diff --git a/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.test.ts b/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.test.ts
new file mode 100644
index 000000000000000..17ed604e7ab80db
--- /dev/null
+++ b/x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.test.ts
@@ -0,0 +1,231 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+jest.mock('./epm/packages');
+import type { SavedObjectsClientContract } from 'kibana/server';
+
+import { savedObjectsClientMock } from '../../../../../src/core/server/mocks';
+import type { PackagePolicy, RegistryDataStream } from '../types';
+
+import { getPackageInfo } from './epm/packages';
+import {
+ getDataStreamPermissions,
+ storedPackagePoliciesToAgentPermissions,
+} from './package_policies_to_agent_permissions';
+
+const getPackageInfoMock = getPackageInfo as jest.MockedFunction;
+
+describe('storedPackagePoliciesToAgentPermissions()', () => {
+ let soClient: jest.Mocked;
+ beforeEach(() => {
+ soClient = savedObjectsClientMock.create();
+ });
+
+ it('Returns `undefined` if there are no package policies', async () => {
+ const permissions = await storedPackagePoliciesToAgentPermissions(soClient, []);
+ expect(permissions).toBeUndefined();
+ });
+
+ it('Returns the default permissions for string package policies', async () => {
+ const permissions = await storedPackagePoliciesToAgentPermissions(soClient, ['foo']);
+ expect(permissions).toMatchObject({
+ _fallback: {
+ cluster: ['monitor'],
+ indices: [
+ {
+ names: [
+ 'logs-*',
+ 'metrics-*',
+ 'traces-*',
+ 'synthetics-*',
+ '.logs-endpoint.diagnostic.collection-*',
+ ],
+ privileges: ['auto_configure', 'create_doc'],
+ },
+ ],
+ },
+ });
+ });
+
+ it('Returns the default permissions if a package policy does not have a package', async () => {
+ const permissions = await storedPackagePoliciesToAgentPermissions(soClient, [
+ { name: 'foo', package: undefined } as PackagePolicy,
+ ]);
+
+ expect(permissions).toMatchObject({
+ foo: {
+ cluster: ['monitor'],
+ indices: [
+ {
+ names: [
+ 'logs-*',
+ 'metrics-*',
+ 'traces-*',
+ 'synthetics-*',
+ '.logs-endpoint.diagnostic.collection-*',
+ ],
+ privileges: ['auto_configure', 'create_doc'],
+ },
+ ],
+ },
+ });
+ });
+
+ it('Returns the permissions for the enabled inputs', async () => {
+ getPackageInfoMock.mockResolvedValueOnce({
+ name: 'test-package',
+ version: '0.0.0',
+ latestVersion: '0.0.0',
+ release: 'experimental',
+ format_version: '1.0.0',
+ title: 'Test Package',
+ description: '',
+ icons: [],
+ owner: { github: '' },
+ status: 'not_installed',
+ assets: {
+ kibana: {
+ dashboard: [],
+ visualization: [],
+ search: [],
+ index_pattern: [],
+ map: [],
+ lens: [],
+ security_rule: [],
+ ml_module: [],
+ },
+ elasticsearch: {
+ component_template: [],
+ ingest_pipeline: [],
+ ilm_policy: [],
+ transform: [],
+ index_template: [],
+ data_stream_ilm_policy: [],
+ },
+ },
+ data_streams: [
+ {
+ type: 'logs',
+ dataset: 'some-logs',
+ title: '',
+ release: '',
+ package: 'test-package',
+ path: '',
+ ingest_pipeline: '',
+ streams: [{ input: 'test-logs', title: 'Test Logs', template_path: '' }],
+ },
+ {
+ type: 'metrics',
+ dataset: 'some-metrics',
+ title: '',
+ release: '',
+ package: 'test-package',
+ path: '',
+ ingest_pipeline: '',
+ streams: [{ input: 'test-metrics', title: 'Test Logs', template_path: '' }],
+ },
+ ],
+ });
+
+ const packagePolicies: PackagePolicy[] = [
+ {
+ id: '12345',
+ name: 'test-policy',
+ namespace: 'test',
+ enabled: true,
+ package: { name: 'test-package', version: '0.0.0', title: 'Test Package' },
+ inputs: [
+ { type: 'test-logs', enabled: true, streams: [] },
+ { type: 'test-metrics', enabled: false, streams: [] },
+ ],
+ created_at: '',
+ updated_at: '',
+ created_by: '',
+ updated_by: '',
+ revision: 1,
+ policy_id: '',
+ output_id: '',
+ },
+ ];
+
+ const permissions = await storedPackagePoliciesToAgentPermissions(soClient, packagePolicies);
+ expect(permissions).toMatchObject({
+ 'test-policy': {
+ indices: [
+ {
+ names: ['logs-some-logs-test'],
+ privileges: ['auto_configure', 'create_doc'],
+ },
+ ],
+ },
+ });
+ });
+});
+
+describe('getDataStreamPermissions()', () => {
+ it('returns defaults for a datastream with no permissions', () => {
+ const dataStream = { type: 'logs', dataset: 'test' } as RegistryDataStream;
+ const permissions = getDataStreamPermissions(dataStream);
+
+ expect(permissions).toMatchObject({
+ names: ['logs-test-*'],
+ privileges: ['auto_configure', 'create_doc'],
+ });
+ });
+
+ it('adds the namespace to the index name', () => {
+ const dataStream = { type: 'logs', dataset: 'test' } as RegistryDataStream;
+ const permissions = getDataStreamPermissions(dataStream, 'namespace');
+
+ expect(permissions).toMatchObject({
+ names: ['logs-test-namespace'],
+ privileges: ['auto_configure', 'create_doc'],
+ });
+ });
+
+ it('appends a wildcard if dataset is prefix', () => {
+ const dataStream = {
+ type: 'logs',
+ dataset: 'test',
+ dataset_is_prefix: true,
+ } as RegistryDataStream;
+ const permissions = getDataStreamPermissions(dataStream, 'namespace');
+
+ expect(permissions).toMatchObject({
+ names: ['logs-test-namespace-*'],
+ privileges: ['auto_configure', 'create_doc'],
+ });
+ });
+
+ it('prepends a dot if datastream is hidden', () => {
+ const dataStream = {
+ type: 'logs',
+ dataset: 'test',
+ hidden: true,
+ } as RegistryDataStream;
+ const permissions = getDataStreamPermissions(dataStream, 'namespace');
+
+ expect(permissions).toMatchObject({
+ names: ['.logs-test-namespace'],
+ privileges: ['auto_configure', 'create_doc'],
+ });
+ });
+
+ it('uses custom permissions if they are present in the datastream', () => {
+ const dataStream = {
+ type: 'logs',
+ dataset: 'test',
+ permissions: { indices: ['read', 'write'] },
+ } as RegistryDataStream;
+ const permissions = getDataStreamPermissions(dataStream, 'namespace');
+
+ expect(permissions).toMatchObject({
+ names: ['logs-test-namespace'],
+ privileges: ['read', 'write'],
+ });
+ });
+});
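Review bot: Every assertion in this file uses `toMatchObject`, which still passes when the returned object carries extra keys, so in the 'Returns the permissions for the enabled inputs' case an unexpected `cluster` entry under `'test-policy'`, or a second top-level policy key, would not fail the test. Judging by the function names these objects end up as the privileges granted to an agent, so over-granting is the regression most worth catching. I would pin the result exactly, e.g. `expect(permissions).toEqual({ 'test-policy': { indices: [{ names: ['logs-some-logs-test'], privileges: ['auto_configure', 'create_doc'] }] } });`, adjusting the literal if the function legitimately returns more fields. The last `getDataStreamPermissions()` case also fixes that `permissions.indices` from the package's data stream is copied into `privileges` unchanged. The implementation is not part of this diff, so it is worth confirming whether those values are checked against an allow-list, and adding a case with an unexpected privilege to document the intended behaviour.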