elastic · lcawl · Nov 26, 2018 · Nov 23, 2018 · Nov 23, 2018
diff --git a/docs/en/stack/security/authorization/built-in-roles.asciidoc b/docs/en/stack/security/authorization/built-in-roles.asciidoc
@@ -47,10 +47,10 @@ information, see
 
 [[built-in-roles-kibana-system]] `kibana_system` ::
 Grants access necessary for the {kib} system user to read from and write to the
-{kib} indices, manage index templates, and check the availability of the {es} cluster.
-This role grants read access to the `.monitoring-*` indices and read and write access
-to the `.reporting-*` indices. For more information, see
-{kibana-ref}/using-kibana-with-security.html[Configuring Security in {kib}].
+{kib} indices, manage index templates and tokens, and check the availability of
+the {es} cluster. This role grants read access to the `.monitoring-*` indices
+and read and write access to the `.reporting-*` indices. For more information,
+see {kibana-ref}/using-kibana-with-security.html[Configuring Security in {kib}].
 +
 NOTE: This role should not be assigned to users as the granted permissions may
 change between releases.

diff --git a/docs/en/stack/security/authorization/privileges.asciidoc b/docs/en/stack/security/authorization/privileges.asciidoc
@@ -43,9 +43,13 @@ or updated them.
 All operations on ingest pipelines.
 
 `manage_security`::
-All security related operations such as CRUD operations on users and roles and
+All security-related operations such as CRUD operations on users and roles and
 cache clearing.
 
+`manage_token`::
+All security-related operations on tokens that are generated by the {es} Token
+Service.
+
 `manage_watcher`::
 All watcher operations, such as putting watches, executing, activate or acknowledging.
 +