diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
index 27353ea8e..23f1333a9 100644
--- a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
+++ b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
@@ -333,7 +333,7 @@ private boolean permissionContains(UserPermission.View permission,
             .stream()
             .anyMatch(view -> view.getName().equalsIgnoreCase(resourceName));
       case BUILD_SERVICE:
-        return containsAuth.apply(permission.getBuildServices());
+        return permission.isLegacyFallback() || containsAuth.apply(permission.getBuildServices());
       default:
         return false;
     }
diff --git a/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/Authorization.java b/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/Authorization.java
index 08224b875..60dc2869a 100644
--- a/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/Authorization.java
+++ b/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/Authorization.java
@@ -23,7 +23,8 @@
 
 public enum Authorization {
   READ,
-  WRITE;
+  WRITE,
+  EXECUTE;
 
   public static Set<Authorization> ALL = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(values())));
 }
diff --git a/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/resources/Permissions.java b/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/resources/Permissions.java
index 373cf0d34..c51700871 100644
--- a/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/resources/Permissions.java
+++ b/fiat-core/src/main/java/com/netflix/spinnaker/fiat/model/resources/Permissions.java
@@ -95,8 +95,7 @@ public Set<Authorization> getAuthorizations(List<String> userRoles) {
                .collect(Collectors.toSet());
   }
 
-  //VisibleForTesting
-  protected List<String> get(Authorization a) {
+  public List<String> get(Authorization a) {
     return permissions.get(a);
   }
 
diff --git a/fiat-core/src/test/groovy/com/netflix/spinnaker/fiat/model/resources/PermissionsSpec.groovy b/fiat-core/src/test/groovy/com/netflix/spinnaker/fiat/model/resources/PermissionsSpec.groovy
index c0a769133..93805f7f0 100644
--- a/fiat-core/src/test/groovy/com/netflix/spinnaker/fiat/model/resources/PermissionsSpec.groovy
+++ b/fiat-core/src/test/groovy/com/netflix/spinnaker/fiat/model/resources/PermissionsSpec.groovy
@@ -32,6 +32,7 @@ class PermissionsSpec extends Specification {
 
   private static final Authorization R = Authorization.READ
   private static final Authorization W = Authorization.WRITE
+  private static final Authorization E = Authorization.EXECUTE
 
   @Autowired
   TestConfigProps testConfigProps
@@ -152,7 +153,7 @@ class PermissionsSpec extends Specification {
     Permissions p = new Permissions.Builder().build()
 
     expect:
-    p.getAuthorizations([]) == [R, W] as Set
+    p.getAuthorizations([]) == [R, W, E] as Set
 
     when:
     p = Permissions.factory([(R): ["bar"], (W): ["bar"]])