diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index b48f84b90..a89f93eea 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -252,6 +252,7 @@ lookup_salt_value() {
   key=$1
   group=$2
   kind=$3
+  output=${4:-newline_values_only}

   if [ -z "$kind" ]; then
     kind=pillar
@@ -261,7 +262,7 @@ lookup_salt_value() {
     group=${group}:
   fi
-  salt-call --no-color ${kind}.get ${group}${key} --out=newline_values_only
+  salt-call --no-color ${kind}.get ${group}${key} --out=${output}
 }

 lookup_pillar() {
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 1ff637d23..cc3a0756c 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
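Review bot: `output=${4:-newline_values_only}` is expanded unquoted in `--out=${output}` in the second hunk, so a fourth argument containing whitespace or a glob character would be word-split into extra salt-call arguments, and like key/group/kind the new variable is not `local`, so it leaks into the caller's scope. Suggest `local output=${4:-newline_values_only}` and `--out="${output}"`. The new parameter also deserves a one-line comment above the assignment, e.g. `# $4: salt outputter name (default newline_values_only); other outputters change the shape of the result` — the so-user hunk in this commit reads the json form via `.local.users…`, which suggests json output is wrapped under a "local" key, but confirm that before documenting it. lookup_salt_value begins before the first hunk.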
@@ -136,39 +136,82 @@ function createElasticTmpFile() {
   echo "$tmpFile"
 }

+function syncElasticSystemUser() {
+  json=$1
+  userid=$2
+  usersFile=$3
+
+  user=$(echo "$json" | jq -r ".local.users.$userid.user")
+  pass=$(echo "$json" | jq -r ".local.users.$userid.pass")
+
+  [[ -z "$user" || -z "$pass" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
+  hash=$(hashPassword "$pass")
+
+  echo "${user}:${hash}" >> "$usersFile"
+}
+
+function syncElasticSystemRole() {
+  json=$1
+  userid=$2
+  role=$3
+  rolesFile=$4
+
+  user=$(echo "$json" | jq -r ".local.users.$userid.user")
+
+  [[ -z "$user" ]] && fail "Elastic auth credentials for system user '$userid' are missing"
+
+  echo "${role}:${user}" >> "$rolesFile"
+}
+
 function syncElastic() {
   usersFileTmp=$(createElasticTmpFile "${elasticUsersFile}")
   rolesFileTmp=$(createElasticTmpFile "${elasticRolesFile}")

-  sysUser=$(lookup_pillar "auth:user" "elasticsearch")
-  sysPass=$(lookup_pillar "auth:pass" "elasticsearch")
-  [[ -z "$sysUser" || -z "$sysPass" ]] && fail "Elastic auth credentials for system user are missing"
-  sysHash=$(hashPassword "$sysPass")
+  authPillarJson=$(lookup_salt_value "auth" "elasticsearch" "pillar" "json")

-  # Generate the new users file
-  echo "${sysUser}:${sysHash}" >> "$usersFileTmp"
-  echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
-    "from identity_credential_identifiers ici, identity_credentials ic " \
-    "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
-    "order by ici.identifier;" | \
-    sqlite3 "$databasePath" | \
-    jq -r '.user + ":" + .data.hashed_password' \
-    >> "$usersFileTmp"
-  [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
-  mv -f "$usersFileTmp" "$elasticUsersFile"
-  [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
+  syncElasticSystemUser "$authPillarJson" "so_elastic_user" "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_elastic_user" "superuser" "$rolesFileTmp"

-  # Generate the new users_roles file
-  echo "superuser:${sysUser}" >> "$rolesFileTmp"
-  echo "select 'superuser:' || ici.identifier " \
-    "from identity_credential_identifiers ici, identity_credentials ic " \
-    "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
-    "order by ici.identifier;" | \
-    sqlite3 "$databasePath" \
-    >> "$rolesFileTmp"
-  [[ $? != 0 ]] && fail "Unable to read credential IDs from database"
-  mv -f "$rolesFileTmp" "$elasticRolesFile"
-  [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile"
+  syncElasticSystemUser "$authPillarJson" "so_kibana_user" "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_kibana_user" "kibana_system" "$rolesFileTmp"
+
+  syncElasticSystemUser "$authPillarJson" "so_logstash_user" "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_logstash_user" "logstash_system" "$rolesFileTmp"
+
+  syncElasticSystemUser "$authPillarJson" "so_beats_user" "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_beats_user" "beats_system" "$rolesFileTmp"
+
+  syncElasticSystemUser "$authPillarJson" "so_monitor_user" "$usersFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_collector" "$rolesFileTmp"
+  syncElasticSystemRole "$authPillarJson" "so_monitor_user" "remote_monitoring_agent" "$rolesFileTmp"
+
+  if [[ -f "$databasePath" ]]; then
+    # Generate the new users file
+    echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
+      "from identity_credential_identifiers ici, identity_credentials ic " \
+      "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
+      "order by ici.identifier;" | \
+      sqlite3 "$databasePath" | \
+      jq -r '.user + ":" + .data.hashed_password' \
+      >> "$usersFileTmp"
+    [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
+    mv -f "$usersFileTmp" "$elasticUsersFile"
+    [[ $? != 0 ]] && fail "Unable to create users file: $elasticUsersFile"
+
+    # Generate the new users_roles file
+
+    echo "select 'superuser:' || ici.identifier " \
+      "from identity_credential_identifiers ici, identity_credentials ic " \
+      "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \
+      "order by ici.identifier;" | \
+      sqlite3 "$databasePath" \
+      >> "$rolesFileTmp"
+    [[ $? != 0 ]] && fail "Unable to read credential IDs from database"
+    mv -f "$rolesFileTmp" "$elasticRolesFile"
+    [[ $? != 0 ]] && fail "Unable to create users file: $elasticRolesFile"
+  else
+    info "Database file does not exist yet, skipping users export"
+  fi
 }

 function syncAll() {
diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml
index fed45bf79..de6b99000 100644
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -30,11 +30,13 @@ xpack.security.http.ssl.client_authentication: none
 xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch.key
 xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.crt
 xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca.crt
+{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 xpack.security.authc:
   anonymous:
     username: anonymous_user
     roles: superuser
     authz_exception: true
+{% endif %}
 node.name: {{ grains.host }}
 script.max_compilations_rate: 1000/1m
 {%- if TRUECLUSTER is sameas true %}
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 4d5ce4921..86d7623d0 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
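Review bot: In syncElastic the two `mv -f` calls that install `$usersFileTmp` and `$rolesFileTmp` now sit inside `if [[ -f "$databasePath" ]]`, so on the branch that logs "Database file does not exist yet" the system users and roles appended just above never reach `$elasticUsersFile`/`$elasticRolesFile` and the two temp files are left behind; the message reads as if only the database export should be skipped, so the moves belong after `fi`. Separately, `jq -r` prints the literal string `null` for a missing key, so the `-z` checks in syncElasticSystemUser and syncElasticSystemRole do not fire for a pillar entry that is absent and a `null:<hash>` line (or the hash of the string "null") is written instead of failing; `--arg` with `// empty` fixes that and also stops `$userid` being spliced into the jq filter text: `user=$(jq -r --arg id "$userid" '.local.users[$id].user // empty' <<<"$json")` and `pass=$(jq -r --arg id "$userid" '.local.users[$id].pass // empty' <<<"$json")`. The `[[ $? != 0 ]]` after each pipeline still reports only the last stage's status, so a failing sqlite3 in the first pipeline is invisible unless `set -o pipefail` is in effect outside this hunk.
```shell
  if [[ -f "$databasePath" ]]; then
    # … unchanged: sqlite3/jq export of user hashes into "$usersFileTmp" and of superuser roles into "$rolesFileTmp" …
  else
    info "Database file does not exist yet, skipping users export"
  fi

  mv -f "$usersFileTmp" "$elasticUsersFile" || fail "Unable to create users file: $elasticUsersFile"
  mv -f "$rolesFileTmp" "$elasticRolesFile" || fail "Unable to create users file: $elasticRolesFile"
```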
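Review bot: The guard defaults `elasticsearch:auth:enabled` to `False`, so any node whose pillar has not been updated keeps the anonymous `superuser` mapping; that should be stated in a Jinja comment directly above the `{% if %}`, e.g. `{# anonymous superuser access remains until elasticsearch:auth:enabled is set to true in the pillar #}`. The same commit removes the `users` and `users_roles` bind mounts in salt/elasticsearch/init.sls, so unless the config directory is mounted as a whole elsewhere (not visible in this diff) the files so-user now writes would not be readable inside the container once the anonymous block is rendered out — worth confirming before relying on the flag. The kibana.yml hunk keys off the same pillar value and default.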
@@ -214,8 +214,6 @@ so-elasticsearch:
       - binds:
         - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
         - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
-        - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
-        - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
         - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
         - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
         - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
diff --git a/salt/kibana/etc/kibana.yml b/salt/kibana/etc/kibana.yml
index 856f87909..501d93c8a 100644
--- a/salt/kibana/etc/kibana.yml
+++ b/salt/kibana/etc/kibana.yml
@@ -14,7 +14,9 @@ elasticsearch.requestTimeout: 90000
 logging.dest: /var/log/kibana/kibana.log
 telemetry.enabled: false
 security.showInsecureClusterWarning: false
+{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 xpack.security.authc.providers:
   anonymous.anonymous1:
     order: 0
     credentials: "elasticsearch_anonymous_user"
+{% endif %}
\ No newline at end of file
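Review bot: The added `{% endif %}` becomes the last line of salt/kibana/etc/kibana.yml and the file still has no trailing newline, so the rendered config ends mid-line and the next addition will show as a spurious change to this line; terminate `{% endif %}` with a newline. When `elasticsearch:auth:enabled` is true this hunk drops the anonymous provider without adding anything in its place; whether Kibana's own Elasticsearch credentials (the so_kibana_user that so-user now creates) are configured earlier in the file is outside the hunk and should be checked before the flag is enabled.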