diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0df16505..be8bf6a24 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -70,6 +70,7 @@ inputs = {
 
 ### Changes
 
+- Fix handling of empty `except` attributes in `elasticstack_elasticsearch_security_role` ([#1581](https://github.com/elastic/terraform-provider-elasticstack/pull/1581))
 - Fix the enabled property being ignored in `elasticstack_kibana_alerting_rule` ([#1527](https://github.com/elastic/terraform-provider-elasticstack/pull/1527))
 - Add `advanced_monitoring_options` to `elasticstack_fleet_agent_policy` to configure HTTP monitoring endpoint and diagnostics settings ([#1537](https://github.com/elastic/terraform-provider-elasticstack/pull/1537))
 - Move the `input` block to an `inputs` map in `elasticstack_fleet_integration_policy` ([#1482](https://github.com/elastic/terraform-provider-elasticstack/pull/1482))
diff --git a/internal/elasticsearch/security/role/models.go b/internal/elasticsearch/security/role/models.go
index 28f06e294..16c7f29b8 100644
--- a/internal/elasticsearch/security/role/models.go
+++ b/internal/elasticsearch/security/role/models.go
@@ -354,13 +354,13 @@ func (data *RoleData) fromAPIModel(ctx context.Context, role *models.Role) diag.
 
 			var fieldSecObj types.Object
 			if index.FieldSecurity != nil {
-				grantSet, d := types.SetValueFrom(ctx, types.StringType, index.FieldSecurity.Grant)
+				grantSet, d := types.SetValueFrom(ctx, types.StringType, utils.NonNilSlice(index.FieldSecurity.Grant))
 				diags.Append(d...)
 				if diags.HasError() {
 					return diags
 				}
 
-				exceptSet, d := types.SetValueFrom(ctx, types.StringType, index.FieldSecurity.Except)
+				exceptSet, d := types.SetValueFrom(ctx, types.StringType, utils.NonNilSlice(index.FieldSecurity.Except))
 				diags.Append(d...)
 				if diags.HasError() {
 					return diags
diff --git a/internal/elasticsearch/security/role/testdata/TestAccResourceSecurityRoleEmptySets/create/main.tf b/internal/elasticsearch/security/role/testdata/TestAccResourceSecurityRoleEmptySets/create/main.tf
index 022253f72..5fa3f7e53 100644
--- a/internal/elasticsearch/security/role/testdata/TestAccResourceSecurityRoleEmptySets/create/main.tf
+++ b/internal/elasticsearch/security/role/testdata/TestAccResourceSecurityRoleEmptySets/create/main.tf
@@ -10,7 +10,8 @@ resource "elasticstack_elasticsearch_security_role" "test" {
     names      = ["index1", "index2"]
     privileges = ["all"]
     field_security {
-      grant = ["*"]
+      grant  = ["*"]
+      except = []
     }
   }