diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index c5bf1aa96..18eae6390 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -292,7 +292,10 @@ func agentMasterAuthorizer(nodeName string, entMeta *structs.EnterpriseMeta) (ac
 			},
 		},
 	}
-	return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
+
+	var cfg *acl.Config
+	setEnterpriseConf(entMeta, cfg)
+	return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg)
 }
 
 func NewACLResolver(config *ACLResolverConfig) (*ACLResolver, error) {
@@ -1094,7 +1097,7 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs
 	if r.aclConf != nil {
 		conf = *r.aclConf
 	}
-	r.setEnterpriseConf(identity, &conf)
+	setEnterpriseConf(identity.EnterpriseMetadata(), &conf)
 
 	authz, err := policies.Compile(r.cache, &conf)
 	if err != nil {
diff --git a/agent/consul/acl_oss.go b/agent/consul/acl_oss.go
index 7c37023a5..5be3b3fb1 100644
--- a/agent/consul/acl_oss.go
+++ b/agent/consul/acl_oss.go
@@ -46,4 +46,4 @@ func (_ *ACLResolver) resolveLocallyManagedEnterpriseToken(_ string) (structs.AC
 	return nil, nil, false
 }
 
-func (_ *ACLResolver) setEnterpriseConf(identity structs.ACLIdentity, conf *acl.Config) {}
+func setEnterpriseConf(entMeta *structs.EnterpriseMeta, conf *acl.Config) {}