diff --git a/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java b/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java
index 8e89b60712..c8cc6885d2 100644
--- a/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java
+++ b/src/main/java/org/opensearch/security/configuration/SystemIndexSearcherWrapper.java
@@ -167,7 +167,7 @@ protected final boolean isBlockedSystemIndexRequest() {
             }
             final TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
             final Set<String> mappedRoles = evaluator.mapRoles(user, caller);
-            final SecurityRoles securityRoles = evaluator.getSecurityRoles(mappedRoles);
+            final SecurityRoles securityRoles = evaluator.filterSecurityRolesFromCache(mappedRoles);
             return !securityRoles.isPermittedOnSystemIndex(index.getName());
         }
         return true;
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
index 195f819f7b..1d904fc5bb 100644
--- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -194,7 +194,22 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
         this.dcm = dcm;
     }
 
-    public SecurityRoles getSecurityRoles(Set<String> roles) {
+    public SecurityRoles getSecurityRoles(User user, Set<String> roles) {
+        SecurityRoles securityRoles;
+        if (user.isPluginUser()) {
+            securityRoles = getSecurityRoleForPlugin(user.getName());
+        } else {
+            securityRoles = filterSecurityRolesFromCache(roles);
+
+            // Add the security roles for this user so that they can be used for DLS parameter substitution.
+            user.addSecurityRoles(roles);
+            setUserInfoInThreadContext(user);
+        }
+
+        return securityRoles;
+    }
+
+    public SecurityRoles filterSecurityRolesFromCache(Set<String> roles) {
         return configModel.getSecurityRoles().filter(roles);
     }
 
@@ -214,7 +229,7 @@ public boolean hasRestAdminPermissions(final User user, final TransportAddress r
     }
 
     private boolean hasRestAdminPermissions(final Set<String> roles, String permission) {
-        final SecurityRoles securityRoles = getSecurityRoles(roles);
+        final SecurityRoles securityRoles = filterSecurityRolesFromCache(roles);
         return securityRoles.hasExplicitClusterPermissionPermission(permission);
     }
 
@@ -294,16 +309,7 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context)
             context.setMappedRoles(mappedRoles);
         }
         presponse.resolvedSecurityRoles.addAll(mappedRoles);
-        final SecurityRoles securityRoles;
-        if (user.isPluginUser()) {
-            securityRoles = getSecurityRoleForPlugin(user.getName());
-        } else {
-            securityRoles = getSecurityRoles(mappedRoles);
-        }
-
-        // Add the security roles for this user so that they can be used for DLS parameter substitution.
-        user.addSecurityRoles(mappedRoles);
-        setUserInfoInThreadContext(user);
+        final SecurityRoles securityRoles = getSecurityRoles(user, mappedRoles);
 
         final boolean isDebugEnabled = log.isDebugEnabled();
         if (isDebugEnabled) {