diff --git a/securityconfig/roles.yml b/securityconfig/roles.yml
index cef2e8696f..764af184f4 100644
--- a/securityconfig/roles.yml
+++ b/securityconfig/roles.yml
@@ -187,3 +187,25 @@ cross_cluster_replication_follower_full_access:
 - "indices:admin/plugins/replication/index/stop"
 - "indices:admin/plugins/replication/index/update"
 - "indices:admin/plugins/replication/index/status_check"
+
+# Allow users to read ML stats/models/tasks
+ml_read_access:
+ reserved: true
+ cluster_permissions:
+ - 'cluster:admin/openserach/ml/stats'
+ - 'cluster:admin/opensearch/ml/models/get'
+ - 'cluster:admin/opensearch/ml/models/search'
+ - 'cluster:admin/opensearch/ml/tasks/get'
+ - 'cluster:admin/opensearch/ml/tasks/search'
+
+# Allows users to use all ML functionality
+ml_full_access:
+ reserved: true
+ cluster_permissions:
+ - 'cluster_monitor'
+ - 'cluster:admin/opensearch/ml/*'
+ index_permissions:
+ - index_patterns:
+ - '*'
+ allowed_actions:
+ - 'indices_monitor'
diff --git a/tools/install_demo_configuration.sh b/tools/install_demo_configuration.sh
index 79e6313aec..88578537de 100755
--- a/tools/install_demo_configuration.sh
+++ b/tools/install_demo_configuration.sh
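Review bot: In the new `ml_read_access` role in securityconfig/roles.yml, the first cluster permission is spelled `cluster:admin/openserach/ml/stats`, while the other four entries use `opensearch`. A permission string that matches no registered action grants nothing and raises no error, so holders of this role would presumably be denied the ML stats call that the role's comment promises. The line should read `- 'cluster:admin/opensearch/ml/stats'`, once the exact action name has been confirmed against the ML plugin. Separately, `cluster:admin/opensearch/ml/*` in `ml_full_access` will also match any action later added under that prefix, which deserves a one-line comment above the role so the growth in privilege is a documented choice.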
@@ -373,7 +373,7 @@ echo "plugins.security.enable_snapshot_restore_privilege: true" | $SUDO_CMD tee
 echo "plugins.security.check_snapshot_restore_write_privileges: true" | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 echo 'plugins.security.system_indices.enabled: true' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
-echo 'plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
+echo 'plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]' | $SUDO_CMD tee -a "$OPENSEARCH_CONF_FILE" > /dev/null
 #network.host
 if $SUDO_CMD grep --quiet -i "^network.host" "$OPENSEARCH_CONF_FILE"; then
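Review bot: The two entries added to `plugins.security.system_indices.indices` are exact names, `.plugins-ml-model` and `.plugins-ml-task`, whereas several neighbours in the same list end in `*`, so any further index the ML plugin creates under another name would not be protected as a system index. This list is written only when the demo installer runs, so, as far as this diff shows, a cluster configured another way receives the new ML roles without the matching index protection. Consider a comment above the line such as `# ML plugin indices are listed by exact name; extend when the plugin adds an index`, and confirm whether a pattern would be more appropriate. The `if` opened on the hunk's last line closes outside the hunk.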