diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go
index 9a1eaba6c..a37bbf101 100644
--- a/agent/consul/acl_test.go
+++ b/agent/consul/acl_test.go
@@ -847,6 +847,66 @@ node "node1" {
 	}
 }
 
+func TestACL_filterIntentions(t *testing.T) {
+	t.Parallel()
+	fill := func() structs.Intentions {
+		return structs.Intentions{
+			&structs.Intention{
+				ID:              "f004177f-2c28-83b7-4229-eacc25fe55d1",
+				DestinationName: "bar",
+			},
+			&structs.Intention{
+				ID:              "f004177f-2c28-83b7-4229-eacc25fe55d2",
+				DestinationName: "foo",
+			},
+		}
+	}
+
+	// Try permissive filtering.
+	{
+		ixns := fill()
+		filt := newACLFilter(acl.AllowAll(), nil, false)
+		filt.filterIntentions(&ixns)
+		if len(ixns) != 2 {
+			t.Fatalf("bad: %#v", ixns)
+		}
+	}
+
+	// Try restrictive filtering.
+	{
+		ixns := fill()
+		filt := newACLFilter(acl.DenyAll(), nil, false)
+		filt.filterIntentions(&ixns)
+		if len(ixns) != 0 {
+			t.Fatalf("bad: %#v", ixns)
+		}
+	}
+
+	// Policy to see one
+	policy, err := acl.Parse(`
+service "foo" {
+  policy = "read"
+}
+`, nil)
+	if err != nil {
+		t.Fatalf("err %v", err)
+	}
+	perms, err := acl.New(acl.DenyAll(), policy, nil)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Filter
+	{
+		ixns := fill()
+		filt := newACLFilter(perms, nil, false)
+		filt.filterIntentions(&ixns)
+		if len(ixns) != 1 {
+			t.Fatalf("bad: %#v", ixns)
+		}
+	}
+}
+
 func TestACL_filterServices(t *testing.T) {
 	t.Parallel()
 	// Create some services
diff --git a/agent/structs/intention_test.go b/agent/structs/intention_test.go
index 9db4ff255..948ae920e 100644
--- a/agent/structs/intention_test.go
+++ b/agent/structs/intention_test.go
@@ -8,6 +8,43 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func TestIntentionGetACLPrefix(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Input    *Intention
+		Expected string
+	}{
+		{
+			"unset name",
+			&Intention{DestinationName: ""},
+			"",
+		},
+
+		{
+			"set name",
+			&Intention{DestinationName: "fo"},
+			"fo",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.Name, func(t *testing.T) {
+			actual, ok := tc.Input.GetACLPrefix()
+			if tc.Expected == "" {
+				if !ok {
+					return
+				}
+
+				t.Fatal("should not be ok")
+			}
+
+			if actual != tc.Expected {
+				t.Fatalf("bad: %q", actual)
+			}
+		})
+	}
+}
+
 func TestIntentionValidate(t *testing.T) {
 	cases := []struct {
 		Name   string