diff --git a/acl/policy.go b/acl/policy.go
index eba1204f2..b6efaa642 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -28,6 +28,8 @@ const (
 NamespaceCapabilityDispatchJob = "dispatch-job"
 NamespaceCapabilityReadLogs = "read-logs"
 NamespaceCapabilityReadFS = "read-fs"
+ NamespaceCapabilityAllocExec = "alloc-exec"
+ NamespaceCapabilityAllocNodeExec = "alloc-node-exec"
 NamespaceCapabilityAllocLifecycle = "alloc-lifecycle"
 NamespaceCapabilitySentinelOverride = "sentinel-override"
 )
@@ -94,7 +96,8 @@ func isNamespaceCapabilityValid(cap string) bool {
 switch cap {
 case NamespaceCapabilityDeny, NamespaceCapabilityListJobs, NamespaceCapabilityReadJob,
 NamespaceCapabilitySubmitJob, NamespaceCapabilityDispatchJob, NamespaceCapabilityReadLogs,
- NamespaceCapabilityReadFS, NamespaceCapabilityAllocLifecycle:
+ NamespaceCapabilityReadFS, NamespaceCapabilityAllocLifecycle,
+ NamespaceCapabilityAllocExec, NamespaceCapabilityAllocNodeExec:
 return true
 // Separate the enterprise-only capabilities
 case NamespaceCapabilitySentinelOverride:
@@ -123,6 +126,7 @@ func expandNamespacePolicy(policy string) []string {
 NamespaceCapabilityDispatchJob,
 NamespaceCapabilityReadLogs,
 NamespaceCapabilityReadFS,
+ NamespaceCapabilityAllocExec,
 NamespaceCapabilityAllocLifecycle,
 }
 default:
diff --git a/acl/policy_test.go b/acl/policy_test.go
index 3385370aa..4665d0d45 100644
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
@@ -80,6 +80,7 @@ func TestParse(t *testing.T) {
 NamespaceCapabilityDispatchJob,
 NamespaceCapabilityReadLogs,
 NamespaceCapabilityReadFS,
+ NamespaceCapabilityAllocExec,
 NamespaceCapabilityAllocLifecycle,
 },
 },
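Review bot: The two constants added to the const block in acl/policy.go have no comment, and the names alone do not tell a policy author how `alloc-exec` and `alloc-node-exec` differ or which one is the more sensitive grant. Exec is command execution inside a workload rather than read access, so the distinction belongs where the capability is defined. A line above each would do, for example `// NamespaceCapabilityAllocNodeExec gates exec for tasks that are not isolated from the client node; grant it separately from alloc-exec.`, with the wording checked against the exec endpoint, since that meaning is inferred from the name. The const block starts before the hunk.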
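Review bot: Adding `NamespaceCapabilityAllocExec` to the expansion list in expandNamespacePolicy widens every existing ACL policy that uses the corresponding shorthand: tokens that could read logs and files gain command execution inside allocations on upgrade, without the operator editing any policy. That is a change in granted privilege and should be stated in the upgrade notes, and the list deserves a comment such as `// alloc-node-exec is deliberately not part of this shorthand; it must be granted explicitly.` The case label for this list is outside the hunk, so which shorthand is affected is inferred from the surrounding context. Operators who want the previous scope would have to replace the shorthand with an explicit capability list.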
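Review bot: The change to TestParse in acl/policy_test.go only updates the expected expansion to include `alloc-exec`; nothing visible exercises a policy that names `alloc-node-exec` explicitly, so the new branch in isNamespaceCapabilityValid for that capability appears to be untested. A table case whose policy lists `alloc-node-exec` on its own, expecting it to parse and to stay exactly that one capability, would pin both the validity check and the fact that it is opt-in. TestParse's body continues outside the hunk, so such a case may already exist elsewhere.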