diff --git a/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/complete_with_endpoint_roles.cy.ts b/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/complete_with_endpoint_roles.cy.ts
index 6b54dab96857..30247aae8201 100644
--- a/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/complete_with_endpoint_roles.cy.ts
+++ b/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/complete_with_endpoint_roles.cy.ts
@@ -13,6 +13,7 @@ import {
 EndpointArtifactPageId,
 ensureArtifactPageAuthzAccess,
 ensureEndpointListPageAuthzAccess,
+ ensurePolicyListPageAuthzAccess,
 getArtifactListEmptyStateAddButton,
 getEndpointManagementPageList,
 getEndpointManagementPageMap,
@@ -31,6 +32,7 @@ import {
 getConsoleHelpPanelResponseActionTestSubj,
 openConsoleHelpPanel,
 } from '../../../screens/endpoint_management/response_console';
+import { ensurePolicyDetailsPageAuthzAccess } from '../../../screens/endpoint_management/policy_details';

 describe(
 'User Roles for Security Complete PLI with Endpoint Complete addon',
@@ -132,6 +134,11 @@ describe(
 ensureEndpointListPageAuthzAccess('all', true);
 });

+ it('should have read access to Endpoint Policy Management', () => {
+ ensurePolicyListPageAuthzAccess('read', true);
+ ensurePolicyDetailsPageAuthzAccess(loadedEndpoints.integrationPolicies[0].id, 'read', true);
+ });
+
 for (const { title, id } of artifactPagesFullAccess) {
 it(`should have CRUD access to: ${title}`, () => {
 ensureArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);
diff --git a/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/essentials_with_endpoint.roles.cy.ts b/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/essentials_with_endpoint.roles.cy.ts
index 0f46da5baa72..95f30254e7fb 100644
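Review bot: `loadedEndpoints.integrationPolicies[0].id` in the new 'should have read access to Endpoint Policy Management' test is dereferenced without checking that any integration policy was loaded, so an empty fixture surfaces as a TypeError rather than as a clear authorization result; how `loadedEndpoints` is populated is outside this hunk. The same expression is added in both test hunks of essentials_with_endpoint.roles.cy.ts (the 'read' and the 'all' case). Consider asserting the precondition first, e.g. `expect(loadedEndpoints.integrationPolicies).to.not.be.empty;`, or resolving the policy id once in the suite setup so the three tests share it. The enclosing describe block starts and ends outside the hunk.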
--- a/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/essentials_with_endpoint.roles.cy.ts
+++ b/x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/essentials_with_endpoint.roles.cy.ts
@@ -23,6 +23,7 @@ import {
 visitFleetAgentList,
 } from '../../../screens';
 import { ServerlessRoleName } from '../../../../../../../shared/lib';
+import { ensurePolicyDetailsPageAuthzAccess } from '../../../screens/endpoint_management/policy_details';

 describe(
 'Roles for Security Essential PLI with Endpoint Essentials addon',
@@ -98,6 +99,7 @@ describe(

 it('should have read access to Endpoint Policy Management', () => {
 ensurePolicyListPageAuthzAccess('read', true);
+ ensurePolicyDetailsPageAuthzAccess(loadedEndpoints.integrationPolicies[0].id, 'read', true);
 });

 for (const { title, id } of artifactPagesFullAccess) {
@@ -173,6 +175,7 @@ describe(

 it('should have access to policy management', () => {
 ensurePolicyListPageAuthzAccess('all', true);
+ ensurePolicyDetailsPageAuthzAccess(loadedEndpoints.integrationPolicies[0].id, 'all', true);
 });

 it(`should NOT have access to Host Isolation Exceptions`, () => {
diff --git a/x-pack/test_serverless/functional/test_suites/security/cypress/screens/endpoint_management/policy_details.ts b/x-pack/test_serverless/functional/test_suites/security/cypress/screens/endpoint_management/policy_details.ts
index 2ba5de32cbab..fd8fb40f2ac1 100644
--- a/x-pack/test_serverless/functional/test_suites/security/cypress/screens/endpoint_management/policy_details.ts
+++ b/x-pack/test_serverless/functional/test_suites/security/cypress/screens/endpoint_management/policy_details.ts
@@ -6,7 +6,29 @@
 */

 import { APP_POLICIES_PATH } from '@kbn/security-solution-plugin/common/constants';
+import { UserAuthzAccessLevel } from './types';
+import { getNoPrivilegesPage } from './common';

 export const visitPolicyDetails = (policyId: string): Cypress.Chainable => {
 return cy.visit(`${APP_POLICIES_PATH}/${policyId}`);
 };
+
+export const ensurePolicyDetailsPageAuthzAccess = (
+ policyId: string,
+ accessLevel: UserAuthzAccessLevel,
+ visitPage: boolean = false
+): Cypress.Chainable => {
+ if (visitPage) {
+ visitPolicyDetails(policyId);
+ }
+
+ if (accessLevel === 'none') {
+ return getNoPrivilegesPage().should('exist');
+ }
+
+ if (accessLevel === 'read') {
+ return cy.getByTestSubj('policyDetailsSaveButton').should('not.exist');
+ }
+
+ return cy.getByTestSubj('policyDetailsSaveButton').should('exist');
+};
diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
index eff113dee5ac..8c866d0a5a7b 100644
--- a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
+++ b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
@@ -165,7 +165,7 @@ t3_analyst:
 - event_filters_all
 - host_isolation_exceptions_all
 - blocklist_all
- - policy_management_all # Elastic Defend Policy Management
+ - policy_management_read # Elastic Defend Policy Management
 - host_isolation_all
 - process_operations_all
 - actions_log_management_all # Response actions history
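Review bot: In `ensurePolicyDetailsPageAuthzAccess` (policy_details.ts) the 'read' branch asserts only that `policyDetailsSaveButton` is absent, which is equally true on the no-privileges page or before the policy form has rendered, so the check cannot tell 'read' from 'none' and a role that lost all access would still pass. Put a positive condition ahead of it, for example `getNoPrivilegesPage().should('not.exist');` followed by an existence check on a policy-details element such as `cy.getByTestSubj('<POLICY_DETAILS_FORM_TEST_SUBJ>').should('exist');` (placeholder for whichever test subject the page exposes). This helper only shows that the UI hides the save control; whether a write by a read-only role is rejected server-side is not exercised here and is presumably covered by API-level tests, which is worth confirming for the `policy_management_read` change to `t3_analyst`. A one-line TSDoc on the helper stating what each access level asserts would also help readers of the role suites.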