diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 3457b8384..3c4de2229 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -238,6 +238,10 @@
 {% do allowed_states.append('elasticsearch') %}
 {% endif %}
+ {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
+ {% do allowed_states.append('elasticsearch.auth') %}
+ {% endif %}
+
 {% if KIBANA and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
 {% do allowed_states.append('kibana') %}
 {% do allowed_states.append('kibana.secrets') %}
diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls
index 35d669892..24c51ec32 100644
--- a/salt/elasticsearch/auth.sls
+++ b/salt/elasticsearch/auth.sls
@@ -1,8 +1,11 @@
-{% set so_elastic_user_pass = salt['random.get_str'](72) %}
-{% set so_kibana_user_pass = salt['random.get_str'](72) %}
-{% set so_logstash_user_pass = salt['random.get_str'](72) %}
-{% set so_beats_user_pass = salt['random.get_str'](72) %}
-{% set so_monitor_user_pass = salt['random.get_str'](72) %}
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+
+ {% set so_elastic_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', salt['random.get_str'](72)) %}
+ {% set so_kibana_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass', salt['random.get_str'](72)) %}
+ {% set so_logstash_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', salt['random.get_str'](72)) %}
+ {% set so_beats_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', salt['random.get_str'](72)) %}
+ {% set so_monitor_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_monitor_user:pass', salt['random.get_str'](72)) %}
 elastic_auth_pillar:
 file.managed:
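Review bot: The role list `['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import']` in the new `ELASTICSEARCH` condition is a verbatim copy of the one in the `KIBANA` condition directly below it, so the two gates can drift apart the next time a role is added or renamed. Declaring it once, e.g. `{% set manager_roles = ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}` near the top of the map and testing `grains.role in manager_roles` in both blocks, keeps the allow-list in one place; whether such a variable already exists earlier in this file is not visible from the hunk. A comment above the new block, such as `{# elasticsearch.auth writes the credential pillar file, so only manager-side roles may run it #}`, would record why the gate is this narrow, which the auth.sls hunks below imply but the map itself leaves implicit.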
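Review bot: The `pillar.get` fallbacks on the new `set` lines regenerate a credential whenever `elasticsearch:auth:users:<user>:pass` is missing from the minion's compiled pillar, and with the `- unless:` grep guard removed in this file's second hunk, `elastic_auth_pillar` (whose `file.managed` body continues outside this hunk) would then rewrite the pillar file with rotated passwords on that run. That is only safe if `/opt/so/saltstack/local/pillar/elasticsearch/auth.sls` is compiled into pillar before the next run of this state; a highstate against stale pillar would silently replace every service password while the running components keep the old ones, and whether the caller refreshes pillar in between is not something this diff shows. The removed comment in the second hunk was the only text explaining why regeneration on every highstate must be avoided, so the new code carries no rationale at all. Suggest a comment above the `set` lines, e.g. `{# passwords are read back from pillar so repeated highstates do not rotate them; a random value is used only when the key is missing, which requires the local pillar to be refreshed after this file is written #}`, and a check that the pillar-refresh ordering actually holds where this state is invoked.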
@@ -29,11 +32,11 @@ elastic_auth_pillar:
 so_monitor_user:
 user: so_monitor
 pass: {{ so_monitor_user_pass }}
- # since we are generating a random password, and we don't want that to happen everytime
- # a highstate runs, we only manage the file each user isn't present in the file. if the
- # pillar file doesn't exists, then the default vault provided to pillar.get should not
- # be within the file either, so it should then be created
- - unless:
- {% for so_app_user, values in salt['pillar.get']('elasticsearch:auth:users', {'so_noapp_user': {'user': 'r@NDumu53Rd0NtDOoP'}}).items() %}
- - grep {{ values.user }} /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
- {% endfor%}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/kibana/secrets.sls b/salt/kibana/secrets.sls
index 52bb5d54c..8bc2c2cc4 100644
--- a/salt/kibana/secrets.sls
+++ b/salt/kibana/secrets.sls
@@ -1,7 +1,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
+ {% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
 kibana_pillar_directory:
 file.directory: