diff --git a/.changelog/11672.txt b/.changelog/11672.txt
new file mode 100644
index 00000000000..07c9c6e8308
--- /dev/null
+++ b/.changelog/11672.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix the ACL requirements for displaying the job details page
+```
diff --git a/ui/app/abilities/client.js b/ui/app/abilities/client.js
index 350200dc81a..f48eeb93e4d 100644
--- a/ui/app/abilities/client.js
+++ b/ui/app/abilities/client.js
@@ -7,18 +7,30 @@ import classic from 'ember-classic-decorator';
 export default class Client extends AbstractAbility {
   // Map abilities to policy options (which are coarse for nodes)
   // instead of specific behaviors.
+  @or('bypassAuthorization', 'selfTokenIsManagement', 'policiesIncludeNodeRead')
+  canRead;
+
   @or('bypassAuthorization', 'selfTokenIsManagement', 'policiesIncludeNodeWrite')
   canWrite;
 
   @computed('token.selfTokenPolicies.[]')
-  get policiesIncludeNodeWrite() {
-    // For each policy record, extract the Node policy
-    const policies = (this.get('token.selfTokenPolicies') || [])
-      .toArray()
-      .map(policy => get(policy, 'rulesJSON.Node.Policy'))
-      .compact();
+  get policiesIncludeNodeRead() {
+    return policiesIncludePermissions(this.get('token.selfTokenPolicies'), ['read', 'write']);
+  }
 
-    // Node write is allowed if any policy allows it
-    return policies.some(policy => policy === 'write');
+  @computed('token.selfTokenPolicies.[]')
+  get policiesIncludeNodeWrite() {
+    return policiesIncludePermissions(this.get('token.selfTokenPolicies'), ['write']);
   }
 }
+
+function policiesIncludePermissions(policies = [], permissions = []) {
+  // For each policy record, extract the Node policy
+  const nodePolicies = policies
+    .toArray()
+    .map(policy => get(policy, 'rulesJSON.Node.Policy'))
+    .compact();
+
+  // Check for requested permissions
+  return nodePolicies.some(policy => permissions.includes(policy));
+}
diff --git a/ui/app/components/job-page/abstract.js b/ui/app/components/job-page/abstract.js
index 29beaa6aa12..4239f844fce 100644
--- a/ui/app/components/job-page/abstract.js
+++ b/ui/app/components/job-page/abstract.js
@@ -5,6 +5,7 @@ import classic from 'ember-classic-decorator';
 
 @classic
 export default class Abstract extends Component {
+  @service can;
   @service system;
 
   job = null;
@@ -20,6 +21,10 @@ export default class Abstract extends Component {
   // Set to a { title, description } to surface an error
   errorMessage = null;
 
+  get shouldDisplayClientInformation() {
+    return this.can.can('read client') && this.job.hasClientStatus;
+  }
+
   @action
   clearErrorMessage() {
     this.set('errorMessage', null);
diff --git a/ui/app/components/job-page/parameterized-child.js b/ui/app/components/job-page/parameterized-child.js
index daf0e418340..3f941067c06 100644
--- a/ui/app/components/job-page/parameterized-child.js
+++ b/ui/app/components/job-page/parameterized-child.js
@@ -1,14 +1,11 @@
 import { computed } from '@ember/object';
 import { alias } from '@ember/object/computed';
-import { inject as service } from '@ember/service';
 import PeriodicChildJobPage from './periodic-child';
 import classic from 'ember-classic-decorator';
-import jobClientStatus from 'nomad-ui/utils/properties/job-client-status';
 
 @classic
 export default class ParameterizedChild extends PeriodicChildJobPage {
   @alias('job.decodedPayload') payload;
-  @service store;
 
   @computed('payload')
   get payloadJSON() {
@@ -20,10 +17,4 @@ export default class ParameterizedChild extends PeriodicChildJobPage {
     }
     return json;
   }
-
-  @jobClientStatus('nodes', 'job') jobClientStatus;
-
-  get nodes() {
-    return this.store.peekAll('node');
-  }
 }
diff --git a/ui/app/components/job-page/parts/job-client-status-summary.js b/ui/app/components/job-page/parts/job-client-status-summary.js
index 15ac0c45922..515f085688e 100644
--- a/ui/app/components/job-page/parts/job-client-status-summary.js
+++ b/ui/app/components/job-page/parts/job-client-status-summary.js
@@ -2,20 +2,26 @@ import Component from '@ember/component';
 import { action, computed } from '@ember/object';
 import { classNames } from '@ember-decorators/component';
 import classic from 'ember-classic-decorator';
+import jobClientStatus from 'nomad-ui/utils/properties/job-client-status';
 
 @classic
 @classNames('boxed-section')
 export default class JobClientStatusSummary extends Component {
   job = null;
-  jobClientStatus = null;
+  nodes = null;
+  forceCollapsed = false;
   gotoClients() {}
 
-  @computed
+  @computed('forceCollapsed')
   get isExpanded() {
+    if (this.forceCollapsed) return false;
+
     const storageValue = window.localStorage.nomadExpandJobClientStatusSummary;
     return storageValue != null ? JSON.parse(storageValue) : true;
   }
 
+  @jobClientStatus('nodes', 'job') jobClientStatus;
+
   @action
   onSliceClick(ev, slice) {
     this.gotoClients([slice.className.camelize()]);
diff --git a/ui/app/components/job-page/periodic-child.js b/ui/app/components/job-page/periodic-child.js
index d581d88dc29..dfe42225dc3 100644
--- a/ui/app/components/job-page/periodic-child.js
+++ b/ui/app/components/job-page/periodic-child.js
@@ -1,13 +1,9 @@
 import AbstractJobPage from './abstract';
 import { computed } from '@ember/object';
-import { inject as service } from '@ember/service';
 import classic from 'ember-classic-decorator';
-import jobClientStatus from 'nomad-ui/utils/properties/job-client-status';
 
 @classic
 export default class PeriodicChild extends AbstractJobPage {
-  @service store;
-
   @computed('job.{name,id}', 'job.parent.{name,id}')
   get breadcrumbs() {
     const job = this.job;
@@ -25,10 +21,4 @@ export default class PeriodicChild extends AbstractJobPage {
       },
     ];
   }
-
-  @jobClientStatus('nodes', 'job') jobClientStatus;
-
-  get nodes() {
-    return this.store.peekAll('node');
-  }
 }
diff --git a/ui/app/components/job-page/sysbatch.js b/ui/app/components/job-page/sysbatch.js
index 0819ed49426..abdbdfdf3df 100644
--- a/ui/app/components/job-page/sysbatch.js
+++ b/ui/app/components/job-page/sysbatch.js
@@ -1,15 +1,5 @@
 import AbstractJobPage from './abstract';
 import classic from 'ember-classic-decorator';
-import { inject as service } from '@ember/service';
-import jobClientStatus from 'nomad-ui/utils/properties/job-client-status';
 
 @classic
-export default class Sysbatch extends AbstractJobPage {
-  @service store;
-
-  @jobClientStatus('nodes', 'job') jobClientStatus;
-
-  get nodes() {
-    return this.store.peekAll('node');
-  }
-}
+export default class Sysbatch extends AbstractJobPage {}
diff --git a/ui/app/components/job-page/system.js b/ui/app/components/job-page/system.js
index 5909c8f163d..bf2c0444246 100644
--- a/ui/app/components/job-page/system.js
+++ b/ui/app/components/job-page/system.js
@@ -1,15 +1,5 @@
 import AbstractJobPage from './abstract';
 import classic from 'ember-classic-decorator';
-import { inject as service } from '@ember/service';
-import jobClientStatus from 'nomad-ui/utils/properties/job-client-status';
 
 @classic
-export default class System extends AbstractJobPage {
-  @service store;
-
-  @jobClientStatus('nodes', 'job') jobClientStatus;
-
-  get nodes() {
-    return this.store.peekAll('node');
-  }
-}
+export default class System extends AbstractJobPage {}
diff --git a/ui/app/components/list-accordion/accordion-head.js b/ui/app/components/list-accordion/accordion-head.js
index 320092634b1..6ef4f9f2a67 100644
--- a/ui/app/components/list-accordion/accordion-head.js
+++ b/ui/app/components/list-accordion/accordion-head.js
@@ -9,8 +9,10 @@ export default class AccordionHead extends Component {
   'data-test-accordion-head' = true;
 
   buttonLabel = 'toggle';
+  tooltip = '';
   isOpen = false;
   isExpandable = true;
+  isDisabled = false;
   item = null;
 
   onClose() {}
diff --git a/ui/app/controllers/jobs/job/index.js b/ui/app/controllers/jobs/job/index.js
index 2b663959f97..b57a44343a2 100644
--- a/ui/app/controllers/jobs/job/index.js
+++ b/ui/app/controllers/jobs/job/index.js
@@ -1,5 +1,5 @@
 import { inject as service } from '@ember/service';
-import { alias } from '@ember/object/computed';
+import { computed } from '@ember/object';
 import Controller from '@ember/controller';
 import WithNamespaceResetting from 'nomad-ui/mixins/with-namespace-resetting';
 import { action } from '@ember/object';
@@ -23,7 +23,15 @@ export default class IndexController extends Controller.extend(WithNamespaceRese
 
   currentPage = 1;
 
-  @alias('model') job;
+  @computed('model.job')
+  get job() {
+    return this.model.job;
+  }
+
+  @computed('model.nodes.[]')
+  get nodes() {
+    return this.model.nodes;
+  }
 
   sortProperty = 'name';
   sortDescending = false;
diff --git a/ui/app/models/allocation.js b/ui/app/models/allocation.js
index 028ee23bf40..79db30dd155 100644
--- a/ui/app/models/allocation.js
+++ b/ui/app/models/allocation.js
@@ -30,6 +30,16 @@ export default class Allocation extends Model {
   @fragment('resources') allocatedResources;
   @attr('number') jobVersion;
 
+  // Store basic node information returned by the API to avoid the need for
+  // node:read ACL permission.
+  @attr('string') nodeName;
+  @computed
+  get shortNodeId() {
+    return this.belongsTo('node')
+      .id()
+      .split('-')[0];
+  }
+
   @attr('number') modifyIndex;
   @attr('date') modifyTime;
 
diff --git a/ui/app/routes/jobs/job/index.js b/ui/app/routes/jobs/job/index.js
index 463edee0101..b085ca744f5 100644
--- a/ui/app/routes/jobs/job/index.js
+++ b/ui/app/routes/jobs/job/index.js
@@ -1,4 +1,5 @@
 import Route from '@ember/routing/route';
+import { inject as service } from '@ember/service';
 import { collect } from '@ember/object/computed';
 import {
   watchRecord,
@@ -9,34 +10,49 @@ import {
 import WithWatchers from 'nomad-ui/mixins/with-watchers';
 
 export default class IndexRoute extends Route.extend(WithWatchers) {
+  @service can;
+  @service store;
+
   async model() {
-    // Optimizing future node look ups by preemptively loading everything
-    await this.store.findAll('node');
-    return this.modelFor('jobs.job');
+    const job = this.modelFor('jobs.job');
+    if (!job) {
+      return { job, nodes: [] };
+    }
+
+    // Optimizing future node look ups by preemptively loading all nodes if
+    // necessary and allowed.
+    if (this.can.can('read client') && job.get('hasClientStatus')) {
+      await this.store.findAll('node');
+    }
+    const nodes = this.store.peekAll('node');
+    return { job, nodes };
   }
 
   startWatchers(controller, model) {
-    if (!model) {
+    if (!model.job) {
       return;
     }
     controller.set('watchers', {
-      model: this.watch.perform(model),
-      summary: this.watchSummary.perform(model.get('summary')),
-      allocations: this.watchAllocations.perform(model),
-      evaluations: this.watchEvaluations.perform(model),
+      model: this.watch.perform(model.job),
+      summary: this.watchSummary.perform(model.job.get('summary')),
+      allocations: this.watchAllocations.perform(model.job),
+      evaluations: this.watchEvaluations.perform(model.job),
       latestDeployment:
-        model.get('supportsDeployments') && this.watchLatestDeployment.perform(model),
+        model.job.get('supportsDeployments') && this.watchLatestDeployment.perform(model.job),
       list:
-        model.get('hasChildren') &&
-        this.watchAllJobs.perform({ namespace: model.namespace.get('name') }),
-      nodes: model.get('hasClientStatus') && this.watchNodes.perform(),
+        model.job.get('hasChildren') &&
+        this.watchAllJobs.perform({ namespace: model.job.namespace.get('name') }),
+      nodes:
+        this.can.can('read client') &&
+        model.job.get('hasClientStatus') &&
+        this.watchNodes.perform(),
     });
   }
 
   setupController(controller, model) {
     // Parameterized and periodic detail pages, which list children jobs,
     // should sort by submit time.
-    if (model && ['periodic', 'parameterized'].includes(model.templateType)) {
+    if (model.job && ['periodic', 'parameterized'].includes(model.job.templateType)) {
       controller.setProperties({
         sortProperty: 'submitTime',
         sortDescending: true,
diff --git a/ui/app/templates/components/allocation-row.hbs b/ui/app/templates/components/allocation-row.hbs
index efa1915524c..934d69336d6 100644
--- a/ui/app/templates/components/allocation-row.hbs
+++ b/ui/app/templates/components/allocation-row.hbs
@@ -1,8 +1,10 @@
 <td data-test-indicators class="is-narrow">
-  {{#if this.allocation.unhealthyDrivers.length}}
-    <span data-test-icon="unhealthy-driver" class="tooltip text-center" role="tooltip" aria-label="Allocation depends on unhealthy drivers">
-      {{x-icon "alert-triangle" class="is-warning"}}
-    </span>
+  {{#if (can "read client")}}
+    {{#if this.allocation.unhealthyDrivers.length}}
+      <span data-test-icon="unhealthy-driver" class="tooltip text-center" role="tooltip" aria-label="Allocation depends on unhealthy drivers">
+        {{x-icon "alert-triangle" class="is-warning"}}
+      </span>
+    {{/if}}
   {{/if}}
   {{#if this.allocation.nextAllocation}}
     <span data-test-icon="reschedule" class="tooltip text-center" role="tooltip" aria-label="Allocation was rescheduled">
@@ -38,20 +40,28 @@
 </td>
 {{#if (eq this.context "volume")}}
   <td data-test-client>
-    <Tooltip @text={{this.allocation.node.name}}>
-      <LinkTo @route="clients.client" @model={{this.allocation.node}}>
-        {{this.allocation.node.shortId}}
-      </LinkTo>
+    <Tooltip @text={{this.allocation.nodeName}}>
+      {{#if (can "read client")}}
+        <LinkTo @route="clients.client" @model={{this.allocation.node}}>
+          {{this.allocation.shortNodeId}}
+        </LinkTo>
+      {{else}}
+        {{this.allocation.shortNodeId}}
+      {{/if}}
     </Tooltip>
   </td>
 {{/if}}
 {{#if (or (eq this.context "taskGroup") (eq this.context "job"))}}
   <td data-test-job-version>{{this.allocation.jobVersion}}</td>
   <td data-test-client>
-    <Tooltip @text={{this.allocation.node.name}}>
-      <LinkTo @route="clients.client" @model={{this.allocation.node}}>
-        {{this.allocation.node.shortId}}
-      </LinkTo>
+    <Tooltip @text={{this.allocation.nodeName}}>
+      {{#if (can "read client")}}
+        <LinkTo @route="clients.client" @model={{this.allocation.node}}>
+          {{this.allocation.shortNodeId}}
+        </LinkTo>
+      {{else}}
+        {{this.allocation.shortNodeId}}
+      {{/if}}
     </Tooltip>
   </td>
 {{else if (or (eq this.context "node") (eq this.context "volume"))}}
diff --git a/ui/app/templates/components/job-page/parameterized-child.hbs b/ui/app/templates/components/job-page/parameterized-child.hbs
index 83c6f1b0f97..e42afa68ab3 100644
--- a/ui/app/templates/components/job-page/parameterized-child.hbs
+++ b/ui/app/templates/components/job-page/parameterized-child.hbs
@@ -16,13 +16,13 @@
 
   {{#if this.job.hasClientStatus}}
     <JobPage::Parts::JobClientStatusSummary
-      @gotoClients={{this.gotoClients}}
       @job={{this.job}}
-      @jobClientStatus={{this.jobClientStatus}}
-    />
+      @nodes={{this.nodes}}
+      @forceCollapsed={{not this.shouldDisplayClientInformation}}
+      @gotoClients={{this.gotoClients}} />
   {{/if}}
 
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.job.hasClientStatus}} />
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.shouldDisplayClientInformation}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 
diff --git a/ui/app/templates/components/job-page/parts/job-client-status-summary.hbs b/ui/app/templates/components/job-page/parts/job-client-status-summary.hbs
index 837a6c34a0f..09eee819a2e 100644
--- a/ui/app/templates/components/job-page/parts/job-client-status-summary.hbs
+++ b/ui/app/templates/components/job-page/parts/job-client-status-summary.hbs
@@ -1,22 +1,28 @@
 <ListAccordion
-  data-test-job-summary
+  data-test-job-client-summary
   @source={{array this.job}}
   @key="id"
   @startExpanded={{this.isExpanded}}
   @onToggle={{action this.persist}} as |a|
 >
-  <a.head @buttonLabel={{if a.isOpen "collapse" "expand"}}>
+  <a.head
+    @buttonLabel={{if a.isOpen "collapse" "expand"}}
+    @tooltip={{if (cannot "read client") "You don’t have permission to read clients"}}
+    @isDisabled={{cannot "read client"}}
+  >
     <div class="columns">
       <div class="column is-minimum nowrap">
         Job Status in Client
-        <span class="badge {{if a.isOpen "is-white" "is-light"}}">
-          {{this.jobClientStatus.totalNodes}}
-        </span>
+        {{#if this.jobClientStatus}}
+          <span class="badge {{if a.isOpen "is-white" "is-light"}}">
+            {{this.jobClientStatus.totalNodes}}
+          </span>
+        {{/if}}
         <span class="tooltip multiline" aria-label="Aggreate status of job's allocations in each client.">
           {{x-icon "info-circle-outline" class="is-faded"}}
         </span>
       </div>
-      {{#unless a.isOpen}}
+      {{#if (and this.jobClientStatus (not a.isOpen))}}
         <div class="column">
           <div class="inline-chart bumper-left">
             <JobClientStatusBar
@@ -27,29 +33,31 @@
             />
           </div>
         </div>
-      {{/unless}}
+      {{/if}}
     </div>
   </a.head>
   <a.body>
-    <JobClientStatusBar
-      @onSliceClick={{action this.onSliceClick}}
-      @job={{this.job}}
-      @jobClientStatus={{this.jobClientStatus}}
-      class="split-view" as |chart|
-    >
-      <ol data-test-legend class="legend">
-        {{#each chart.data as |datum index|}}
-          <li data-test-legent-label="{{datum.className}}" class="{{datum.className}} {{if (eq datum.label chart.activeDatum.label) "is-active"}} {{if (eq datum.value 0) "is-empty" "is-clickable"}}">
-            {{#if (gt datum.value 0)}}
-              <LinkTo @route="jobs.job.clients" @model={{this.job}} @query={{datum.legendLink.queryParams}}>
+    {{#if this.jobClientStatus}}
+      <JobClientStatusBar
+        @onSliceClick={{action this.onSliceClick}}
+        @job={{this.job}}
+        @jobClientStatus={{this.jobClientStatus}}
+        class="split-view" as |chart|
+      >
+        <ol data-test-legend class="legend">
+          {{#each chart.data as |datum index|}}
+            <li data-test-legent-label="{{datum.className}}" class="{{datum.className}} {{if (eq datum.label chart.activeDatum.label) "is-active"}} {{if (eq datum.value 0) "is-empty" "is-clickable"}}">
+              {{#if (gt datum.value 0)}}
+                <LinkTo @route="jobs.job.clients" @model={{this.job}} @query={{datum.legendLink.queryParams}}>
+                  <JobPage::Parts::SummaryLegendItem @datum={{datum}} @index={{index}} />
+                </LinkTo>
+              {{else}}
                 <JobPage::Parts::SummaryLegendItem @datum={{datum}} @index={{index}} />
-              </LinkTo>
-            {{else}}
-              <JobPage::Parts::SummaryLegendItem @datum={{datum}} @index={{index}} />
-            {{/if}}
-          </li>
-        {{/each}}
-      </ol>
-    </JobClientStatusBar>
+              {{/if}}
+            </li>
+          {{/each}}
+        </ol>
+      </JobClientStatusBar>
+    {{/if}}
   </a.body>
 </ListAccordion>
diff --git a/ui/app/templates/components/job-page/periodic-child.hbs b/ui/app/templates/components/job-page/periodic-child.hbs
index 65bcad3cc93..61ec3e17974 100644
--- a/ui/app/templates/components/job-page/periodic-child.hbs
+++ b/ui/app/templates/components/job-page/periodic-child.hbs
@@ -16,13 +16,13 @@
 
   {{#if this.job.hasClientStatus}}
     <JobPage::Parts::JobClientStatusSummary
-      @gotoClients={{this.gotoClients}}
       @job={{this.job}}
-      @jobClientStatus={{this.jobClientStatus}}
-    />
+      @nodes={{this.nodes}}
+      @forceCollapsed={{not this.shouldDisplayClientInformation}}
+      @gotoClients={{this.gotoClients}} />
   {{/if}}
 
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.job.hasClientStatus}} />
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.shouldDisplayClientInformation}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 
diff --git a/ui/app/templates/components/job-page/sysbatch.hbs b/ui/app/templates/components/job-page/sysbatch.hbs
index c5fd40faaa3..429002bf0fb 100644
--- a/ui/app/templates/components/job-page/sysbatch.hbs
+++ b/ui/app/templates/components/job-page/sysbatch.hbs
@@ -7,10 +7,11 @@
 
   <JobPage::Parts::JobClientStatusSummary
     @job={{this.job}}
-    @jobClientStatus={{this.jobClientStatus}}
+    @nodes={{this.nodes}}
+    @forceCollapsed={{not this.shouldDisplayClientInformation}}
     @gotoClients={{this.gotoClients}} />
 
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed="true" />
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.shouldDisplayClientInformation}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 
diff --git a/ui/app/templates/components/job-page/system.hbs b/ui/app/templates/components/job-page/system.hbs
index 76b1ad7c225..16a85e4405b 100644
--- a/ui/app/templates/components/job-page/system.hbs
+++ b/ui/app/templates/components/job-page/system.hbs
@@ -13,10 +13,11 @@
 
   <JobPage::Parts::JobClientStatusSummary
     @job={{this.job}}
-    @jobClientStatus={{this.jobClientStatus}}
+    @nodes={{this.nodes}}
+    @forceCollapsed={{not this.shouldDisplayClientInformation}}
     @gotoClients={{this.gotoClients}} />
 
-  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed="true" />
+  <JobPage::Parts::Summary @job={{this.job}} @forceCollapsed={{this.shouldDisplayClientInformation}} />
 
   <JobPage::Parts::PlacementFailures @job={{this.job}} />
 
diff --git a/ui/app/templates/components/job-subnav.hbs b/ui/app/templates/components/job-subnav.hbs
index 67d9974dbc5..eb33c641961 100644
--- a/ui/app/templates/components/job-subnav.hbs
+++ b/ui/app/templates/components/job-subnav.hbs
@@ -8,7 +8,7 @@
     {{/if}}
     <li data-test-tab="allocations"><LinkTo @route="jobs.job.allocations" @query={{hash namespace=this.job.namespace.id}} @model={{@job}} @activeClass="is-active">Allocations</LinkTo></li>
     <li data-test-tab="evaluations"><LinkTo @route="jobs.job.evaluations" @query={{hash namespace=this.job.namespace.id}} @model={{@job}} @activeClass="is-active">Evaluations</LinkTo></li>
-    {{#if (and this.job.hasClientStatus (not this.job.hasChildren))}}
+    {{#if (and (can "read client") (and this.job.hasClientStatus (not this.job.hasChildren)))}}
       <li data-test-tab="clients"><LinkTo @route="jobs.job.clients" @query={{hash namespace=this.job.namespace.id}} @model={{@job}} @activeClass="is-active">Clients</LinkTo></li>
     {{/if}}
   </ul>
diff --git a/ui/app/templates/components/list-accordion/accordion-head.hbs b/ui/app/templates/components/list-accordion/accordion-head.hbs
index 16359b72402..52e9931ddf3 100644
--- a/ui/app/templates/components/list-accordion/accordion-head.hbs
+++ b/ui/app/templates/components/list-accordion/accordion-head.hbs
@@ -3,7 +3,9 @@
 </div>
 <button
   data-test-accordion-toggle
-  class="button is-light is-compact pull-right accordion-toggle {{unless this.isExpandable "is-invisible"}}"
+  class="button is-light is-compact pull-right accordion-toggle {{unless this.isExpandable "is-invisible"}} {{if this.tooltip "tooltip multiline"}}"
+  disabled={{if this.isDisabled "disabled"}}
+  aria-label={{this.tooltip}}
   onclick={{action (if this.isOpen this.onClose this.onOpen) this.item}}
   type="button">
   {{this.buttonLabel}}
diff --git a/ui/app/templates/components/task-row.hbs b/ui/app/templates/components/task-row.hbs
index 5974051d9fc..16183646b96 100644
--- a/ui/app/templates/components/task-row.hbs
+++ b/ui/app/templates/components/task-row.hbs
@@ -1,9 +1,11 @@
 <td class="is-narrow">
-  {{#unless this.task.driverStatus.healthy}}
-    <span data-test-icon="unhealthy-driver" class="tooltip text-center" aria-label="{{this.task.driver}} is unhealthy">
-      {{x-icon "alert-triangle" class="is-warning"}}
-    </span>
-  {{/unless}}
+  {{#if (can "read client")}}
+    {{#unless this.task.driverStatus.healthy}}
+      <span data-test-icon="unhealthy-driver" class="tooltip text-center" aria-label="{{this.task.driver}} is unhealthy">
+        {{x-icon "alert-triangle" class="is-warning"}}
+      </span>
+    {{/unless}}
+  {{/if}}
 </td>
 <td data-test-name class="nowrap">
   <LinkTo @route="allocations.allocation.task" @models={{array this.task.allocation this.task}} class="is-primary">
diff --git a/ui/app/templates/jobs/job/index.hbs b/ui/app/templates/jobs/job/index.hbs
index 41834690f89..ba448b9a55c 100644
--- a/ui/app/templates/jobs/job/index.hbs
+++ b/ui/app/templates/jobs/job/index.hbs
@@ -1,6 +1,7 @@
-{{page-title "Job " this.model.name}}
-{{component (concat "job-page/" this.model.templateType)
-  job=this.model
+{{page-title "Job " this.job.name}}
+{{component (concat "job-page/" this.job.templateType)
+  job=this.job
+  nodes=this.nodes
   sortProperty=this.sortProperty
   sortDescending=this.sortDescending
   currentPage=this.currentPage
diff --git a/ui/app/utils/properties/job-client-status.js b/ui/app/utils/properties/job-client-status.js
index c6482076c06..d0e5e78fcef 100644
--- a/ui/app/utils/properties/job-client-status.js
+++ b/ui/app/utils/properties/job-client-status.js
@@ -35,7 +35,7 @@ export default function jobClientStatus(nodesKey, jobKey) {
       // Group the job allocations by the ID of the client that is running them.
       const allocsByNodeID = {};
       job.allocations.forEach(a => {
-        const nodeId = a.node.get('id');
+        const nodeId = a.belongsTo('node').id();
         if (!allocsByNodeID[nodeId]) {
           allocsByNodeID[nodeId] = [];
         }
diff --git a/ui/mirage/factories/allocation.js b/ui/mirage/factories/allocation.js
index d433340bc58..feb840ac085 100644
--- a/ui/mirage/factories/allocation.js
+++ b/ui/mirage/factories/allocation.js
@@ -175,6 +175,7 @@ export default Factory.extend({
       namespace,
       jobId: job.id,
       nodeId: node.id,
+      nodeName: node.name,
       taskStateIds: [],
       taskResourceIds: [],
       taskGroup: taskGroup.name,
diff --git a/ui/tests/acceptance/allocation-detail-test.js b/ui/tests/acceptance/allocation-detail-test.js
index f3b5c0ed2ef..d1fd9defe6e 100644
--- a/ui/tests/acceptance/allocation-detail-test.js
+++ b/ui/tests/acceptance/allocation-detail-test.js
@@ -6,6 +6,7 @@ import { setupApplicationTest } from 'ember-qunit';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import a11yAudit from 'nomad-ui/tests/helpers/a11y-audit';
 import Allocation from 'nomad-ui/tests/pages/allocations/detail';
+import Tokens from 'nomad-ui/tests/pages/settings/tokens';
 import moment from 'moment';
 import formatHost from 'nomad-ui/utils/format-host';
 
@@ -45,6 +46,8 @@ module('Acceptance | allocation detail', function(hooks) {
       driver: 'docker',
     });
 
+    window.localStorage.clear();
+
     await Allocation.visit({ id: allocation.id });
   });
 
@@ -177,6 +180,26 @@ module('Acceptance | allocation detail', function(hooks) {
   });
 
   test('tasks with an unhealthy driver have a warning icon', async function(assert) {
+    // Driver health status require node:read permission.
+    const policy = server.create('policy', {
+      id: 'node-read',
+      name: 'node-read',
+      rulesJSON: {
+        Node: {
+          Policy: 'read',
+        },
+      },
+    });
+    const clientToken = server.create('token', { type: 'client' });
+    clientToken.policyIds = [policy.id];
+    clientToken.save();
+
+    // Since the page is already visited in the beforeEach hook, setting the
+    // localStorage directly is not enough.
+    await Tokens.visit();
+    await Tokens.secret(clientToken.secretId).submit();
+    await Allocation.visit({ id: allocation.id });
+
     assert.ok(Allocation.firstUnhealthyTask().hasUnhealthyDriver, 'Warning is shown');
   });
 
@@ -271,7 +294,9 @@ module('Acceptance | allocation detail', function(hooks) {
     await Allocation.stop.confirm();
 
     assert.equal(
-      server.pretender.handledRequests.reject(request => request.url.includes('fuzzy')).findBy('method', 'POST').url,
+      server.pretender.handledRequests
+        .reject(request => request.url.includes('fuzzy'))
+        .findBy('method', 'POST').url,
       `/v1/allocation/${allocation.id}/stop`,
       'Stop request is made for the allocation'
     );
@@ -381,6 +406,7 @@ module('Acceptance | allocation detail (preemptions)', function(hooks) {
     server.create('agent');
     node = server.create('node');
     job = server.create('job', { createAllocations: false });
+    window.localStorage.clear();
   });
 
   test('shows a dedicated section to the allocation that preempted this allocation', async function(assert) {
@@ -463,6 +489,32 @@ module('Acceptance | allocation detail (preemptions)', function(hooks) {
       server.db.nodes.find(preemption.nodeId).id.split('-')[0],
       'Node ID'
     );
+  });
+
+  test('clicking the client ID in the preempted allocation row naviates to the client page', async function(assert) {
+    // Navigating to the client page requires node:read permission.
+    const policy = server.create('policy', {
+      id: 'node-read',
+      name: 'node-read',
+      rulesJSON: {
+        Node: {
+          Policy: 'read',
+        },
+      },
+    });
+    const clientToken = server.create('token', { type: 'client' });
+    clientToken.policyIds = [policy.id];
+    clientToken.save();
+    window.localStorage.nomadTokenSecret = clientToken.secretId;
+
+    allocation = server.create('allocation', 'preempter');
+    await Allocation.visit({ id: allocation.id });
+
+    const preemption = allocation.preemptedAllocations
+      .map(id => server.schema.find('allocation', id))
+      .sortBy('modifyIndex')
+      .reverse()[0];
+    const preemptionRow = Allocation.preemptions.objectAt(0);
 
     await preemptionRow.visitClient();
     assert.equal(currentURL(), `/clients/${preemption.nodeId}`, 'Node links to node page');
diff --git a/ui/tests/acceptance/task-group-detail-test.js b/ui/tests/acceptance/task-group-detail-test.js
index 9f14c3f4761..1b76705fe36 100644
--- a/ui/tests/acceptance/task-group-detail-test.js
+++ b/ui/tests/acceptance/task-group-detail-test.js
@@ -282,9 +282,30 @@ module('Acceptance | task group detail', function(hooks) {
       Object.keys(taskGroup.volumes).length ? 'Yes' : '',
       'Volumes'
     );
+  });
 
-    await allocationRow.visitClient();
+  test('clicking the client ID in the allocation row naviates to the client page', async function(assert) {
+    // Navigating to the client page requires node:read permission.
+    const policy = server.create('policy', {
+      id: 'node-read',
+      name: 'node-read',
+      rulesJSON: {
+        Node: {
+          Policy: 'read',
+        },
+      },
+    });
+    const clientToken = server.create('token', { type: 'client' });
+    clientToken.policyIds = [policy.id];
+    clientToken.save();
+    window.localStorage.nomadTokenSecret = clientToken.secretId;
+
+    await TaskGroup.visit({ id: job.id, name: taskGroup.name });
 
+    const allocation = allocations.sortBy('modifyIndex').reverse()[0];
+    const allocationRow = TaskGroup.allocations.objectAt(0);
+
+    await allocationRow.visitClient();
     assert.equal(currentURL(), `/clients/${allocation.nodeId}`, 'Node links to node page');
   });
 
diff --git a/ui/tests/helpers/module-for-job.js b/ui/tests/helpers/module-for-job.js
index d631a374ca7..50ce97eee7a 100644
--- a/ui/tests/helpers/module-for-job.js
+++ b/ui/tests/helpers/module-for-job.js
@@ -3,6 +3,7 @@ import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { setupMirage } from 'ember-cli-mirage/test-support';
 import JobDetail from 'nomad-ui/tests/pages/jobs/detail';
+import Tokens from 'nomad-ui/tests/pages/settings/tokens';
 
 // eslint-disable-next-line ember/no-test-module-for
 export default function moduleForJob(title, context, jobFactory, additionalTests) {
@@ -30,19 +31,28 @@ export default function moduleForJob(title, context, jobFactory, additionalTests
     });
 
     test('visiting /jobs/:job_id', async function(assert) {
-      assert.equal(
-        currentURL(),
-        urlWithNamespace(`/jobs/${encodeURIComponent(job.id)}`, job.namespace)
+      const expectedURL = new URL(
+        urlWithNamespace(`/jobs/${encodeURIComponent(job.id)}`, job.namespace),
+        window.location
       );
+      const gotURL = new URL(currentURL(), window.location);
+
+      assert.deepEqual(gotURL.path, expectedURL.path);
+      assert.deepEqual(gotURL.searchParams, expectedURL.searchParams);
       assert.equal(document.title, `Job ${job.name} - Nomad`);
     });
 
     test('the subnav links to overview', async function(assert) {
       await JobDetail.tabFor('overview').visit();
-      assert.equal(
-        currentURL(),
-        urlWithNamespace(`/jobs/${encodeURIComponent(job.id)}`, job.namespace)
+
+      const expectedURL = new URL(
+        urlWithNamespace(`/jobs/${encodeURIComponent(job.id)}`, job.namespace),
+        window.location
       );
+      const gotURL = new URL(currentURL(), window.location);
+
+      assert.deepEqual(gotURL.path, expectedURL.path);
+      assert.deepEqual(gotURL.searchParams, expectedURL.searchParams);
     });
 
     test('the subnav links to definition', async function(assert) {
@@ -128,6 +138,23 @@ export function moduleForJobWithClientStatus(title, jobFactory, additionalTests)
     setupMirage(hooks);
 
     hooks.beforeEach(async function() {
+      // Displaying the job status in client requires node:read permission.
+      const policy = server.create('policy', {
+        id: 'node-read',
+        name: 'node-read',
+        rulesJSON: {
+          Node: {
+            Policy: 'read',
+          },
+        },
+      });
+      const clientToken = server.create('token', { type: 'client' });
+      clientToken.policyIds = [policy.id];
+      clientToken.save();
+
+      window.localStorage.clear();
+      window.localStorage.nomadTokenSecret = clientToken.secretId;
+
       const clients = server.createList('node', 3, {
         datacenter: 'dc1',
         status: 'ready',
@@ -143,6 +170,23 @@ export function moduleForJobWithClientStatus(title, jobFactory, additionalTests)
       }
     });
 
+    test('job status summary is collapsed when not authorized', async function(assert) {
+      const clientToken = server.create('token', { type: 'client' });
+      await Tokens.visit();
+      await Tokens.secret(clientToken.secretId).submit();
+
+      await JobDetail.visit({ id: job.id, namespace: job.namespace });
+
+      assert.ok(
+        JobDetail.jobClientStatusSummary.toggle.isDisabled,
+        'Job client status summar is disabled'
+      );
+      assert.equal(
+        JobDetail.jobClientStatusSummary.toggle.tooltip,
+        'You don’t have permission to read clients'
+      );
+    });
+
     test('the subnav links to clients', async function(assert) {
       await JobDetail.tabFor('clients').visit();
       assert.equal(
@@ -153,13 +197,13 @@ export function moduleForJobWithClientStatus(title, jobFactory, additionalTests)
 
     test('job status summary is shown in the overview', async function(assert) {
       assert.ok(
-        JobDetail.jobClientStatusSummary.isPresent,
+        JobDetail.jobClientStatusSummary.statusBar.isPresent,
         'Summary bar is displayed in the Job Status in Client summary section'
       );
     });
 
     test('clicking legend item navigates to a pre-filtered clients table', async function(assert) {
-      const legendItem = JobDetail.jobClientStatusSummary.legend.clickableItems[0];
+      const legendItem = JobDetail.jobClientStatusSummary.statusBar.legend.clickableItems[0];
       const status = legendItem.label;
       await legendItem.click();
 
@@ -174,7 +218,7 @@ export function moduleForJobWithClientStatus(title, jobFactory, additionalTests)
     });
 
     test('clicking in a slice takes you to a pre-filtered clients table', async function(assert) {
-      const slice = JobDetail.jobClientStatusSummary.slices[0];
+      const slice = JobDetail.jobClientStatusSummary.statusBar.slices[0];
       const status = slice.label;
       await slice.click();
 
diff --git a/ui/tests/integration/components/allocation-row-test.js b/ui/tests/integration/components/allocation-row-test.js
index 018d6ba9e8d..e363f74541f 100644
--- a/ui/tests/integration/components/allocation-row-test.js
+++ b/ui/tests/integration/components/allocation-row-test.js
@@ -14,10 +14,12 @@ module('Integration | Component | allocation row', function(hooks) {
   hooks.beforeEach(function() {
     fragmentSerializerInitializer(this.owner);
     this.store = this.owner.lookup('service:store');
+    this.token = this.owner.lookup('service:token');
     this.server = startMirage();
     this.server.create('namespace');
     this.server.create('node');
     this.server.create('job', { createAllocations: false });
+    window.localStorage.clear();
   });
 
   hooks.afterEach(function() {
@@ -79,6 +81,24 @@ module('Integration | Component | allocation row', function(hooks) {
   });
 
   test('Allocation row shows warning when it requires drivers that are unhealthy on the node it is running on', async function(assert) {
+    // Driver health status require node:read permission.
+    const policy = server.create('policy', {
+      id: 'node-read',
+      name: 'node-read',
+      rulesJSON: {
+        Node: {
+          Policy: 'read',
+        },
+      },
+    });
+    const clientToken = server.create('token', { type: 'client' });
+    clientToken.policyIds = [policy.id];
+    clientToken.save();
+
+    // Set and fetch ACL token.
+    window.localStorage.nomadTokenSecret = clientToken.secretId;
+    this.token.fetchSelfTokenAndPolicies.perform();
+
     const node = this.server.schema.nodes.first();
     const drivers = node.drivers;
     Object.values(drivers).forEach(driver => {
diff --git a/ui/tests/pages/jobs/detail.js b/ui/tests/pages/jobs/detail.js
index 38b45294a11..d077e8c8630 100644
--- a/ui/tests/pages/jobs/detail.js
+++ b/ui/tests/pages/jobs/detail.js
@@ -72,7 +72,17 @@ export default create({
     return this.packStats.toArray().findBy('id', id);
   },
 
-  jobClientStatusSummary: jobClientStatusBar('[data-test-job-client-status-bar]'),
+  jobClientStatusSummary: {
+    scope: '[data-test-job-client-summary]',
+    statusBar: jobClientStatusBar('[data-test-job-client-status-bar]'),
+    toggle: {
+      scope: '[data-test-accordion-head] [data-test-accordion-toggle]',
+      click: clickable(),
+      isDisabled: attribute('disabled'),
+      tooltip: attribute('aria-label'),
+    },
+  },
+
   childrenSummary: isPresent('[data-test-job-summary] [data-test-children-status-bar]'),
   allocationsSummary: isPresent('[data-test-job-summary] [data-test-allocation-status-bar]'),
 
diff --git a/ui/tests/unit/abilities/client-test.js b/ui/tests/unit/abilities/client-test.js
index 9b0ebd59d86..2a9fe998610 100644
--- a/ui/tests/unit/abilities/client-test.js
+++ b/ui/tests/unit/abilities/client-test.js
@@ -8,26 +8,28 @@ module('Unit | Ability | client', function(hooks) {
   setupTest(hooks);
   setupAbility('client')(hooks);
 
-  test('it permits client write when ACLs are disabled', function(assert) {
+  test('it permits client read and write when ACLs are disabled', function(assert) {
     const mockToken = Service.extend({
       aclEnabled: false,
     });
     this.owner.register('service:token', mockToken);
 
+    assert.ok(this.ability.canRead);
     assert.ok(this.ability.canWrite);
   });
 
-  test('it permits client write for management tokens', function(assert) {
+  test('it permits client read and write for management tokens', function(assert) {
     const mockToken = Service.extend({
       aclEnabled: true,
       selfToken: { type: 'management' },
     });
     this.owner.register('service:token', mockToken);
 
+    assert.ok(this.ability.canRead);
     assert.ok(this.ability.canWrite);
   });
 
-  test('it permits client write for tokens with a policy that has node-write', function(assert) {
+  test('it permits client read and write for tokens with a policy that has node-write', function(assert) {
     const mockToken = Service.extend({
       aclEnabled: true,
       selfToken: { type: 'client' },
@@ -43,10 +45,11 @@ module('Unit | Ability | client', function(hooks) {
     });
     this.owner.register('service:token', mockToken);
 
+    assert.ok(this.ability.canRead);
     assert.ok(this.ability.canWrite);
   });
 
-  test('it permits client write for tokens with a policy that allows write and another policy that disallows it', function(assert) {
+  test('it permits client read and write for tokens with a policy that allows write and another policy that disallows it', function(assert) {
     const mockToken = Service.extend({
       aclEnabled: true,
       selfToken: { type: 'client' },
@@ -69,10 +72,11 @@ module('Unit | Ability | client', function(hooks) {
     });
     this.owner.register('service:token', mockToken);
 
+    assert.ok(this.ability.canRead);
     assert.ok(this.ability.canWrite);
   });
 
-  test('it blocks client write for tokens with a policy that does not allow node-write', function(assert) {
+  test('it permits client read and blocks client write for tokens with a policy that does not allow node-write', function(assert) {
     const mockToken = Service.extend({
       aclEnabled: true,
       selfToken: { type: 'client' },
@@ -88,6 +92,23 @@ module('Unit | Ability | client', function(hooks) {
     });
     this.owner.register('service:token', mockToken);
 
+    assert.ok(this.ability.canRead);
+    assert.notOk(this.ability.canWrite);
+  });
+
+  test('it blocks client read and write for tokens without a node policy', function(assert) {
+    const mockToken = Service.extend({
+      aclEnabled: true,
+      selfToken: { type: 'client' },
+      selfTokenPolicies: [
+        {
+          rulesJSON: {},
+        },
+      ],
+    });
+    this.owner.register('service:token', mockToken);
+
+    assert.notOk(this.ability.canRead);
     assert.notOk(this.ability.canWrite);
   });
 });
diff --git a/ui/tests/unit/utils/job-client-status-test.js b/ui/tests/unit/utils/job-client-status-test.js
index 801f505ab23..70a6532a49e 100644
--- a/ui/tests/unit/utils/job-client-status-test.js
+++ b/ui/tests/unit/utils/job-client-status-test.js
@@ -35,6 +35,22 @@ class NodeMock {
   }
 }
 
+class AllocationMock {
+  constructor(node, clientStatus) {
+    this.node = node;
+    this.clientStatus = clientStatus;
+  }
+
+  belongsTo() {
+    const self = this;
+    return {
+      id() {
+        return self.node.id;
+      },
+    };
+  }
+}
+
 module('Unit | Util | JobClientStatus', function() {
   test('it handles the case where all nodes are running', async function(assert) {
     const node = new NodeMock('node-1', 'dc1');
@@ -42,7 +58,7 @@ module('Unit | Util | JobClientStatus', function() {
     const job = {
       datacenters: ['dc1'],
       status: 'running',
-      allocations: [{ node, clientStatus: 'running' }],
+      allocations: [new AllocationMock(node, 'running')],
       taskGroups: [{}],
     };
     const expected = {
@@ -75,9 +91,9 @@ module('Unit | Util | JobClientStatus', function() {
       datacenters: ['dc1'],
       status: 'running',
       allocations: [
-        { node, clientStatus: 'running' },
-        { node, clientStatus: 'failed' },
-        { node, clientStatus: 'running' },
+        new AllocationMock(node, 'running'),
+        new AllocationMock(node, 'failed'),
+        new AllocationMock(node, 'running'),
       ],
       taskGroups: [{}, {}, {}],
     };
@@ -111,9 +127,9 @@ module('Unit | Util | JobClientStatus', function() {
       datacenters: ['dc1'],
       status: 'running',
       allocations: [
-        { node, clientStatus: 'lost' },
-        { node, clientStatus: 'lost' },
-        { node, clientStatus: 'lost' },
+        new AllocationMock(node, 'lost'),
+        new AllocationMock(node, 'lost'),
+        new AllocationMock(node, 'lost'),
       ],
       taskGroups: [{}, {}, {}],
     };
@@ -147,9 +163,9 @@ module('Unit | Util | JobClientStatus', function() {
       datacenters: ['dc1'],
       status: 'running',
       allocations: [
-        { node, clientStatus: 'failed' },
-        { node, clientStatus: 'failed' },
-        { node, clientStatus: 'failed' },
+        new AllocationMock(node, 'failed'),
+        new AllocationMock(node, 'failed'),
+        new AllocationMock(node, 'failed'),
       ],
       taskGroups: [{}, {}, {}],
     };
@@ -183,9 +199,9 @@ module('Unit | Util | JobClientStatus', function() {
       datacenters: ['dc1'],
       status: 'running',
       allocations: [
-        { node, clientStatus: 'running' },
-        { node, clientStatus: 'running' },
-        { node, clientStatus: 'running' },
+        new AllocationMock(node, 'running'),
+        new AllocationMock(node, 'running'),
+        new AllocationMock(node, 'running'),
       ],
       taskGroups: [{}, {}, {}, {}],
     };
@@ -251,9 +267,9 @@ module('Unit | Util | JobClientStatus', function() {
       datacenters: ['dc1'],
       status: 'pending',
       allocations: [
-        { node, clientStatus: 'starting' },
-        { node, clientStatus: 'starting' },
-        { node, clientStatus: 'starting' },
+        new AllocationMock(node, 'starting'),
+        new AllocationMock(node, 'starting'),
+        new AllocationMock(node, 'starting'),
       ],
       taskGroups: [{}, {}, {}, {}],
     };
@@ -288,9 +304,9 @@ module('Unit | Util | JobClientStatus', function() {
       datacenters: ['dc1'],
       status: 'running',
       allocations: [
-        { node: node1, clientStatus: 'running' },
-        { node: node2, clientStatus: 'failed' },
-        { node: node1, clientStatus: 'running' },
+        new AllocationMock(node1, 'running'),
+        new AllocationMock(node2, 'failed'),
+        new AllocationMock(node1, 'running'),
       ],
       taskGroups: [{}, {}],
     };