diff --git a/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java b/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java
index a5b926249f8e2..e1e3c25f083cf 100644
--- a/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java
+++ b/server/src/main/java/org/elasticsearch/transport/TransportActionProxy.java
@@ -175,6 +175,14 @@ public static TransportRequest unwrapRequest(TransportRequest request) {
         return request;
     }
 
+    /**
+     * Unwraps a proxy action and returns the underlying action
+     */
+    public static String unwrapAction(String action) {
+        assert isProxyAction(action) : "Attempted to unwrap non-proxy action: " + action;
+        return action.substring(PROXY_ACTION_PREFIX.length());
+    }
+
     /**
      * Returns true iff the given action is a proxy action
      */
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java
index c673b8ee3276c..ca8318212c9ee 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/SystemPrivilege.java
@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.xpack.core.security.authz.privilege;
 
+import org.elasticsearch.transport.TransportActionProxy;
 import org.elasticsearch.xpack.core.security.support.Automatons;
 
 import java.util.Collections;
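Review bot: The precondition in unwrapAction is enforced only by `assert`, which is typically disabled on a production JVM, so a caller that passes a non-proxy action gets back `action.substring(PROXY_ACTION_PREFIX.length())` — an arbitrarily truncated action name — instead of an error, and the new SystemPrivilege caller feeds that result into an authorization predicate. A hard failure is the safer contract here: `if (isProxyAction(action) == false) { throw new IllegalArgumentException("Attempted to unwrap non-proxy action: " + action); }` in place of the assert. The Javadoc should also state the contract, e.g. `@param action an action name starting with {@code PROXY_ACTION_PREFIX}`, `@return the action name with the proxy prefix removed` and `@throws IllegalArgumentException if {@code action} is not a proxy action`. The only caller visible in this diff checks isProxyAction first, so this is defensive rather than a live defect; the enclosing class continues outside the hunk.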
@@ -14,19 +15,27 @@ public final class SystemPrivilege extends Privilege {
 
     public static SystemPrivilege INSTANCE = new SystemPrivilege();
 
-    private static final Predicate PREDICATE = Automatons.predicate(Automatons.
-        minusAndMinimize(Automatons.patterns(
-            "internal:*",
-            "indices:monitor/*", // added for monitoring
-            "cluster:monitor/*", // added for monitoring
-            "cluster:admin/bootstrap/*", // for the bootstrap service
-            "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener
-            "indices:admin/mapping/put", // needed for recovery and shrink api
-            "indices:admin/template/put", // needed for the TemplateUpgradeService
-            "indices:admin/template/delete", // needed for the TemplateUpgradeService
-            "indices:admin/seq_no/global_checkpoint_sync*", // needed for global checkpoint syncs
-            "indices:admin/settings/update" // needed for DiskThresholdMonitor.markIndicesReadOnly
-        ), Automatons.patterns("internal:transport/proxy/*"))); // no proxy actions for system user!
+    private static final Predicate ALLOWED_ACTIONS = Automatons.predicate(
+        "internal:*",
+        "indices:monitor/*", // added for monitoring
+        "cluster:monitor/*", // added for monitoring
+        "cluster:admin/bootstrap/*", // for the bootstrap service
+        "cluster:admin/reroute", // added for DiskThresholdDecider.DiskListener
+        "indices:admin/mapping/put", // needed for recovery and shrink api
+        "indices:admin/template/put", // needed for the TemplateUpgradeService
+        "indices:admin/template/delete", // needed for the TemplateUpgradeService
+        "indices:admin/seq_no/global_checkpoint_sync*", // needed for global checkpoint syncs
+        "indices:admin/settings/update" // needed for DiskThresholdMonitor.markIndicesReadOnly
+    );
+
+    private static final Predicate PREDICATE = (action) -> {
+        // Only allow a proxy action if the underlying action is allowed
+        if (TransportActionProxy.isProxyAction(action)) {
+            return ALLOWED_ACTIONS.test(TransportActionProxy.unwrapAction(action));
+        } else {
+            return ALLOWED_ACTIONS.test(action);
+        }
+    };
 
     private SystemPrivilege() {
         super(Collections.singleton("internal"));
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
index 58432cdf6c79e..1484e7a878141 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/PrivilegeTests.java
@@ -123,6 +123,7 @@ public void testSystem() throws Exception {
         assertThat(predicate.test("indices:admin/mapping/put"), is(true));
         assertThat(predicate.test("indices:admin/mapping/whatever"), is(false));
         assertThat(predicate.test("internal:transport/proxy/indices:data/read/query"), is(false));
+        assertThat(predicate.test("internal:transport/proxy/indices:monitor/whatever"), is(true));
         assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync"), is(true));
         assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[p]"), is(true));
         assertThat(predicate.test("indices:admin/seq_no/global_checkpoint_sync[r]"), is(true));
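Review bot: The new PREDICATE strips exactly one proxy prefix and then tests the remainder against ALLOWED_ACTIONS, whose first pattern is `internal:*`, so a doubly-wrapped name such as `internal:transport/proxy/internal:transport/proxy/indices:data/read/query` unwraps to a string that still carries the proxy prefix and is accepted by `internal:*` — whereas the removed `minusAndMinimize(..., "internal:transport/proxy/*")` rejected every proxy action regardless of nesting. Whether such a nested name can ever reach this predicate depends on how proxy actions are registered, which is outside this diff, but an authorization check should not depend on that; after unwrapping, reject anything that is still a proxy action: `String underlying = TransportActionProxy.unwrapAction(action);` followed by `return TransportActionProxy.isProxyAction(underlying) == false && ALLOWED_ACTIONS.test(underlying);`. The PrivilegeTests hunk in this commit should pin that case with an `is(false)` assertion next to the new `indices:monitor/whatever` one. The class body continues outside the hunk.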