diff --git a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java
index 4a667ed629c63..a521a6f50cec7 100644
--- a/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java
+++ b/x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java
@@ -930,7 +930,7 @@ public void testCreateCrossClusterApiKey() throws IOException {
                     XContentTestUtils.convertToMap(
                         new RoleDescriptor(
                             "cross_cluster",
-                            new String[] { "cross_cluster_search", "cross_cluster_replication" },
+                            new String[] { "cross_cluster_search", "monitor_enrich", "cross_cluster_replication" },
                             new RoleDescriptor.IndicesPrivileges[] {
                                 RoleDescriptor.IndicesPrivileges.builder()
                                     .indices("metrics")
@@ -1126,7 +1126,7 @@ public void testUpdateCrossClusterApiKey() throws IOException {
         assertThat(updateResponse1.evaluate("updated"), is(true));
         final RoleDescriptor updatedRoleDescriptor1 = new RoleDescriptor(
             "cross_cluster",
-            new String[] { "cross_cluster_search", "cross_cluster_replication" },
+            new String[] { "cross_cluster_search", "monitor_enrich", "cross_cluster_replication" },
             new RoleDescriptor.IndicesPrivileges[] {
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("data")
@@ -1199,7 +1199,7 @@ public void testUpdateCrossClusterApiKey() throws IOException {
         final ObjectPath fetchResponse3 = fetchCrossClusterApiKeyById(apiKeyId);
         final RoleDescriptor updatedRoleDescriptors2 = new RoleDescriptor(
             "cross_cluster",
-            new String[] { "cross_cluster_search" },
+            new String[] { "cross_cluster_search", "monitor_enrich" },
             new RoleDescriptor.IndicesPrivileges[] {
                 RoleDescriptor.IndicesPrivileges.builder()
                     .indices("blogs")
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java
index ae3a09af4751d..c6ed025d43efc 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java
@@ -116,11 +116,11 @@ public String remoteActionDenied(
             String action,
             String clusterAlias
         ) {
-            assert isIndexAction(action);
             String userText = successfulAuthenticationDescription(authentication, authorizationInfo);
             String remoteClusterText = remoteClusterText(clusterAlias);
-            return actionIsUnauthorizedMessage(action, remoteClusterText, userText)
-                + " because no remote indices privileges apply for the target cluster";
+            String message = isIndexAction(action) ? " because no remote indices privileges apply for the target cluster"
+                : " because no remote cluster privileges apply for the target cluster";
+            return actionIsUnauthorizedMessage(action, remoteClusterText, userText) + message;
         }
 
         protected Collection<String> findClusterPrivilegesThatGrant(