diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java
index 34c08b726f..f71135ce50 100644
--- a/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java
+++ b/src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java
@@ -86,10 +86,8 @@ boolean accessHandler(final RestRequest request) {
 switch (request.method()) {
 case PATCH:
 case PUT:
- if (!allowPutOrPatch && !restApiAdminEnabled) {
- return false;
- } else if (allowPutOrPatch && !restApiAdminEnabled) {
- return true;
+ if (!restApiAdminEnabled) {
+ return allowPutOrPatch;
 } else {
 return securityApiDependencies.restApiAdminPrivilegesEvaluator()
 .isCurrentUserAdminFor(endpoint, SECURITY_CONFIG_UPDATE);
diff --git a/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java b/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java
index b722fd64d7..9d104381a6 100644
--- a/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java
+++ b/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java
@@ -183,7 +183,7 @@ public void hasExplicitClusterPermissionPermissionForRestAdminWitFullAccess() {
 
 @Test
 public void hasExplicitClusterPermissionPermissionForRestAdmin() {
- // verify all endpoint except SSL
+ // verify all endpoint except SSL and verify CONFIG endpoints
 final Collection noSslEndpoints = ENDPOINTS_WITH_PERMISSIONS.keySet()
 .stream()
 .filter(e -> e != Endpoint.SSL && e != Endpoint.CONFIG)
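Review bot: The PATCH/PUT branch of accessHandler encodes a precedence between two switches that nothing in the hunk documents: with `restApiAdminEnabled` false the result is the `allowPutOrPatch` flag alone, and with it true that flag is ignored and only `isCurrentUserAdminFor(endpoint, SECURITY_CONFIG_UPDATE)` decides. The rewrite looks equivalent to the removed if/else-if chain, but because this branch gates writes to the security configuration I would state the rule above the `if`, e.g. `// REST-admin mode off: allowPutOrPatch alone decides; mode on: allowPutOrPatch is ignored and SECURITY_CONFIG_UPDATE is required`. The only test change visible in this diff is a comment, so a test that pins all four flag combinations for both PUT and PATCH would protect the refactor. accessHandler starts and ends outside the hunk, so any check that runs before this switch is not visible here.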
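Review bot: The reworded comment reads as if CONFIG endpoints are verified by the statement that follows, but the filter on the last line of the hunk excludes `Endpoint.CONFIG` together with `Endpoint.SSL`, and the collection is still named `noSslEndpoints`. If CONFIG is asserted separately further down (the method body continues outside the hunk), the comment should say that explicitly, for example `// verify all endpoints except SSL and CONFIG; CONFIG is checked separately below`. That keeps a reader from assuming the CONFIG permission is covered by this loop when it is not.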