diff --git a/acl/acl.go b/acl/acl.go
index 87295aa00..9538a18e5 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -14,6 +14,11 @@ type Config struct {
 EnterpriseConfig
 }
 
+type PartitionExportInfo interface {
+ // DownstreamPartitions returns the list of partitions the given service has been exported to.
+ DownstreamPartitions(service string, ctx *AuthorizerContext) []string
+}
+
 // GetWildcardName will retrieve the configured wildcard name or provide a default
 // in the case that the config is Nil or the wildcard name is unset.
 func (c *Config) GetWildcardName() string {
diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index 73a181bec..095ec8eba 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -1094,7 +1094,7 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs
 if r.aclConf != nil {
 conf = *r.aclConf
 }
- conf.LocalPartition = identity.EnterpriseMetadata().PartitionOrDefault()
+ r.setEnterpriseConf(identity, &conf)
 
 authz, err := policies.Compile(r.cache, &conf)
 if err != nil {
@@ -1900,3 +1900,9 @@ func filterACL(r *ACLResolver, token string, subj interface{}) error {
 filterACLWithAuthorizer(r.logger, authorizer, subj)
 return nil
 }
+
+type partitionInfoNoop struct{}
+
+func (p *partitionInfoNoop) DownstreamPartitions(service string, ctx *acl.AuthorizerContext) []string {
+ return []string{}
+}
diff --git a/agent/consul/acl_oss.go b/agent/consul/acl_oss.go
index 8b0417b41..7c37023a5 100644
--- a/agent/consul/acl_oss.go
+++ b/agent/consul/acl_oss.go
@@ -15,7 +15,11 @@ func (s *Server) replicationEnterpriseMeta() *structs.EnterpriseMeta {
 return structs.ReplicationEnterpriseMeta()
 }
 
-func newACLConfig(hclog.Logger) *acl.Config {
+func serverPartitionInfo(s *Server) acl.PartitionExportInfo {
+ return &partitionInfoNoop{}
+}
+
+func newACLConfig(_ acl.PartitionExportInfo, hclog.Logger) *acl.Config {
 return &acl.Config{
 WildcardName: structs.WildcardSpecifier,
 }
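Review bot: The exported interface PartitionExportInfo in acl/acl.go has no doc comment even though its single method does, so godoc and linters show an undocumented exported type; add one above the declaration, e.g. `// PartitionExportInfo answers which partitions a service has been exported to.`. The second parameter is named `ctx` but is an `*AuthorizerContext`, not a `context.Context`, which readers will reflexively misread; `authzCtx *AuthorizerContext` avoids that. The implementation in agent/consul/acl.go keeps the same name, so the rename would apply there as well.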
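Review bot: Replacing the assignment with `r.setEnterpriseConf(identity, &conf)` means conf.LocalPartition is no longer set in the OSS build, because the OSS stub added in agent/consul/acl_oss.go (the `@@ -41,3 +45,5 @@` hunk) has an empty body. If any OSS authorization path compares `conf.LocalPartition` against an identity's partition, the compiled authorizer's decisions could change without a test catching it. Either the stub should keep `conf.LocalPartition = identity.EnterpriseMetadata().PartitionOrDefault()`, or it should carry a comment stating that LocalPartition is intentionally left at its prior value in OSS and why that is safe. ResolveTokenToIdentityAndAuthorizer begins before this hunk.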
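Review bot: partitionInfoNoop is undocumented, and nothing at the declaration says it is a stub or which interface it satisfies. Suggest `// partitionInfoNoop implements acl.PartitionExportInfo for builds without partition export support: every service has no downstream partitions.` above the type, plus the compile-time check `var _ acl.PartitionExportInfo = (*partitionInfoNoop)(nil)` so a later change to the interface is caught at this definition. In DownstreamPartitions, `return nil` is the idiomatic empty result unless a caller serializes the slice to JSON and depends on `[]`; the receiver `p` and both parameters are unused and could be `_`.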
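Review bot: As shown in the hunk, `func newACLConfig(_ acl.PartitionExportInfo, hclog.Logger) *acl.Config {` mixes a named parameter (`_`) with an unnamed one, which the Go parser rejects as "mixed named and unnamed parameters"; both need names, e.g. `func newACLConfig(_ acl.PartitionExportInfo, _ hclog.Logger) *acl.Config {`. serverPartitionInfo also ignores its `s` argument, which is fine for a stub but deserves a one-line comment such as `// serverPartitionInfo returns the no-op exporter: this build reports no downstream partitions.` so the unused parameter is not read as an oversight.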
@@ -41,3 +45,5 @@ func (_ *ACLResolver) resolveEnterpriseIdentityAndPolicies(_ structs.ACLIdentity
 func (_ *ACLResolver) resolveLocallyManagedEnterpriseToken(_ string) (structs.ACLIdentity, acl.Authorizer, bool) {
 return nil, nil, false
 }
+
+func (_ *ACLResolver) setEnterpriseConf(identity structs.ACLIdentity, conf *acl.Config) {}
diff --git a/agent/consul/client.go b/agent/consul/client.go
index a2abc7fb7..031308e19 100644
--- a/agent/consul/client.go
+++ b/agent/consul/client.go
@@ -123,7 +123,7 @@ func NewClient(config *Config, deps Deps) (*Client, error) {
 Logger: c.logger,
 DisableDuration: aclClientDisabledTTL,
 CacheConfig: clientACLCacheConfig,
- ACLConfig: newACLConfig(c.logger),
+ ACLConfig: newACLConfig(&partitionInfoNoop{}, c.logger),
 Tokens: deps.Tokens,
 }
 var err error
diff --git a/agent/consul/server.go b/agent/consul/server.go
index 5069e4d80..969785a23 100644
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
@@ -427,7 +427,8 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
 // Initialize the stats fetcher that autopilot will use.
 s.statsFetcher = NewStatsFetcher(logger, s.connPool, s.config.Datacenter)
 
- s.aclConfig = newACLConfig(logger)
+ partitionInfo := serverPartitionInfo(s)
+ s.aclConfig = newACLConfig(partitionInfo, logger)
 aclConfig := ACLResolverConfig{
 Config: config.ACLResolverSettings,
 Delegate: s,
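Review bot: In agent/consul/client.go, NewClient hard-codes `&partitionInfoNoop{}` while NewServer obtains its exporter through serverPartitionInfo(s), so a build that supplies a real PartitionExportInfo to servers would still hand clients the no-op one, and client-side and server-side authorizers would be compiled from different export information. If that is deliberate — presumably because client agents defer export resolution to servers — a comment on the line should say so, e.g. `// Client agents never resolve partition exports, so the no-op exporter is sufficient here.`. Otherwise a build-tagged `clientPartitionInfo` counterpart to serverPartitionInfo would keep the two constructors symmetric. NewClient's body continues outside the hunk.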