-pack/test/api_integration/apis/ml/calendars/delete_calendars.ts b/x-pack/test/api_integration/apis/ml/calendars/delete_calendars.ts
index 575c7c99dde1..703e33601690 100644
--- a/x-pack/test/api_integration/apis/ml/calendars/delete_calendars.ts
+++ b/x-pack/test/api_integration/apis/ml/calendars/delete_calendars.ts
@@ -56,9 +56,9 @@ export default ({ getService }: FtrProviderContext) => {
         .delete(`/api/ml/calendars/${calendarId}`)
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
       await ml.api.waitForCalendarToExist(calendarId);
     });
 
@@ -67,9 +67,9 @@ export default ({ getService }: FtrProviderContext) => {
         .delete(`/api/ml/calendars/${calendarId}`)
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
       await ml.api.waitForCalendarToExist(calendarId);
     });
 
diff --git a/x-pack/test/api_integration/apis/ml/calendars/get_calendars.ts b/x-pack/test/api_integration/apis/ml/calendars/get_calendars.ts
index a5e65028196f..07a3908fab3f 100644
--- a/x-pack/test/api_integration/apis/ml/calendars/get_calendars.ts
+++ b/x-pack/test/api_integration/apis/ml/calendars/get_calendars.ts
@@ -73,8 +73,8 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/calendars`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
-        expect(body.error).to.eql('Not Found');
+          .expect(403);
+        expect(body.error).to.eql('Forbidden');
       });
     });
 
@@ -126,9 +126,9 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/calendars/${calendarId}`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
       });
     });
 
diff --git a/x-pack/test/api_integration/apis/ml/calendars/update_calendars.ts b/x-pack/test/api_integration/apis/ml/calendars/update_calendars.ts
index 69a8eb3e06ee..385e916a4263 100644
--- a/x-pack/test/api_integration/apis/ml/calendars/update_calendars.ts
+++ b/x-pack/test/api_integration/apis/ml/calendars/update_calendars.ts
@@ -73,13 +73,13 @@ export default ({ getService }: FtrProviderContext) => {
       );
     });
 
-    it('should not allow to update calendar for user without required permission ', async () => {
+    it('should not allow to update calendar for user without required permission', async () => {
       await supertest
         .put(`/api/ml/calendars/${calendarId}`)
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
         .send(updateCalendarRequestBody)
-        .expect(404);
+        .expect(403);
     });
 
     it('should not allow to update calendar for unauthorized user', async () => {
@@ -88,13 +88,13 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
         .send(updateCalendarRequestBody)
-        .expect(404);
+        .expect(403);
     });
 
-    it('should return error if invalid calendarId ', async () => {
+    it('should return error if invalid calendarId', async () => {
       await supertest
         .put(`/api/ml/calendars/calendar_id_dne`)
-        .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
+        .auth(USER.ML_POWERUSER, ml.securityCommon.getPasswordForUser(USER.ML_POWERUSER))
         .set(COMMON_REQUEST_HEADERS)
         .send(updateCalendarRequestBody)
         .expect(404);
diff --git a/x-pack/test/api_integration/apis/ml/data_frame_analytics/delete.ts b/x-pack/test/api_integration/apis/ml/data_frame_analytics/delete.ts
index 53a9d9e790d6..b624ea8561bd 100644
--- a/x-pack/test/api_integration/apis/ml/data_frame_analytics/delete.ts
+++ b/x-pack/test/api_integration/apis/ml/data_frame_analytics/delete.ts
@@ -92,10 +92,10 @@ export default ({ getService }: FtrProviderContext) => {
           .delete(`/api/ml/data_frame/analytics/${analyticsId}`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
         await ml.api.waitForDataFrameAnalyticsJobToExist(analyticsId);
       });
 
@@ -105,10 +105,10 @@ export default ({ getService }: FtrProviderContext) => {
           .delete(`/api/ml/data_frame/analytics/${analyticsId}`)
           .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
         await ml.api.waitForDataFrameAnalyticsJobToExist(analyticsId);
       });
 
diff --git a/x-pack/test/api_integration/apis/ml/data_frame_analytics/get.ts b/x-pack/test/api_integration/apis/ml/data_frame_analytics/get.ts
index ebae5a80c233..a11f8ca3947c 100644
--- a/x-pack/test/api_integration/apis/ml/data_frame_analytics/get.ts
+++ b/x-pack/test/api_integration/apis/ml/data_frame_analytics/get.ts
@@ -109,10 +109,10 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/data_frame/analytics`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
 
@@ -147,10 +147,10 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/data_frame/analytics/${jobId}_1`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
 
@@ -180,10 +180,10 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/data_frame/analytics/_stats`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
 
@@ -230,9 +230,9 @@ export default ({ getService }: FtrProviderContext) => {
           .get(`/api/ml/data_frame/analytics/${jobId}_1/_stats`)
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
-          .expect(404);
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+          .expect(403);
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
       });
     });
   });
diff --git a/x-pack/test/api_integration/apis/ml/data_frame_analytics/update.ts b/x-pack/test/api_integration/apis/ml/data_frame_analytics/update.ts
index 7aa5c180c5a0..252bfd780e0d 100644
--- a/x-pack/test/api_integration/apis/ml/data_frame_analytics/update.ts
+++ b/x-pack/test/api_integration/apis/ml/data_frame_analytics/update.ts
@@ -222,10 +222,10 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
           .set(COMMON_REQUEST_HEADERS)
           .send(requestBody)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
 
         const fetchedJob = await getDFAJob(analyticsId);
         // Description should not have changed
@@ -243,10 +243,10 @@ export default ({ getService }: FtrProviderContext) => {
           .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
           .set(COMMON_REQUEST_HEADERS)
           .send(requestBody)
-          .expect(404);
+          .expect(403);
 
-        expect(body.error).to.eql('Not Found');
-        expect(body.message).to.eql('Not Found');
+        expect(body.error).to.eql('Forbidden');
+        expect(body.message).to.eql('Forbidden');
 
         const fetchedJob = await getDFAJob(analyticsId);
         // Description should not have changed
diff --git a/x-pack/test/api_integration/apis/ml/filters/create_filters.ts b/x-pack/test/api_integration/apis/ml/filters/create_filters.ts
index 598fab2cb7fa..b7d0a54c1cdc 100644
--- a/x-pack/test/api_integration/apis/ml/filters/create_filters.ts
+++ b/x-pack/test/api_integration/apis/ml/filters/create_filters.ts
@@ -38,10 +38,10 @@ export default ({ getService }: FtrProviderContext) => {
         items: ['104.236.210.185'],
       },
       expected: {
-        responseCode: 404,
+        responseCode: 403,
         responseBody: {
-          error: 'Not Found',
-          message: 'Not Found',
+          error: 'Forbidden',
+          message: 'Forbidden',
         },
       },
     },
@@ -54,10 +54,10 @@ export default ({ getService }: FtrProviderContext) => {
         items: ['104.236.210.185'],
       },
       expected: {
-        responseCode: 404,
+        responseCode: 403,
         responseBody: {
-          error: 'Not Found',
-          message: 'Not Found',
+          error: 'Forbidden',
+          message: 'Forbidden',
         },
       },
     },
diff --git a/x-pack/test/api_integration/apis/ml/filters/delete_filters.ts b/x-pack/test/api_integration/apis/ml/filters/delete_filters.ts
index 7a55c2308eb9..cfcdd6055516 100644
--- a/x-pack/test/api_integration/apis/ml/filters/delete_filters.ts
+++ b/x-pack/test/api_integration/apis/ml/filters/delete_filters.ts
@@ -64,9 +64,9 @@ export default ({ getService }: FtrProviderContext) => {
         .delete(`/api/ml/filters/${filterId}`)
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
       await ml.api.waitForFilterToExist(filterId);
     });
 
@@ -76,9 +76,9 @@ export default ({ getService }: FtrProviderContext) => {
         .delete(`/api/ml/filters/${filterId}`)
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
       await ml.api.waitForFilterToExist(filterId);
     });
 
diff --git a/x-pack/test/api_integration/apis/ml/filters/get_filters.ts b/x-pack/test/api_integration/apis/ml/filters/get_filters.ts
index 4a3589634ded..6f0060359739 100644
--- a/x-pack/test/api_integration/apis/ml/filters/get_filters.ts
+++ b/x-pack/test/api_integration/apis/ml/filters/get_filters.ts
@@ -55,9 +55,9 @@ export default ({ getService }: FtrProviderContext) => {
         .get(`/api/ml/filters`)
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+        .expect(403);
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
     });
 
     it(`should not allow to retrieve filters for unauthorized user`, async () => {
@@ -65,10 +65,10 @@ export default ({ getService }: FtrProviderContext) => {
         .get(`/api/ml/filters`)
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
     });
 
     it(`should fetch single filter by id`, async () => {
diff --git a/x-pack/test/api_integration/apis/ml/filters/update_filters.ts b/x-pack/test/api_integration/apis/ml/filters/update_filters.ts
index 6f421ad120b5..8f1b104c5c8b 100644
--- a/x-pack/test/api_integration/apis/ml/filters/update_filters.ts
+++ b/x-pack/test/api_integration/apis/ml/filters/update_filters.ts
@@ -72,10 +72,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
         .send(updateFilterRequestBody)
-        .expect(404);
+        .expect(403);
 
       // response should return not found
-      expect(body.error).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
 
       // and the filter should not be updated
       const response = await ml.api.getFilter(filterId);
@@ -92,9 +92,9 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
         .send(updateFilterRequestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
 
       const response = await ml.api.getFilter(filterId);
       const updatedFilter = response.body.filters[0];
diff --git a/x-pack/test/api_integration/apis/ml/job_validation/cardinality.ts b/x-pack/test/api_integration/apis/ml/job_validation/cardinality.ts
index ddf752bd876c..2e38c5317c38 100644
--- a/x-pack/test/api_integration/apis/ml/job_validation/cardinality.ts
+++ b/x-pack/test/api_integration/apis/ml/job_validation/cardinality.ts
@@ -162,10 +162,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
         .send(requestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
     });
   });
 };
diff --git a/x-pack/test/api_integration/apis/ml/job_validation/validate.ts b/x-pack/test/api_integration/apis/ml/job_validation/validate.ts
index dab69498efc7..01a34f110ed1 100644
--- a/x-pack/test/api_integration/apis/ml/job_validation/validate.ts
+++ b/x-pack/test/api_integration/apis/ml/job_validation/validate.ts
@@ -379,10 +379,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_VIEWER, ml.securityCommon.getPasswordForUser(USER.ML_VIEWER))
         .set(COMMON_REQUEST_HEADERS)
         .send(requestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
     });
   });
 };
diff --git a/x-pack/test/api_integration/apis/ml/jobs/close_jobs.ts b/x-pack/test/api_integration/apis/ml/jobs/close_jobs.ts
index 0b7f9cf927d2..24f145cbf3b5 100644
--- a/x-pack/test/api_integration/apis/ml/jobs/close_jobs.ts
+++ b/x-pack/test/api_integration/apis/ml/jobs/close_jobs.ts
@@ -63,8 +63,8 @@ export default ({ getService }: FtrProviderContext) => {
       },
       // Note that the jobs and datafeeds are loaded async so the actual error message is not deterministic.
       expected: {
-        responseCode: 404,
-        error: 'Not Found',
+        responseCode: 403,
+        error: 'Forbidden',
       },
     },
     {
@@ -75,8 +75,8 @@ export default ({ getService }: FtrProviderContext) => {
       },
       // Note that the jobs and datafeeds are loaded async so the actual error message is not deterministic.
       expected: {
-        responseCode: 404,
-        error: 'Not Found',
+        responseCode: 403,
+        error: 'Forbidden',
       },
     },
   ];
diff --git a/x-pack/test/api_integration/apis/ml/jobs/delete_jobs.ts b/x-pack/test/api_integration/apis/ml/jobs/delete_jobs.ts
index e8f733d2fc6a..00acf89efd1c 100644
--- a/x-pack/test/api_integration/apis/ml/jobs/delete_jobs.ts
+++ b/x-pack/test/api_integration/apis/ml/jobs/delete_jobs.ts
@@ -44,8 +44,8 @@ export default ({ getService }: FtrProviderContext) => {
       },
       // Note that the jobs and datafeeds are loaded async so the actual error message is not deterministic.
       expected: {
-        responseCode: 404,
-        error: 'Not Found',
+        responseCode: 403,
+        error: 'Forbidden',
       },
     },
     {
@@ -56,8 +56,8 @@ export default ({ getService }: FtrProviderContext) => {
       },
       // Note that the jobs and datafeeds are loaded async so the actual error message is not deterministic.
       expected: {
-        responseCode: 404,
-        error: 'Not Found',
+        responseCode: 403,
+        error: 'Forbidden',
       },
     },
   ];
diff --git a/x-pack/test/api_integration/apis/ml/jobs/jobs_exist.ts b/x-pack/test/api_integration/apis/ml/jobs/jobs_exist.ts
index c48376b6a14f..ef660f4eefb0 100644
--- a/x-pack/test/api_integration/apis/ml/jobs/jobs_exist.ts
+++ b/x-pack/test/api_integration/apis/ml/jobs/jobs_exist.ts
@@ -58,8 +58,8 @@ export default ({ getService }: FtrProviderContext) => {
         jobIds: Object.keys(responseBody),
       },
       expected: {
-        responseCode: 404,
-        error: 'Not Found',
+        responseCode: 403,
+        error: 'Forbidden',
       },
     },
   ];
diff --git a/x-pack/test/api_integration/apis/ml/jobs/jobs_summary.ts b/x-pack/test/api_integration/apis/ml/jobs/jobs_summary.ts
index f7ff5b118f6a..f85b73135550 100644
--- a/x-pack/test/api_integration/apis/ml/jobs/jobs_summary.ts
+++ b/x-pack/test/api_integration/apis/ml/jobs/jobs_summary.ts
@@ -160,8 +160,8 @@ export default ({ getService }: FtrProviderContext) => {
       requestBody: {},
       // Note that the jobs and datafeeds are loaded async so the actual error message is not deterministic.
       expected: {
-        responseCode: 404,
-        error: 'Not Found',
+        responseCode: 403,
+        error: 'Forbidden',
       },
     },
   ];
diff --git a/x-pack/test/api_integration/apis/ml/modules/setup_module.ts b/x-pack/test/api_integration/apis/ml/modules/setup_module.ts
index bc7fc691bc60..fcf4c8d0c328 100644
--- a/x-pack/test/api_integration/apis/ml/modules/setup_module.ts
+++ b/x-pack/test/api_integration/apis/ml/modules/setup_module.ts
@@ -481,9 +481,9 @@ export default ({ getService }: FtrProviderContext) => {
         startDatafeed: false,
       },
       expected: {
-        responseCode: 404,
-        error: 'Not Found',
-        message: 'Not Found',
+        responseCode: 403,
+        error: 'Forbidden',
+        message: 'Forbidden',
       },
     },
   ];
diff --git a/x-pack/test/api_integration/apis/ml/results/get_anomalies_table_data.ts b/x-pack/test/api_integration/apis/ml/results/get_anomalies_table_data.ts
index d1d7d2e8d78c..b485dfb15d64 100644
--- a/x-pack/test/api_integration/apis/ml/results/get_anomalies_table_data.ts
+++ b/x-pack/test/api_integration/apis/ml/results/get_anomalies_table_data.ts
@@ -123,10 +123,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
         .send(requestBody)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.eql('Not Found');
-      expect(body.message).to.eql('Not Found');
+      expect(body.error).to.eql('Forbidden');
+      expect(body.message).to.eql('Forbidden');
     });
   });
 };
diff --git a/x-pack/test/api_integration/apis/ml/results/get_categorizer_stats.ts b/x-pack/test/api_integration/apis/ml/results/get_categorizer_stats.ts
index d2a0625cf4e2..bc89ed7b1c9a 100644
--- a/x-pack/test/api_integration/apis/ml/results/get_categorizer_stats.ts
+++ b/x-pack/test/api_integration/apis/ml/results/get_categorizer_stats.ts
@@ -96,10 +96,10 @@ export default ({ getService }: FtrProviderContext) => {
         .get(`/api/ml/results/${jobId}/categorizer_stats`)
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.be('Not Found');
-      expect(body.message).to.be('Not Found');
+      expect(body.error).to.be('Forbidden');
+      expect(body.message).to.be('Forbidden');
     });
 
     it('should fetch all the categorizer stats with per-partition value for job id', async () => {
@@ -139,10 +139,10 @@ export default ({ getService }: FtrProviderContext) => {
         .query({ partitionByValue: 'sample_web_logs' })
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.be('Not Found');
-      expect(body.message).to.be('Not Found');
+      expect(body.error).to.be('Forbidden');
+      expect(body.message).to.be('Forbidden');
     });
   });
 };
diff --git a/x-pack/test/api_integration/apis/ml/results/get_stopped_partitions.ts b/x-pack/test/api_integration/apis/ml/results/get_stopped_partitions.ts
index a46c8861258e..e1954456b46f 100644
--- a/x-pack/test/api_integration/apis/ml/results/get_stopped_partitions.ts
+++ b/x-pack/test/api_integration/apis/ml/results/get_stopped_partitions.ts
@@ -144,10 +144,10 @@ export default ({ getService }: FtrProviderContext) => {
         .auth(USER.ML_UNAUTHORIZED, ml.securityCommon.getPasswordForUser(USER.ML_UNAUTHORIZED))
         .send({ jobIds: [jobId] })
         .set(COMMON_REQUEST_HEADERS)
-        .expect(404);
+        .expect(403);
 
-      expect(body.error).to.be('Not Found');
-      expect(body.message).to.be('Not Found');
+      expect(body.error).to.be('Forbidden');
+      expect(body.message).to.be('Forbidden');
     });
 
     it('should fetch stopped partitions for multiple job ids', async () => {
diff --git a/x-pack/test/api_integration/apis/security_solution/feature_controls.ts b/x-pack/test/api_integration/apis/security_solution/feature_controls.ts
index 06d080e77822..c2dfd28d5c84 100644
--- a/x-pack/test/api_integration/apis/security_solution/feature_controls.ts
+++ b/x-pack/test/api_integration/apis/security_solution/feature_controls.ts
@@ -25,11 +25,11 @@ export default function ({ getService }: FtrProviderContext) {
   const spaces = getService('spaces');
   const clientFactory = getService('securitySolutionGraphQLClientFactory');
 
-  const expectGraphQL404 = (result: any) => {
+  const expectGraphQL403 = (result: any) => {
     expect(result.response).to.be(undefined);
     expect(result.error).not.to.be(undefined);
     expect(result.error).to.have.property('networkError');
-    expect(result.error.networkError).to.have.property('statusCode', 404);
+    expect(result.error.networkError).to.have.property('statusCode', 403);
   };
 
   const expectGraphQLResponse = (result: any) => {
@@ -101,7 +101,7 @@ export default function ({ getService }: FtrProviderContext) {
         });
 
         const graphQLResult = await executeGraphQLQuery(username, password);
-        expectGraphQL404(graphQLResult);
+        expectGraphQL403(graphQLResult);
 
         const graphQLIResult = await executeGraphIQLRequest(username, password);
         expectGraphIQL404(graphQLIResult);
@@ -170,7 +170,7 @@ export default function ({ getService }: FtrProviderContext) {
         });
 
         const graphQLResult = await executeGraphQLQuery(username, password);
-        expectGraphQL404(graphQLResult);
+        expectGraphQL403(graphQLResult);
 
         const graphQLIResult = await executeGraphIQLRequest(username, password);
         expectGraphIQL404(graphQLIResult);
@@ -243,7 +243,7 @@ export default function ({ getService }: FtrProviderContext) {
 
       it(`user_1 can't access APIs in space_2`, async () => {
         const graphQLResult = await executeGraphQLQuery(username, password, space2Id);
-        expectGraphQL404(graphQLResult);
+        expectGraphQL403(graphQLResult);
 
         const graphQLIResult = await executeGraphIQLRequest(username, password, space2Id);
         expectGraphIQL404(graphQLIResult);
diff --git a/x-pack/test/api_integration/apis/uptime/feature_controls.ts b/x-pack/test/api_integration/apis/uptime/feature_controls.ts
index 6c566ec7cb23..c4383b629130 100644
--- a/x-pack/test/api_integration/apis/uptime/feature_controls.ts
+++ b/x-pack/test/api_integration/apis/uptime/feature_controls.ts
@@ -14,10 +14,10 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
   const security = getService('security');
   const spaces = getService('spaces');
 
-  const expect404 = (result: any) => {
+  const expect403 = (result: any) => {
     expect(result.error).to.be(undefined);
     expect(result.response).not.to.be(undefined);
-    expect(result.response).to.have.property('statusCode', 404);
+    expect(result.response).to.have.property('statusCode', 403);
   };
 
   const expectResponse = (result: any) => {
@@ -62,7 +62,7 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
         });
 
         const pingsResult = await executePingsRequest(username, password);
-        expect404(pingsResult);
+        expect403(pingsResult);
       } finally {
         await security.role.delete(roleName);
         await security.user.delete(username);
@@ -137,7 +137,7 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
         });
 
         const pingsResult = await executePingsRequest(username, password);
-        expect404(pingsResult);
+        expect403(pingsResult);
       } finally {
         await security.role.delete(roleName);
         await security.user.delete(username);
@@ -208,7 +208,7 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
 
       it(`user_1 can't access APIs in space_2`, async () => {
         const pingsResult = await executePingsRequest(username, password);
-        expect404(pingsResult);
+        expect403(pingsResult);
       });
     });
   });
diff --git a/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts b/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts
index a2223e556028..a883b0bc116a 100644
--- a/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts
+++ b/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts
@@ -18,9 +18,9 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
   const start = encodeURIComponent(new Date(Date.now() - 10000).toISOString());
   const end = encodeURIComponent(new Date().toISOString());
 
-  const expect404 = (result: any) => {
+  const expect403 = (result: any) => {
     expect(result.error).to.be(undefined);
-    expect(result.response.statusCode).to.be(404);
+    expect(result.response.statusCode).to.be(403);
   };
 
   const expect200 = (result: any) => {
@@ -44,93 +44,93 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
       req: {
         url: `/api/apm/services/foo/errors?start=${start}&end=${end}&uiFilters=%7B%7D&_debug=true`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: { url: `/api/apm/services/foo/errors/bar?start=${start}&end=${end}&uiFilters=%7B%7D` },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/errors/distribution?start=${start}&end=${end}&groupId=bar&uiFilters=%7B%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/errors/distribution?start=${start}&end=${end}&uiFilters=%7B%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/metrics/charts?start=${start}&end=${end}&agentName=cool-agent&uiFilters=%7B%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: { url: `/api/apm/services?start=${start}&end=${end}&uiFilters=%7B%7D` },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: { url: `/api/apm/services/foo/agent_name?start=${start}&end=${end}` },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: { url: `/api/apm/services/foo/transaction_types?start=${start}&end=${end}` },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: { url: `/api/apm/traces?start=${start}&end=${end}&uiFilters=%7B%7D` },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: { url: `/api/apm/traces/foo?start=${start}&end=${end}` },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/transaction_groups?start=${start}&end=${end}&transactionType=bar&uiFilters=%7B%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/transaction_groups/charts?start=${start}&end=${end}&transactionType=bar&uiFilters=%7B%22environment%22%3A%22testing%22%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/transaction_groups/charts?start=${start}&end=${end}&uiFilters=%7B%22environment%22%3A%22testing%22%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/transaction_groups/charts?start=${start}&end=${end}&transactionType=bar&transactionName=baz&uiFilters=%7B%22environment%22%3A%22testing%22%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
       req: {
         url: `/api/apm/services/foo/transaction_groups/distribution?start=${start}&end=${end}&transactionType=bar&transactionName=baz&uiFilters=%7B%7D`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
     {
@@ -139,7 +139,7 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
         url: `/api/apm/settings/agent-configuration/search`,
         body: { service: { name: 'test-service' }, etag: 'abc' },
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
       onExpectationFail: async () => {
         const res = await es.search({
@@ -153,7 +153,7 @@ export default function featureControlsTests({ getService }: FtrProviderContext)
       req: {
         url: `/api/apm/settings/custom_links/transaction`,
       },
-      expectForbidden: expect404,
+      expectForbidden: expect403,
       expectResponse: expect200,
     },
   ];
diff --git a/x-pack/test/apm_api_integration/basic/tests/settings/agent_configuration.ts b/x-pack/test/apm_api_integration/basic/tests/settings/agent_configuration.ts
index a327f492f45f..32a06b8fb880 100644
--- a/x-pack/test/apm_api_integration/basic/tests/settings/agent_configuration.ts
+++ b/x-pack/test/apm_api_integration/basic/tests/settings/agent_configuration.ts
@@ -186,7 +186,7 @@ export default function agentConfigurationTests({ getService }: FtrProviderConte
           // ensure that `createConfiguration` throws
           expect(true).to.be(false);
         } catch (e) {
-          expect(e.res.statusCode).to.be(404);
+          expect(e.res.statusCode).to.be(403);
         }
       });
 
@@ -201,7 +201,7 @@ export default function agentConfigurationTests({ getService }: FtrProviderConte
             // ensure that `updateConfiguration` throws
             expect(true).to.be(false);
           } catch (e) {
-            expect(e.res.statusCode).to.be(404);
+            expect(e.res.statusCode).to.be(403);
           }
         });
 
@@ -212,7 +212,7 @@ export default function agentConfigurationTests({ getService }: FtrProviderConte
             // ensure that `deleteConfiguration` throws
             expect(true).to.be(false);
           } catch (e) {
-            expect(e.res.statusCode).to.be(404);
+            expect(e.res.statusCode).to.be(403);
           }
         });
       });
diff --git a/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/no_access_user.ts b/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/no_access_user.ts
index b178c27467c7..33b7675c92d4 100644
--- a/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/no_access_user.ts
+++ b/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/no_access_user.ts
@@ -26,8 +26,8 @@ export default function apiTest({ getService }: FtrProviderContext) {
       it('returns an error because the user does not have access', async () => {
         const { body } = await getAnomalyDetectionJobs();
 
-        expect(body.statusCode).to.be(404);
-        expect(body.error).to.be('Not Found');
+        expect(body.statusCode).to.be(403);
+        expect(body.error).to.be('Forbidden');
       });
     });
 
@@ -35,8 +35,8 @@ export default function apiTest({ getService }: FtrProviderContext) {
       it('returns an error because the user does not have access', async () => {
         const { body } = await createAnomalyDetectionJobs(['production', 'staging']);
 
-        expect(body.statusCode).to.be(404);
-        expect(body.error).to.be('Not Found');
+        expect(body.statusCode).to.be(403);
+        expect(body.error).to.be('Forbidden');
       });
     });
   });
diff --git a/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/read_user.ts b/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/read_user.ts
index 60d9fcf7f09c..2c8f13ce79f7 100644
--- a/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/read_user.ts
+++ b/x-pack/test/apm_api_integration/basic/tests/settings/anomaly_detection/read_user.ts
@@ -39,8 +39,8 @@ export default function apiTest({ getService }: FtrProviderContext) {
     describe('when calling create endpoint', () => {
       it('returns an error because the user does not have access', async () => {
         const { body } = await createAnomalyDetectionJobs(['production', 'staging']);
-        expect(body.statusCode).to.be(404);
-        expect(body.error).to.be('Not Found');
+        expect(body.statusCode).to.be(403);
+        expect(body.error).to.be('Forbidden');
       });
     });
   });
diff --git a/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/no_access_user.ts b/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/no_access_user.ts
index 8c3ed246adba..b8f93fd35043 100644
--- a/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/no_access_user.ts
+++ b/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/no_access_user.ts
@@ -25,16 +25,16 @@ export default function apiTest({ getService }: FtrProviderContext) {
     describe('when calling the endpoint for listing jobs', () => {
       it('returns an error because the user does not have access', async () => {
         const { body } = await getJobs();
-        expect(body.statusCode).to.be(404);
-        expect(body.error).to.be('Not Found');
+        expect(body.statusCode).to.be(403);
+        expect(body.error).to.be('Forbidden');
       });
     });
 
     describe('when calling create endpoint', () => {
       it('returns an error because the user does not have access', async () => {
         const { body } = await createJobs(['production', 'staging']);
-        expect(body.statusCode).to.be(404);
-        expect(body.error).to.be('Not Found');
+        expect(body.statusCode).to.be(403);
+        expect(body.error).to.be('Forbidden');
       });
     });
   });
diff --git a/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/read_user.ts b/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/read_user.ts
index d158ed847fbb..edb649f501d3 100644
--- a/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/read_user.ts
+++ b/x-pack/test/apm_api_integration/trial/tests/settings/anomaly_detection/read_user.ts
@@ -35,8 +35,8 @@ export default function apiTest({ getService }: FtrProviderContext) {
       it('returns an error because the user does not have access', async () => {
         const { body } = await createJobs(['production', 'staging']);
 
-        expect(body.statusCode).to.be(404);
-        expect(body.error).to.be('Not Found');
+        expect(body.statusCode).to.be(403);
+        expect(body.error).to.be('Forbidden');
       });
     });
   });
diff --git a/x-pack/test/encrypted_saved_objects_api_integration/tests/encrypted_saved_objects_api.ts b/x-pack/test/encrypted_saved_objects_api_integration/tests/encrypted_saved_objects_api.ts
index 637bb7c20224..695b00332cce 100644
--- a/x-pack/test/encrypted_saved_objects_api_integration/tests/encrypted_saved_objects_api.ts
+++ b/x-pack/test/encrypted_saved_objects_api_integration/tests/encrypted_saved_objects_api.ts
@@ -627,7 +627,7 @@ export default function ({ getService }: FtrProviderContext) {
           .set('kbn-xsrf', 'xxx')
           .auth(KIBANA_ADMIN_USERNAME, KIBANA_ADMIN_PASSWORD)
           .send()
-          .expect(404);
+          .expect(403);
       });
 
       // Since this test re-encrypts objects it should always go last in this suite.
diff --git a/x-pack/test/functional/apps/apm/feature_controls/apm_security.ts b/x-pack/test/functional/apps/apm/feature_controls/apm_security.ts
index 3099057f65b8..169188609961 100644
--- a/x-pack/test/functional/apps/apm/feature_controls/apm_security.ts
+++ b/x-pack/test/functional/apps/apm/feature_controls/apm_security.ts
@@ -170,12 +170,12 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks).not.to.contain('APM');
       });
 
-      it(`renders not found page`, async () => {
+      it(`renders no permission page`, async () => {
         await PageObjects.common.navigateToUrl('apm', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/canvas/feature_controls/canvas_security.ts b/x-pack/test/functional/apps/canvas/feature_controls/canvas_security.ts
index e9dffcd6abf6..8cbb4b13dee5 100644
--- a/x-pack/test/functional/apps/canvas/feature_controls/canvas_security.ts
+++ b/x-pack/test/functional/apps/canvas/feature_controls/canvas_security.ts
@@ -9,7 +9,7 @@ import { FtrProviderContext } from '../../../ftr_provider_context';
 export default function ({ getPageObjects, getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const security = getService('security');
-  const PageObjects = getPageObjects(['common', 'canvas', 'security', 'spaceSelector']);
+  const PageObjects = getPageObjects(['common', 'canvas', 'error', 'security', 'spaceSelector']);
   const appsMenu = getService('appsMenu');
   const globalNav = getService('globalNav');
 
@@ -217,34 +217,20 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         await security.user.delete('no_canvas_privileges_user');
       });
 
-      it(`returns a 404`, async () => {
+      it(`returns a 403`, async () => {
         await PageObjects.common.navigateToActualUrl('canvas', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        const messageText = await PageObjects.common.getBodyText();
-        expect(messageText).to.eql(
-          JSON.stringify({
-            statusCode: 404,
-            error: 'Not Found',
-            message: 'Not Found',
-          })
-        );
+        PageObjects.error.expectForbidden();
       });
 
-      it(`create new workpad returns a 404`, async () => {
+      it(`create new workpad returns a 403`, async () => {
         await PageObjects.common.navigateToActualUrl('canvas', 'workpad/create', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        const messageText = await PageObjects.common.getBodyText();
-        expect(messageText).to.eql(
-          JSON.stringify({
-            statusCode: 404,
-            error: 'Not Found',
-            message: 'Not Found',
-          })
-        );
+        PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/canvas/feature_controls/canvas_spaces.ts b/x-pack/test/functional/apps/canvas/feature_controls/canvas_spaces.ts
index 983418b5a97d..53802107cedc 100644
--- a/x-pack/test/functional/apps/canvas/feature_controls/canvas_spaces.ts
+++ b/x-pack/test/functional/apps/canvas/feature_controls/canvas_spaces.ts
@@ -107,7 +107,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
           shouldLoginIfPrompted: false,
         });
 
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
@@ -127,7 +127,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
             shouldLoginIfPrompted: false,
           }
         );
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
diff --git a/x-pack/test/functional/apps/dashboard/feature_controls/dashboard_security.ts b/x-pack/test/functional/apps/dashboard/feature_controls/dashboard_security.ts
index 45b7003d18b0..112a855c6120 100644
--- a/x-pack/test/functional/apps/dashboard/feature_controls/dashboard_security.ts
+++ b/x-pack/test/functional/apps/dashboard/feature_controls/dashboard_security.ts
@@ -532,7 +532,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks.map((navLink: any) => navLink.text)).to.not.contain(['Dashboard']);
       });
 
-      it(`landing page shows 404`, async () => {
+      it(`landing page shows 403`, async () => {
         await PageObjects.common.navigateToActualUrl(
           'dashboard',
           DashboardConstants.LANDING_PAGE_PATH,
@@ -541,10 +541,10 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
             shouldLoginIfPrompted: false,
           }
         );
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
 
-      it(`create new dashboard shows 404`, async () => {
+      it(`create new dashboard shows 403`, async () => {
         await PageObjects.common.navigateToActualUrl(
           'dashboard',
           DashboardConstants.CREATE_NEW_DASHBOARD_URL,
@@ -553,10 +553,10 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
             shouldLoginIfPrompted: false,
           }
         );
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
 
-      it(`edit dashboard for object which doesn't exist shows 404`, async () => {
+      it(`edit dashboard for object which doesn't exist shows 403`, async () => {
         await PageObjects.common.navigateToActualUrl(
           'dashboard',
           createDashboardEditUrl('i-dont-exist'),
@@ -565,10 +565,10 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
             shouldLoginIfPrompted: false,
           }
         );
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
 
-      it(`edit dashboard for object which exists shows 404`, async () => {
+      it(`edit dashboard for object which exists shows 403`, async () => {
         await PageObjects.common.navigateToActualUrl(
           'dashboard',
           createDashboardEditUrl('i-exist'),
@@ -577,7 +577,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
             shouldLoginIfPrompted: false,
           }
         );
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/dev_tools/feature_controls/dev_tools_security.ts b/x-pack/test/functional/apps/dev_tools/feature_controls/dev_tools_security.ts
index 807ba6ded88a..c0c327920fc6 100644
--- a/x-pack/test/functional/apps/dev_tools/feature_controls/dev_tools_security.ts
+++ b/x-pack/test/functional/apps/dev_tools/feature_controls/dev_tools_security.ts
@@ -228,31 +228,31 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks.map((navLink: any) => navLink.text)).to.not.contain(['Dev Tools']);
       });
 
-      it(`navigating to console shows 404`, async () => {
+      it(`navigating to console shows 403`, async () => {
         await PageObjects.common.navigateToUrl('console', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
           useActualUrl: true,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
 
-      it(`navigating to search profiler shows 404`, async () => {
+      it(`navigating to search profiler shows 403`, async () => {
         await PageObjects.common.navigateToUrl('searchProfiler', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
           useActualUrl: true,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
 
-      it(`navigating to grok debugger shows 404`, async () => {
+      it(`navigating to grok debugger shows 403`, async () => {
         await PageObjects.common.navigateToUrl('grokDebugger', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
           useActualUrl: true,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts b/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts
index 93d57068f300..ac98a49fc076 100644
--- a/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts
+++ b/x-pack/test/functional/apps/discover/feature_controls/discover_security.ts
@@ -412,12 +412,12 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         await security.user.delete('no_discover_privileges_user');
       });
 
-      it(`shows 404`, async () => {
+      it(`shows 403`, async () => {
         await PageObjects.common.navigateToUrl('discover', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/graph/feature_controls/graph_security.ts b/x-pack/test/functional/apps/graph/feature_controls/graph_security.ts
index ab398f6ed108..5ffeab2a4f15 100644
--- a/x-pack/test/functional/apps/graph/feature_controls/graph_security.ts
+++ b/x-pack/test/functional/apps/graph/feature_controls/graph_security.ts
@@ -182,13 +182,13 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks).not.to.contain('Graph');
       });
 
-      it(`navigating to app displays a 404`, async () => {
+      it(`navigating to app displays a 403`, async () => {
         await PageObjects.common.navigateToUrl('graph', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
 
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/infra/feature_controls/infrastructure_security.ts b/x-pack/test/functional/apps/infra/feature_controls/infrastructure_security.ts
index 3c471516e9c6..4cafe049fcbc 100644
--- a/x-pack/test/functional/apps/infra/feature_controls/infrastructure_security.ts
+++ b/x-pack/test/functional/apps/infra/feature_controls/infrastructure_security.ts
@@ -11,7 +11,7 @@ const DATE_WITH_DATA = DATES.metricsAndLogs.hosts.withData;
 export default function ({ getPageObjects, getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const security = getService('security');
-  const PageObjects = getPageObjects(['common', 'infraHome', 'security']);
+  const PageObjects = getPageObjects(['common', 'error', 'infraHome', 'security']);
   const testSubjects = getService('testSubjects');
   const appsMenu = getService('appsMenu');
   const globalNav = getService('globalNav');
@@ -423,19 +423,12 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks).to.not.contain(['Metrics']);
       });
 
-      it(`metrics app is inaccessible and returns a 404`, async () => {
+      it(`metrics app is inaccessible and returns a 403`, async () => {
         await PageObjects.common.navigateToActualUrl('infraOps', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        const messageText = await PageObjects.common.getBodyText();
-        expect(messageText).to.eql(
-          JSON.stringify({
-            statusCode: 404,
-            error: 'Not Found',
-            message: 'Not Found',
-          })
-        );
+        PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/infra/feature_controls/infrastructure_spaces.ts b/x-pack/test/functional/apps/infra/feature_controls/infrastructure_spaces.ts
index 1bf8ded69016..f52f60a19968 100644
--- a/x-pack/test/functional/apps/infra/feature_controls/infrastructure_spaces.ts
+++ b/x-pack/test/functional/apps/infra/feature_controls/infrastructure_spaces.ts
@@ -84,7 +84,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
           shouldLoginIfPrompted: false,
           basePath: '/s/custom_space',
         });
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
diff --git a/x-pack/test/functional/apps/infra/feature_controls/logs_security.ts b/x-pack/test/functional/apps/infra/feature_controls/logs_security.ts
index 552e948f56a9..de6353d6b045 100644
--- a/x-pack/test/functional/apps/infra/feature_controls/logs_security.ts
+++ b/x-pack/test/functional/apps/infra/feature_controls/logs_security.ts
@@ -10,7 +10,7 @@ import { FtrProviderContext } from '../../../ftr_provider_context';
 export default function ({ getPageObjects, getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const security = getService('security');
-  const PageObjects = getPageObjects(['common', 'infraHome', 'security']);
+  const PageObjects = getPageObjects(['common', 'error', 'infraHome', 'security']);
   const testSubjects = getService('testSubjects');
   const appsMenu = getService('appsMenu');
   const globalNav = getService('globalNav');
@@ -187,19 +187,12 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks).to.not.contain('Logs');
       });
 
-      it(`logs app is inaccessible and returns a 404`, async () => {
+      it(`logs app is inaccessible and returns a 403`, async () => {
         await PageObjects.common.navigateToActualUrl('infraLogs', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        const messageText = await PageObjects.common.getBodyText();
-        expect(messageText).to.eql(
-          JSON.stringify({
-            statusCode: 404,
-            error: 'Not Found',
-            message: 'Not Found',
-          })
-        );
+        PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/infra/feature_controls/logs_spaces.ts b/x-pack/test/functional/apps/infra/feature_controls/logs_spaces.ts
index ea08307ccedd..fdcbd8f8bf64 100644
--- a/x-pack/test/functional/apps/infra/feature_controls/logs_spaces.ts
+++ b/x-pack/test/functional/apps/infra/feature_controls/logs_spaces.ts
@@ -85,7 +85,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
           shouldLoginIfPrompted: false,
           basePath: '/s/custom_space',
         });
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
diff --git a/x-pack/test/functional/apps/maps/feature_controls/maps_security.ts b/x-pack/test/functional/apps/maps/feature_controls/maps_security.ts
index 6c1015a03d07..b6b38b840677 100644
--- a/x-pack/test/functional/apps/maps/feature_controls/maps_security.ts
+++ b/x-pack/test/functional/apps/maps/feature_controls/maps_security.ts
@@ -9,7 +9,7 @@ import { FtrProviderContext } from '../../../ftr_provider_context';
 export default function ({ getPageObjects, getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const security = getService('security');
-  const PageObjects = getPageObjects(['common', 'settings', 'security', 'maps']);
+  const PageObjects = getPageObjects(['common', 'error', 'maps', 'settings', 'security']);
   const appsMenu = getService('appsMenu');
   const testSubjects = getService('testSubjects');
   const globalNav = getService('globalNav');
@@ -266,19 +266,12 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks).to.not.contain('Maps');
       });
 
-      it(`returns a 404`, async () => {
+      it(`returns a 403`, async () => {
         await PageObjects.common.navigateToActualUrl('maps', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        const messageText = await PageObjects.common.getBodyText();
-        expect(messageText).to.eql(
-          JSON.stringify({
-            statusCode: 404,
-            error: 'Not Found',
-            message: 'Not Found',
-          })
-        );
+        PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/maps/feature_controls/maps_spaces.ts b/x-pack/test/functional/apps/maps/feature_controls/maps_spaces.ts
index 1164e1238df7..11b87469e499 100644
--- a/x-pack/test/functional/apps/maps/feature_controls/maps_spaces.ts
+++ b/x-pack/test/functional/apps/maps/feature_controls/maps_spaces.ts
@@ -84,7 +84,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
diff --git a/x-pack/test/functional/apps/ml/permissions/no_ml_access.ts b/x-pack/test/functional/apps/ml/permissions/no_ml_access.ts
index ab67e567e67a..42b993c51b06 100644
--- a/x-pack/test/functional/apps/ml/permissions/no_ml_access.ts
+++ b/x-pack/test/functional/apps/ml/permissions/no_ml_access.ts
@@ -34,7 +34,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
             ensureCurrentUrl: false,
           });
 
-          await PageObjects.error.expectNotFound();
+          await PageObjects.error.expectForbidden();
         });
 
         it('should not display the ML file data vis link on the Kibana home page', async () => {
diff --git a/x-pack/test/functional/apps/timelion/feature_controls/timelion_security.ts b/x-pack/test/functional/apps/timelion/feature_controls/timelion_security.ts
index e0fc01950ebe..1f71cbf52cf9 100644
--- a/x-pack/test/functional/apps/timelion/feature_controls/timelion_security.ts
+++ b/x-pack/test/functional/apps/timelion/feature_controls/timelion_security.ts
@@ -9,7 +9,14 @@ import { FtrProviderContext } from '../../../ftr_provider_context';
 export default function ({ getPageObjects, getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const security = getService('security');
-  const PageObjects = getPageObjects(['common', 'timelion', 'header', 'security', 'spaceSelector']);
+  const PageObjects = getPageObjects([
+    'common',
+    'error',
+    'header',
+    'security',
+    'spaceSelector',
+    'timelion',
+  ]);
   const appsMenu = getService('appsMenu');
   const globalNav = getService('globalNav');
 
@@ -164,19 +171,12 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         await security.user.delete('no_timelion_privileges_user');
       });
 
-      it(`returns a 404`, async () => {
+      it(`returns a 403`, async () => {
         await PageObjects.common.navigateToActualUrl('timelion', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        const messageText = await PageObjects.common.getBodyText();
-        expect(messageText).to.eql(
-          JSON.stringify({
-            statusCode: 404,
-            error: 'Not Found',
-            message: 'Not Found',
-          })
-        );
+        PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/timelion/feature_controls/timelion_spaces.ts b/x-pack/test/functional/apps/timelion/feature_controls/timelion_spaces.ts
index 3ad666227950..bf6a4f1b9800 100644
--- a/x-pack/test/functional/apps/timelion/feature_controls/timelion_spaces.ts
+++ b/x-pack/test/functional/apps/timelion/feature_controls/timelion_spaces.ts
@@ -80,7 +80,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
           shouldLoginIfPrompted: false,
         });
 
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
@@ -97,7 +97,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
           shouldLoginIfPrompted: false,
         });
 
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
@@ -114,7 +114,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
           shouldLoginIfPrompted: false,
         });
 
-        const messageText = await PageObjects.common.getBodyText();
+        const messageText = await PageObjects.common.getJsonBodyText();
         expect(messageText).to.eql(
           JSON.stringify({
             statusCode: 404,
diff --git a/x-pack/test/functional/apps/uptime/feature_controls/uptime_security.ts b/x-pack/test/functional/apps/uptime/feature_controls/uptime_security.ts
index 6c090cf1bff1..238b08c356db 100644
--- a/x-pack/test/functional/apps/uptime/feature_controls/uptime_security.ts
+++ b/x-pack/test/functional/apps/uptime/feature_controls/uptime_security.ts
@@ -173,12 +173,12 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         expect(navLinks).not.to.contain('Uptime');
       });
 
-      it(`renders not found page`, async () => {
+      it(`renders no permission page`, async () => {
         await PageObjects.common.navigateToUrl('uptime', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts b/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts
index 1bb4ba3bfeb6..aabcc7c12d57 100644
--- a/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts
+++ b/x-pack/test/functional/apps/visualize/feature_controls/visualize_security.ts
@@ -428,20 +428,20 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
         await security.user.delete('no_visualize_privileges_user');
       });
 
-      it(`landing page shows 404`, async () => {
+      it(`landing page shows 403`, async () => {
         await PageObjects.common.navigateToActualUrl('visualize', '', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
 
-      it(`edit page shows 404`, async () => {
+      it(`edit page shows 403`, async () => {
         await PageObjects.common.navigateToActualUrl('visualize', '/edit/i-exist', {
           ensureCurrentUrl: false,
           shouldLoginIfPrompted: false,
         });
-        await PageObjects.error.expectNotFound();
+        await PageObjects.error.expectForbidden();
       });
     });
   });
diff --git a/x-pack/test/functional/page_objects/security_page.ts b/x-pack/test/functional/page_objects/security_page.ts
index 77457ad94cf8..2d9ee00234bb 100644
--- a/x-pack/test/functional/page_objects/security_page.ts
+++ b/x-pack/test/functional/page_objects/security_page.ts
@@ -88,10 +88,10 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider
         if (await find.existsByCssSelector(rawDataTabLocator)) {
           await find.clickByCssSelector(rawDataTabLocator);
         }
-        await PageObjects.error.expectForbidden();
+        await testSubjects.existOrFail('ResetSessionButton');
       });
       log.debug(
-        `Finished login process, found forbidden message. currentUrl = ${await browser.getCurrentUrl()}`
+        `Finished login process, found reset session button message. currentUrl = ${await browser.getCurrentUrl()}`
       );
       return;
     }
diff --git a/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/delete.ts b/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/delete.ts
index 908112643fee..c3b0a3086e35 100644
--- a/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/delete.ts
+++ b/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/delete.ts
@@ -60,12 +60,12 @@ export default function ({ getService }: FtrProviderContext) {
       await esArchiver.unload('fleet/agents');
     });
 
-    it('should return a 404 if user lacks fleet-write permissions', async () => {
+    it('should return a 403 if user lacks fleet-write permissions', async () => {
       const { body: apiResponse } = await supertest
         .delete(`/api/fleet/agents/agent1`)
         .auth(users.fleet_user.username, users.fleet_user.password)
         .set('kbn-xsrf', 'xx')
-        .expect(404);
+        .expect(403);
 
       expect(apiResponse).not.to.eql({
         action: 'deleted',
diff --git a/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/list.ts b/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/list.ts
index e55c570b3293..e4e7b4b6be54 100644
--- a/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/list.ts
+++ b/x-pack/test/ingest_manager_api_integration/apis/fleet/agents/list.ts
@@ -93,7 +93,7 @@ export default function ({ getService }: FtrProviderContext) {
       await supertest
         .get(`/api/fleet/agents`)
         .auth(users.kibana_basic_user.username, users.kibana_basic_user.password)
-        .expect(404);
+        .expect(403);
     });
     it('should return a 400 when given an invalid "kuery" value', async () => {
       await supertest
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
index e10c1905d854..23e717e5c044 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_create.ts
@@ -69,7 +69,7 @@ const createRequest = ({ type, id, initialNamespaces }: BulkCreateTestCase) => (
 });
 
 export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('bulk_create');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('bulk_create');
   const expectResponseBody = (
     testCases: BulkCreateTestCase | BulkCreateTestCase[],
     statusCode: 200 | 403,
@@ -78,7 +78,7 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
     const testCaseArray = Array.isArray(testCases) ? testCases : [testCases];
     if (statusCode === 403) {
       const types = testCaseArray.map((x) => x.type);
-      await expectForbidden(types)(response);
+      await expectSavedObjectForbidden(types)(response);
     } else {
       // permitted
       const savedObjects = response.body.saved_objects;
@@ -177,6 +177,6 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
   return {
     addTests,
     createTestDefinitions,
-    expectForbidden,
+    expectSavedObjectForbidden,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
index 71ece1265347..b85463cbf9c4 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_get.ts
@@ -31,7 +31,7 @@ export const TEST_CASES: Record<string, BulkGetTestCase> = Object.freeze({
 });
 
 export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('bulk_get');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('bulk_get');
   const expectResponseBody = (
     testCases: BulkGetTestCase | BulkGetTestCase[],
     statusCode: 200 | 403
@@ -39,7 +39,7 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
     const testCaseArray = Array.isArray(testCases) ? testCases : [testCases];
     if (statusCode === 403) {
       const types = testCaseArray.map((x) => x.type);
-      await expectForbidden(types)(response);
+      await expectSavedObjectForbidden(types)(response);
     } else {
       // permitted
       const savedObjects = response.body.saved_objects;
@@ -113,6 +113,6 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
   return {
     addTests,
     createTestDefinitions,
-    expectForbidden,
+    expectSavedObjectForbidden,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/bulk_update.ts b/x-pack/test/saved_object_api_integration/common/suites/bulk_update.ts
index c3020b2da321..befd93abd8eb 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/bulk_update.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/bulk_update.ts
@@ -36,7 +36,7 @@ const createRequest = ({ type, id, namespace }: BulkUpdateTestCase) => ({
 });
 
 export function bulkUpdateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('bulk_update');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('bulk_update');
   const expectResponseBody = (
     testCases: BulkUpdateTestCase | BulkUpdateTestCase[],
     statusCode: 200 | 403
@@ -44,7 +44,7 @@ export function bulkUpdateTestSuiteFactory(esArchiver: any, supertest: SuperTest
     const testCaseArray = Array.isArray(testCases) ? testCases : [testCases];
     if (statusCode === 403) {
       const types = testCaseArray.map((x) => x.type);
-      await expectForbidden(types)(response);
+      await expectSavedObjectForbidden(types)(response);
     } else {
       // permitted
       const savedObjects = response.body.saved_objects;
@@ -124,6 +124,6 @@ export function bulkUpdateTestSuiteFactory(esArchiver: any, supertest: SuperTest
   return {
     addTests,
     createTestDefinitions,
-    expectForbidden,
+    expectSavedObjectForbidden,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/create.ts b/x-pack/test/saved_object_api_integration/common/suites/create.ts
index 1b3902be37d7..351b0a37a1e5 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/create.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/create.ts
@@ -69,13 +69,13 @@ const createRequest = ({ type, id, initialNamespaces }: CreateTestCase) => ({
 });
 
 export function createTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('create');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('create');
   const expectResponseBody = (
     testCase: CreateTestCase,
     user?: TestUser
   ): ExpectResponseBody => async (response: Record<string, any>) => {
     if (testCase.failure === 403) {
-      await expectForbidden(testCase.type)(response);
+      await expectSavedObjectForbidden(testCase.type)(response);
     } else {
       // permitted
       const object = response.body;
diff --git a/x-pack/test/saved_object_api_integration/common/suites/delete.ts b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
index 859bb2b7e8fe..ea2d6c7aaa7e 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/delete.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/delete.ts
@@ -32,12 +32,12 @@ export const TEST_CASES: Record<string, DeleteTestCase> = Object.freeze({
 const createRequest = ({ type, id, force }: DeleteTestCase) => ({ type, id, force });
 
 export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('delete');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('delete');
   const expectResponseBody = (testCase: DeleteTestCase): ExpectResponseBody => async (
     response: Record<string, any>
   ) => {
     if (testCase.failure === 403) {
-      await expectForbidden(testCase.type)(response);
+      await expectSavedObjectForbidden(testCase.type)(response);
     } else {
       // permitted
       const object = response.body;
diff --git a/x-pack/test/saved_object_api_integration/common/suites/export.ts b/x-pack/test/saved_object_api_integration/common/suites/export.ts
index a1addda1cdd1..4851a3759072 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/export.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/export.ts
@@ -115,7 +115,7 @@ const getTestTitle = ({ failure, title }: ExportTestCase) =>
 const EMPTY_RESULT = { exportedCount: 0, missingRefCount: 0, missingReferences: [] };
 
 export function exportTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbiddenBulkGet = expectResponses.forbiddenTypes('bulk_get');
+  const expectSavedObjectForbiddenBulkGet = expectResponses.forbiddenTypes('bulk_get');
   const expectResponseBody = (testCase: ExportTestCase): ExpectResponseBody => async (
     response: Record<string, any>
   ) => {
@@ -124,7 +124,7 @@ export function exportTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
       // In export only, the API uses "bulkGet" or "find" depending on the parameters it receives.
       if (failure.statusCode === 403) {
         // "bulkGet" was unauthorized, which returns a forbidden error
-        await expectForbiddenBulkGet(type)(response);
+        await expectSavedObjectForbiddenBulkGet(type)(response);
       } else if (failure.statusCode === 200) {
         // "find" was unauthorized, which returns an empty result
         expect(response.body).not.to.have.property('error');
diff --git a/x-pack/test/saved_object_api_integration/common/suites/get.ts b/x-pack/test/saved_object_api_integration/common/suites/get.ts
index 8d8938b5ee79..dbd750d4a825 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/get.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/get.ts
@@ -24,12 +24,12 @@ const DOES_NOT_EXIST = Object.freeze({ type: 'dashboard', id: 'does-not-exist' }
 export const TEST_CASES: Record<string, GetTestCase> = Object.freeze({ ...CASES, DOES_NOT_EXIST });
 
 export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('get');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('get');
   const expectResponseBody = (testCase: GetTestCase): ExpectResponseBody => async (
     response: Record<string, any>
   ) => {
     if (testCase.failure === 403) {
-      await expectForbidden(testCase.type)(response);
+      await expectSavedObjectForbidden(testCase.type)(response);
     } else {
       // permitted
       const object = response.body;
diff --git a/x-pack/test/saved_object_api_integration/common/suites/import.ts b/x-pack/test/saved_object_api_integration/common/suites/import.ts
index b0d0b4f8a815..f3de6f75b981 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/import.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/import.ts
@@ -71,7 +71,7 @@ const getConflictDest = (id: string) => ({
 });
 
 export function importTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('bulk_create');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('bulk_create');
   const expectResponseBody = (
     testCases: ImportTestCase | ImportTestCase[],
     statusCode: 200 | 403,
@@ -83,7 +83,7 @@ export function importTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
     const testCaseArray = Array.isArray(testCases) ? testCases : [testCases];
     if (statusCode === 403) {
       const types = testCaseArray.map((x) => x.type);
-      await expectForbidden(types)(response);
+      await expectSavedObjectForbidden(types)(response);
     } else {
       // permitted
       const { success, successCount, successResults, errors } = response.body;
@@ -264,6 +264,6 @@ export function importTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
   return {
     addTests,
     createTestDefinitions,
-    expectForbidden,
+    expectSavedObjectForbidden,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/resolve_import_errors.ts b/x-pack/test/saved_object_api_integration/common/suites/resolve_import_errors.ts
index 02fa614ac2b5..1d616cb7e583 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/resolve_import_errors.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/resolve_import_errors.ts
@@ -94,7 +94,7 @@ export function resolveImportErrorsTestSuiteFactory(
   esArchiver: any,
   supertest: SuperTest<any>
 ) {
-  const expectForbidden = expectResponses.forbiddenTypes('bulk_create');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('bulk_create');
   const expectResponseBody = (
     testCases: ResolveImportErrorsTestCase | ResolveImportErrorsTestCase[],
     statusCode: 200 | 403,
@@ -106,7 +106,7 @@ export function resolveImportErrorsTestSuiteFactory(
     const testCaseArray = Array.isArray(testCases) ? testCases : [testCases];
     if (statusCode === 403) {
       const types = testCaseArray.map((x) => x.type);
-      await expectForbidden(types)(response);
+      await expectSavedObjectForbidden(types)(response);
     } else {
       // permitted
       const { success, successCount, successResults, errors } = response.body;
@@ -273,6 +273,6 @@ export function resolveImportErrorsTestSuiteFactory(
   return {
     addTests,
     createTestDefinitions,
-    expectForbidden,
+    expectSavedObjectForbidden,
   };
 }
diff --git a/x-pack/test/saved_object_api_integration/common/suites/update.ts b/x-pack/test/saved_object_api_integration/common/suites/update.ts
index 19921a82b2eb..99752d42c79d 100644
--- a/x-pack/test/saved_object_api_integration/common/suites/update.ts
+++ b/x-pack/test/saved_object_api_integration/common/suites/update.ts
@@ -34,12 +34,12 @@ export const TEST_CASES: Record<string, UpdateTestCase> = Object.freeze({
 });
 
 export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
-  const expectForbidden = expectResponses.forbiddenTypes('update');
+  const expectSavedObjectForbidden = expectResponses.forbiddenTypes('update');
   const expectResponseBody = (testCase: UpdateTestCase): ExpectResponseBody => async (
     response: Record<string, any>
   ) => {
     if (testCase.failure === 403) {
-      await expectForbidden(testCase.type)(response);
+      await expectSavedObjectForbidden(testCase.type)(response);
     } else {
       // permitted
       const object = response.body;
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
index a34bb4b3e78e..a651c946c8ba 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_create.ts
@@ -75,11 +75,11 @@ export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const es = getService('legacyEs');
 
-  const { addTests, createTestDefinitions, expectForbidden } = bulkCreateTestSuiteFactory(
-    es,
-    esArchiver,
-    supertest
-  );
+  const {
+    addTests,
+    createTestDefinitions,
+    expectSavedObjectForbidden,
+  } = bulkCreateTestSuiteFactory(es, esArchiver, supertest);
   const createTests = (overwrite: boolean, spaceId: string, user: TestUser) => {
     const { normalTypes, crossNamespace, hiddenType, allTypes } = createTestCases(
       overwrite,
@@ -97,7 +97,7 @@ export default function ({ getService }: FtrProviderContext) {
         spaceId,
         user,
         singleRequest: true,
-        responseBodyOverride: expectForbidden(['hiddentype']),
+        responseBodyOverride: expectSavedObjectForbidden(['hiddentype']),
       }),
     ].flat();
     return {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
index 4878d9d81dbf..e54d000e15c8 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_get.ts
@@ -47,7 +47,7 @@ export default function ({ getService }: FtrProviderContext) {
   const supertest = getService('supertestWithoutAuth');
   const esArchiver = getService('esArchiver');
 
-  const { addTests, createTestDefinitions, expectForbidden } = bulkGetTestSuiteFactory(
+  const { addTests, createTestDefinitions, expectSavedObjectForbidden } = bulkGetTestSuiteFactory(
     esArchiver,
     supertest
   );
@@ -61,7 +61,7 @@ export default function ({ getService }: FtrProviderContext) {
         createTestDefinitions(hiddenType, true),
         createTestDefinitions(allTypes, true, {
           singleRequest: true,
-          responseBodyOverride: expectForbidden(['hiddentype']),
+          responseBodyOverride: expectSavedObjectForbidden(['hiddentype']),
         }),
       ].flat(),
       superuser: createTestDefinitions(allTypes, false, { singleRequest: true }),
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_update.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_update.ts
index 3f4341de6cfc..a3d6b33e9b82 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_update.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/bulk_update.ts
@@ -59,10 +59,11 @@ export default function ({ getService }: FtrProviderContext) {
   const supertest = getService('supertestWithoutAuth');
   const esArchiver = getService('esArchiver');
 
-  const { addTests, createTestDefinitions, expectForbidden } = bulkUpdateTestSuiteFactory(
-    esArchiver,
-    supertest
-  );
+  const {
+    addTests,
+    createTestDefinitions,
+    expectSavedObjectForbidden,
+  } = bulkUpdateTestSuiteFactory(esArchiver, supertest);
   const createTests = (spaceId: string) => {
     const { normalTypes, hiddenType, allTypes, withObjectNamespaces } = createTestCases(spaceId);
     // use singleRequest to reduce execution time and/or test combined cases
@@ -71,7 +72,7 @@ export default function ({ getService }: FtrProviderContext) {
       createTestDefinitions(hiddenType, true),
       createTestDefinitions(allTypes, true, {
         singleRequest: true,
-        responseBodyOverride: expectForbidden(['hiddentype']),
+        responseBodyOverride: expectSavedObjectForbidden(['hiddentype']),
       }),
     ].flat();
     return {
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/import.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/import.ts
index a319a73c6a98..e7a6e7cfc37d 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/import.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/import.ts
@@ -100,7 +100,7 @@ export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const es = getService('legacyEs');
 
-  const { addTests, createTestDefinitions, expectForbidden } = importTestSuiteFactory(
+  const { addTests, createTestDefinitions, expectSavedObjectForbidden } = importTestSuiteFactory(
     es,
     esArchiver,
     supertest
@@ -118,7 +118,7 @@ export default function ({ getService }: FtrProviderContext) {
             createNewCopies,
             spaceId,
             singleRequest,
-            responseBodyOverride: expectForbidden([
+            responseBodyOverride: expectSavedObjectForbidden([
               'dashboard',
               'globaltype',
               'isolatedtype',
@@ -146,7 +146,11 @@ export default function ({ getService }: FtrProviderContext) {
           overwrite,
           spaceId,
           singleRequest,
-          responseBodyOverride: expectForbidden(['dashboard', 'globaltype', 'isolatedtype']),
+          responseBodyOverride: expectSavedObjectForbidden([
+            'dashboard',
+            'globaltype',
+            'isolatedtype',
+          ]),
         }),
         createTestDefinitions(group2, true, { overwrite, spaceId, singleRequest }),
         createTestDefinitions(group3, true, { overwrite, spaceId, singleRequest }),
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/resolve_import_errors.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/resolve_import_errors.ts
index b0f4f13f268c..e66cd2f5dbc9 100644
--- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/resolve_import_errors.ts
+++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/resolve_import_errors.ts
@@ -88,11 +88,11 @@ export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const es = getService('legacyEs');
 
-  const { addTests, createTestDefinitions, expectForbidden } = resolveImportErrorsTestSuiteFactory(
-    es,
-    esArchiver,
-    supertest
-  );
+  const {
+    addTests,
+    createTestDefinitions,
+    expectSavedObjectForbidden,
+  } = resolveImportErrorsTestSuiteFactory(es, esArchiver, supertest);
   const createTests = (overwrite: boolean, createNewCopies: boolean, spaceId: string) => {
     // use singleRequest to reduce execution time and/or test combined cases
     const singleRequest = true;
@@ -107,7 +107,11 @@ export default function ({ getService }: FtrProviderContext) {
             createNewCopies,
             spaceId,
             singleRequest,
-            responseBodyOverride: expectForbidden(['globaltype', 'isolatedtype', 'sharedtype']),
+            responseBodyOverride: expectSavedObjectForbidden([
+              'globaltype',
+              'isolatedtype',
+              'sharedtype',
+            ]),
           }),
         ].flat(),
         authorized: createTestDefinitions(all, false, { createNewCopies, spaceId, singleRequest }),
@@ -126,7 +130,7 @@ export default function ({ getService }: FtrProviderContext) {
           overwrite,
           spaceId,
           singleRequest,
-          responseBodyOverride: expectForbidden(['globaltype', 'isolatedtype']),
+          responseBodyOverride: expectSavedObjectForbidden(['globaltype', 'isolatedtype']),
         }),
         createTestDefinitions(group2, true, { overwrite, spaceId, singleRequest }),
       ].flat(),
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
index dc340f2c2aa7..a77f861de8c5 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_create.ts
@@ -49,11 +49,11 @@ export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const es = getService('legacyEs');
 
-  const { addTests, createTestDefinitions, expectForbidden } = bulkCreateTestSuiteFactory(
-    es,
-    esArchiver,
-    supertest
-  );
+  const {
+    addTests,
+    createTestDefinitions,
+    expectSavedObjectForbidden,
+  } = bulkCreateTestSuiteFactory(es, esArchiver, supertest);
   const createTests = (overwrite: boolean, user: TestUser) => {
     const { normalTypes, hiddenType, allTypes } = createTestCases(overwrite);
     // use singleRequest to reduce execution time and/or test combined cases
@@ -65,7 +65,7 @@ export default function ({ getService }: FtrProviderContext) {
         createTestDefinitions(allTypes, true, overwrite, {
           user,
           singleRequest: true,
-          responseBodyOverride: expectForbidden(['hiddentype']),
+          responseBodyOverride: expectSavedObjectForbidden(['hiddentype']),
         }),
       ].flat(),
       superuser: createTestDefinitions(allTypes, false, overwrite, { user, singleRequest: true }),
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
index 96eddf1f8bd3..7f6df87cbb6c 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_get.ts
@@ -38,7 +38,7 @@ export default function ({ getService }: FtrProviderContext) {
   const supertest = getService('supertestWithoutAuth');
   const esArchiver = getService('esArchiver');
 
-  const { addTests, createTestDefinitions, expectForbidden } = bulkGetTestSuiteFactory(
+  const { addTests, createTestDefinitions, expectSavedObjectForbidden } = bulkGetTestSuiteFactory(
     esArchiver,
     supertest
   );
@@ -52,7 +52,7 @@ export default function ({ getService }: FtrProviderContext) {
         createTestDefinitions(hiddenType, true),
         createTestDefinitions(allTypes, true, {
           singleRequest: true,
-          responseBodyOverride: expectForbidden(['hiddentype']),
+          responseBodyOverride: expectSavedObjectForbidden(['hiddentype']),
         }),
       ].flat(),
       superuser: createTestDefinitions(allTypes, false, { singleRequest: true }),
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_update.ts b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_update.ts
index 2a19c56f80ce..5523cd46a91a 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/bulk_update.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/bulk_update.ts
@@ -57,10 +57,11 @@ export default function ({ getService }: FtrProviderContext) {
   const supertest = getService('supertestWithoutAuth');
   const esArchiver = getService('esArchiver');
 
-  const { addTests, createTestDefinitions, expectForbidden } = bulkUpdateTestSuiteFactory(
-    esArchiver,
-    supertest
-  );
+  const {
+    addTests,
+    createTestDefinitions,
+    expectSavedObjectForbidden,
+  } = bulkUpdateTestSuiteFactory(esArchiver, supertest);
   const createTests = () => {
     const { normalTypes, hiddenType, allTypes, withObjectNamespaces } = createTestCases();
     // use singleRequest to reduce execution time and/or test combined cases
@@ -74,7 +75,7 @@ export default function ({ getService }: FtrProviderContext) {
         createTestDefinitions(hiddenType, true),
         createTestDefinitions(allTypes, true, {
           singleRequest: true,
-          responseBodyOverride: expectForbidden(['hiddentype']),
+          responseBodyOverride: expectSavedObjectForbidden(['hiddentype']),
         }),
         createTestDefinitions(withObjectNamespaces, false, { singleRequest: true }),
       ].flat(),
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/import.ts b/x-pack/test/saved_object_api_integration/security_only/apis/import.ts
index df763dba6d18..7eb14dd48f94 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/import.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/import.ts
@@ -79,7 +79,7 @@ export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const es = getService('legacyEs');
 
-  const { addTests, createTestDefinitions, expectForbidden } = importTestSuiteFactory(
+  const { addTests, createTestDefinitions, expectSavedObjectForbidden } = importTestSuiteFactory(
     es,
     esArchiver,
     supertest
@@ -97,7 +97,7 @@ export default function ({ getService }: FtrProviderContext) {
           createTestDefinitions(all, true, {
             createNewCopies,
             singleRequest,
-            responseBodyOverride: expectForbidden([
+            responseBodyOverride: expectSavedObjectForbidden([
               'dashboard',
               'globaltype',
               'isolatedtype',
@@ -124,7 +124,11 @@ export default function ({ getService }: FtrProviderContext) {
         createTestDefinitions(group1All, true, {
           overwrite,
           singleRequest,
-          responseBodyOverride: expectForbidden(['dashboard', 'globaltype', 'isolatedtype']),
+          responseBodyOverride: expectSavedObjectForbidden([
+            'dashboard',
+            'globaltype',
+            'isolatedtype',
+          ]),
         }),
         createTestDefinitions(group2, true, { overwrite, singleRequest }),
         createTestDefinitions(group3, true, { overwrite, singleRequest }),
diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/resolve_import_errors.ts b/x-pack/test/saved_object_api_integration/security_only/apis/resolve_import_errors.ts
index 22734e95da0b..30845706a89c 100644
--- a/x-pack/test/saved_object_api_integration/security_only/apis/resolve_import_errors.ts
+++ b/x-pack/test/saved_object_api_integration/security_only/apis/resolve_import_errors.ts
@@ -62,11 +62,11 @@ export default function ({ getService }: FtrProviderContext) {
   const esArchiver = getService('esArchiver');
   const es = getService('legacyEs');
 
-  const { addTests, createTestDefinitions, expectForbidden } = resolveImportErrorsTestSuiteFactory(
-    es,
-    esArchiver,
-    supertest
-  );
+  const {
+    addTests,
+    createTestDefinitions,
+    expectSavedObjectForbidden,
+  } = resolveImportErrorsTestSuiteFactory(es, esArchiver, supertest);
   const createTests = (overwrite: boolean, createNewCopies: boolean) => {
     // use singleRequest to reduce execution time and/or test combined cases
     const singleRequest = true;
@@ -80,7 +80,11 @@ export default function ({ getService }: FtrProviderContext) {
           createTestDefinitions(all, true, {
             createNewCopies,
             singleRequest,
-            responseBodyOverride: expectForbidden(['globaltype', 'isolatedtype', 'sharedtype']),
+            responseBodyOverride: expectSavedObjectForbidden([
+              'globaltype',
+              'isolatedtype',
+              'sharedtype',
+            ]),
           }),
         ].flat(),
         authorized: createTestDefinitions(all, false, { createNewCopies, singleRequest }),
@@ -95,7 +99,7 @@ export default function ({ getService }: FtrProviderContext) {
         createTestDefinitions(group1All, true, {
           overwrite,
           singleRequest,
-          responseBodyOverride: expectForbidden(['globaltype', 'isolatedtype']),
+          responseBodyOverride: expectSavedObjectForbidden(['globaltype', 'isolatedtype']),
         }),
         createTestDefinitions(group2, true, { overwrite, singleRequest }),
       ].flat(),
diff --git a/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts b/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts
index ee7a2fb73165..2039134f68bb 100644
--- a/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/copy_to_space.ts
@@ -124,7 +124,15 @@ export function copyToSpaceTestSuiteFactory(
     });
   };
 
-  const expectNotFoundResponse = async (resp: TestResponse) => {
+  const expectRouteForbiddenResponse = async (resp: TestResponse) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Forbidden',
+    });
+  };
+
+  const expectRouteNotFoundResponse = async (resp: TestResponse) => {
     expect(resp.body).to.eql({
       statusCode: 404,
       error: 'Not Found',
@@ -419,7 +427,7 @@ export function copyToSpaceTestSuiteFactory(
   ) => (overwrite: boolean): CopyToSpaceMultiNamespaceTest[] => {
     // the status code of the HTTP response differs depending on the error type
     // a 403 error actually comes back as an HTTP 200 response
-    const statusCode = outcome === 'noAccess' ? 404 : 200;
+    const statusCode = outcome === 'noAccess' ? 403 : 200;
     const type = 'sharedtype';
     const v4 = new RegExp(/^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i);
     const noConflictId = `${spaceId}_only`;
@@ -428,7 +436,7 @@ export function copyToSpaceTestSuiteFactory(
     const ambiguousConflictId = `conflict_2_${spaceId}`;
 
     const getResult = (response: TestResponse) => (response.body as CopyResponse).space_2;
-    const expectForbiddenResponse = (response: TestResponse) => {
+    const expectSavedObjectForbiddenResponse = (response: TestResponse) => {
       expect(response.body).to.eql({
         space_2: {
           success: false,
@@ -456,10 +464,10 @@ export function copyToSpaceTestSuiteFactory(
             expect(successResults).to.eql([{ type, id: noConflictId, meta, destinationId }]);
             expect(errors).to.be(undefined);
           } else if (outcome === 'noAccess') {
-            expectNotFoundResponse(response);
+            expectRouteForbiddenResponse(response);
           } else {
             // unauthorized read/write
-            expectForbiddenResponse(response);
+            expectSavedObjectForbiddenResponse(response);
           }
         },
       },
@@ -486,10 +494,10 @@ export function copyToSpaceTestSuiteFactory(
               ]);
             }
           } else if (outcome === 'noAccess') {
-            expectNotFoundResponse(response);
+            expectRouteForbiddenResponse(response);
           } else {
             // unauthorized read/write
-            expectForbiddenResponse(response);
+            expectSavedObjectForbiddenResponse(response);
           }
         },
       },
@@ -525,10 +533,10 @@ export function copyToSpaceTestSuiteFactory(
               ]);
             }
           } else if (outcome === 'noAccess') {
-            expectNotFoundResponse(response);
+            expectRouteForbiddenResponse(response);
           } else {
             // unauthorized read/write
-            expectForbiddenResponse(response);
+            expectSavedObjectForbiddenResponse(response);
           }
         },
       },
@@ -561,10 +569,10 @@ export function copyToSpaceTestSuiteFactory(
               },
             ]);
           } else if (outcome === 'noAccess') {
-            expectNotFoundResponse(response);
+            expectRouteForbiddenResponse(response);
           } else {
             // unauthorized read/write
-            expectForbiddenResponse(response);
+            expectSavedObjectForbiddenResponse(response);
           }
         },
       },
@@ -743,7 +751,8 @@ export function copyToSpaceTestSuiteFactory(
     expectNoConflictsForNonExistentSpaceResult,
     createExpectWithConflictsOverwritingResult,
     createExpectWithConflictsWithoutOverwritingResult,
-    expectNotFoundResponse,
+    expectRouteForbiddenResponse,
+    expectRouteNotFoundResponse,
     createExpectUnauthorizedAtSpaceWithReferencesResult,
     createExpectUnauthorizedAtSpaceWithoutReferencesResult,
     createMultiNamespaceTestCases,
diff --git a/x-pack/test/spaces_api_integration/common/suites/resolve_copy_to_space_conflicts.ts b/x-pack/test/spaces_api_integration/common/suites/resolve_copy_to_space_conflicts.ts
index eba7e2033ead..63f5de197644 100644
--- a/x-pack/test/spaces_api_integration/common/suites/resolve_copy_to_space_conflicts.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/resolve_copy_to_space_conflicts.ts
@@ -200,7 +200,15 @@ export function resolveCopyToSpaceConflictsSuite(
     expect(visualization.attributes.title).to.eql(`CTS vis 3 from ${destination} space`);
   };
 
-  const expectNotFoundResponse = async (resp: TestResponse) => {
+  const expectRouteForbiddenResponse = async (resp: TestResponse) => {
+    expect(resp.body).to.eql({
+      statusCode: 403,
+      error: 'Forbidden',
+      message: 'Forbidden',
+    });
+  };
+
+  const expectRouteNotFoundResponse = async (resp: TestResponse) => {
     expect(resp.body).to.eql({
       statusCode: 404,
       error: 'Not Found',
@@ -308,7 +316,7 @@ export function resolveCopyToSpaceConflictsSuite(
   ) => (): ResolveCopyToSpaceMultiNamespaceTest[] => {
     // the status code of the HTTP response differs depending on the error type
     // a 403 error actually comes back as an HTTP 200 response
-    const statusCode = outcome === 'noAccess' ? 404 : 200;
+    const statusCode = outcome === 'noAccess' ? 403 : 200;
     const type = 'sharedtype';
     const exactMatchId = 'each_space';
     const inexactMatchId = `conflict_1_${spaceId}`;
@@ -316,7 +324,7 @@ export function resolveCopyToSpaceConflictsSuite(
 
     const createRetries = (overwriteRetry: Record<string, any>) => ({ space_2: [overwriteRetry] });
     const getResult = (response: TestResponse) => (response.body as CopyResponse).space_2;
-    const expectForbiddenResponse = (response: TestResponse) => {
+    const expectSavedObjectForbiddenResponse = (response: TestResponse) => {
       expect(response.body).to.eql({
         space_2: {
           success: false,
@@ -327,7 +335,11 @@ export function resolveCopyToSpaceConflictsSuite(
         },
       });
     };
-    const expectSuccessResponse = (response: TestResponse, id: string, destinationId?: string) => {
+    const expectSavedObjectSuccessResponse = (
+      response: TestResponse,
+      id: string,
+      destinationId?: string
+    ) => {
       const { success, successCount, successResults, errors } = getResult(response);
       expect(success).to.eql(true);
       expect(successCount).to.eql(1);
@@ -350,12 +362,12 @@ export function resolveCopyToSpaceConflictsSuite(
         statusCode,
         response: async (response: TestResponse) => {
           if (outcome === 'authorized') {
-            expectSuccessResponse(response, exactMatchId);
+            expectSavedObjectSuccessResponse(response, exactMatchId);
           } else if (outcome === 'noAccess') {
-            expectNotFoundResponse(response);
+            expectRouteForbiddenResponse(response);
           } else {
             // unauthorized read/write
-            expectForbiddenResponse(response);
+            expectSavedObjectForbiddenResponse(response);
           }
         },
       },
@@ -371,12 +383,12 @@ export function resolveCopyToSpaceConflictsSuite(
         statusCode,
         response: async (response: TestResponse) => {
           if (outcome === 'authorized') {
-            expectSuccessResponse(response, inexactMatchId, 'conflict_1_space_2');
+            expectSavedObjectSuccessResponse(response, inexactMatchId, 'conflict_1_space_2');
           } else if (outcome === 'noAccess') {
-            expectNotFoundResponse(response);
+            expectRouteForbiddenResponse(response);
           } else {
             // unauthorized read/write
-            expectForbiddenResponse(response);
+            expectSavedObjectForbiddenResponse(response);
           }
         },
       },
@@ -392,12 +404,12 @@ export function resolveCopyToSpaceConflictsSuite(
         statusCode,
         response: async (response: TestResponse) => {
           if (outcome === 'authorized') {
-            expectSuccessResponse(response, ambiguousConflictId, 'conflict_2_space_2');
+            expectSavedObjectSuccessResponse(response, ambiguousConflictId, 'conflict_2_space_2');
           } else if (outcome === 'noAccess') {
-            expectNotFoundResponse(response);
+            expectRouteForbiddenResponse(response);
           } else {
             // unauthorized read/write
-            expectForbiddenResponse(response);
+            expectSavedObjectForbiddenResponse(response);
           }
         },
       },
@@ -523,7 +535,8 @@ export function resolveCopyToSpaceConflictsSuite(
 
   return {
     resolveCopyToSpaceConflictsTest,
-    expectNotFoundResponse,
+    expectRouteForbiddenResponse,
+    expectRouteNotFoundResponse,
     createExpectOverriddenResponseWithReferences,
     createExpectOverriddenResponseWithoutReferences,
     createExpectNonOverriddenResponseWithReferences,
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/copy_to_space.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/copy_to_space.ts
index 0f1c27098af9..101b6990dac0 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/copy_to_space.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/copy_to_space.ts
@@ -24,7 +24,7 @@ export default function copyToSpaceSpacesAndSecuritySuite({ getService }: TestIn
     createExpectWithConflictsWithoutOverwritingResult,
     createExpectUnauthorizedAtSpaceWithReferencesResult,
     createExpectUnauthorizedAtSpaceWithoutReferencesResult,
-    expectNotFoundResponse,
+    expectRouteForbiddenResponse,
     createMultiNamespaceTestCases,
   } = copyToSpaceTestSuiteFactory(es, esArchiver, supertestWithoutAuth);
 
@@ -61,16 +61,19 @@ export default function copyToSpaceSpacesAndSecuritySuite({ getService }: TestIn
         spaceId,
         user,
         tests: {
-          noConflictsWithoutReferences: { statusCode: 404, response: expectNotFoundResponse },
-          noConflictsWithReferences: { statusCode: 404, response: expectNotFoundResponse },
-          withConflictsOverwriting: { statusCode: 404, response: expectNotFoundResponse },
-          withConflictsWithoutOverwriting: { statusCode: 404, response: expectNotFoundResponse },
-          multipleSpaces: {
-            statusCode: 404,
-            withConflictsResponse: expectNotFoundResponse,
-            noConflictsResponse: expectNotFoundResponse,
+          noConflictsWithoutReferences: { statusCode: 403, response: expectRouteForbiddenResponse },
+          noConflictsWithReferences: { statusCode: 403, response: expectRouteForbiddenResponse },
+          withConflictsOverwriting: { statusCode: 403, response: expectRouteForbiddenResponse },
+          withConflictsWithoutOverwriting: {
+            statusCode: 403,
+            response: expectRouteForbiddenResponse,
           },
-          nonExistentSpace: { statusCode: 404, response: expectNotFoundResponse },
+          multipleSpaces: {
+            statusCode: 403,
+            withConflictsResponse: expectRouteForbiddenResponse,
+            noConflictsResponse: expectRouteForbiddenResponse,
+          },
+          nonExistentSpace: { statusCode: 403, response: expectRouteForbiddenResponse },
           multiNamespaceTestCases: createMultiNamespaceTestCases(spaceId, 'noAccess'),
         },
       });
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/resolve_copy_to_space_conflicts.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/resolve_copy_to_space_conflicts.ts
index b81f2965eba2..f04cfe876875 100644
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/resolve_copy_to_space_conflicts.ts
+++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/resolve_copy_to_space_conflicts.ts
@@ -21,7 +21,7 @@ export default function resolveCopyToSpaceConflictsTestSuite({ getService }: Tes
     createExpectNonOverriddenResponseWithoutReferences,
     createExpectOverriddenResponseWithReferences,
     createExpectOverriddenResponseWithoutReferences,
-    expectNotFoundResponse,
+    expectRouteForbiddenResponse,
     createExpectUnauthorizedAtSpaceWithReferencesResult,
     createExpectReadonlyAtSpaceWithReferencesResult,
     createExpectUnauthorizedAtSpaceWithoutReferencesResult,
@@ -63,24 +63,24 @@ export default function resolveCopyToSpaceConflictsTestSuite({ getService }: Tes
         user,
         tests: {
           withReferencesNotOverwriting: {
-            statusCode: 404,
-            response: expectNotFoundResponse,
+            statusCode: 403,
+            response: expectRouteForbiddenResponse,
           },
           withReferencesOverwriting: {
-            statusCode: 404,
-            response: expectNotFoundResponse,
+            statusCode: 403,
+            response: expectRouteForbiddenResponse,
           },
           withoutReferencesOverwriting: {
-            statusCode: 404,
-            response: expectNotFoundResponse,
+            statusCode: 403,
+            response: expectRouteForbiddenResponse,
           },
           withoutReferencesNotOverwriting: {
-            statusCode: 404,
-            response: expectNotFoundResponse,
+            statusCode: 403,
+            response: expectRouteForbiddenResponse,
           },
           nonExistentSpace: {
-            statusCode: 404,
-            response: expectNotFoundResponse,
+            statusCode: 403,
+            response: expectRouteForbiddenResponse,
           },
           multiNamespaceTestCases: createMultiNamespaceTestCases(spaceId, 'noAccess'),
         },