diff --git a/x-pack/plugins/enterprise_search/server/lib/check_access.test.ts b/x-pack/plugins/enterprise_search/server/lib/check_access.test.ts
index a375b506c1fd3..11d4a387b533f 100644
--- a/x-pack/plugins/enterprise_search/server/lib/check_access.test.ts
+++ b/x-pack/plugins/enterprise_search/server/lib/check_access.test.ts
@@ -22,6 +22,11 @@ describe('checkAccess', () => {
 hasAllRequested: false,
 }),
 }),
+ actions: {
+ ui: {
+ get: () => null,
+ },
+ },
 },
 };
 const mockDependencies = {
@@ -60,12 +65,13 @@ describe('checkAccess', () => {
 });
 });
- it("falls back to assuming a non-superuser role if a user's roles cannot be accessed", async () => {
+ it('falls back to assuming a non-superuser role if auth credentials are missing', async () => {
 const security = {
- ...mockSecurity,
 authz: {
- mode: { useRbacForRequest: () => true },
- checkPrivilegesWithRequest: undefined,
+ ...mockSecurity.authz,
+ checkPrivilegesWithRequest: () => ({
+ globally: () => Promise.reject({ statusCode: 403 }),
+ }),
 },
 };
 expect(await checkAccess({ ...mockDependencies, security })).toEqual({
@@ -73,6 +79,16 @@ describe('checkAccess', () => {
 hasWorkplaceSearchAccess: false,
 });
 });
+
+ it('throws other authz errors', async () => {
+ const security = {
+ authz: {
+ ...mockSecurity.authz,
+ checkPrivilegesWithRequest: undefined,
+ },
+ };
+ await expect(checkAccess({ ...mockDependencies, security })).rejects.toThrow();
+ });
 });
 describe('when the user is a non-superuser', () => {
diff --git a/x-pack/plugins/enterprise_search/server/lib/check_access.ts b/x-pack/plugins/enterprise_search/server/lib/check_access.ts
index b8d315ade6d56..e5f996dcdfd71 100644
--- a/x-pack/plugins/enterprise_search/server/lib/check_access.ts
+++ b/x-pack/plugins/enterprise_search/server/lib/check_access.ts
@@ -54,7 +54,10 @@ export const checkAccess = async ({
 .globally(security.authz.actions.ui.get('enterprise_search', 'app_search'));
 return hasAllRequested;
 } catch (err) {
- return false;
+ if (err.statusCode === 401 || err.statusCode === 403) {
+ return false;
+ }
+ throw err;
 }
 };
 if (await isSuperUser()) {
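Review bot: The new `catch` branch carries no comment stating its security intent, and it reads `err.statusCode` without a guard. Treating only 401/403 as "not a superuser" and rethrowing everything else keeps the check fail-closed, but that reasoning should sit next to the code, e.g. `// 401/403: caller is not authorized, treat as non-superuser; rethrow anything else so an authz failure is not reported as "no access"`. If the promise ever rejects with `null` or `undefined`, `err.statusCode` raises a TypeError inside the handler and hides the original failure; `err?.statusCode` would avoid that, assuming the file's TypeScript target allows it. The accompanying tests cover only the 403 rejection and a TypeError, so the 401 branch and an error carrying a different status code are not pinned. `isSuperUser` starts above the hunk and `checkAccess` continues below it, so whether callers handle the new rejection cannot be confirmed from here.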