diff --git a/test/common/services/security/role_mappings.ts b/test/common/services/security/role_mappings.ts
index 7951d4b5b47b2..267294991f30e 100644
--- a/test/common/services/security/role_mappings.ts
+++ b/test/common/services/security/role_mappings.ts
@@ -23,10 +23,24 @@ import { KbnClient, ToolingLog } from '@kbn/dev-utils';
 export class RoleMappings {
   constructor(private log: ToolingLog, private kbnClient: KbnClient) {}
 
+  public async getAll() {
+    this.log.debug(`Getting role mappings`);
+    const { data, status, statusText } = await this.kbnClient.request<Array<{ name: string }>>({
+      path: `/internal/security/role_mapping`,
+      method: 'GET',
+    });
+    if (status !== 200) {
+      throw new Error(
+        `Expected status code of 200, received ${status} ${statusText}: ${util.inspect(data)}`
+      );
+    }
+    return data;
+  }
+
   public async create(name: string, roleMapping: Record<string, any>) {
     this.log.debug(`creating role mapping ${name}`);
     const { data, status, statusText } = await this.kbnClient.request({
-      path: `/internal/security/role_mapping/${name}`,
+      path: `/internal/security/role_mapping/${encodeURIComponent(name)}`,
       method: 'POST',
       body: roleMapping,
     });
@@ -41,7 +55,7 @@ export class RoleMappings {
   public async delete(name: string) {
     this.log.debug(`deleting role mapping ${name}`);
     const { data, status, statusText } = await this.kbnClient.request({
-      path: `/internal/security/role_mapping/${name}`,
+      path: `/internal/security/role_mapping/${encodeURIComponent(name)}`,
       method: 'DELETE',
     });
     if (status !== 200 && status !== 404) {
diff --git a/x-pack/test/functional/apps/security/role_mappings.ts b/x-pack/test/functional/apps/security/role_mappings.ts
index 60c166d837933..96f16aebd11b9 100644
--- a/x-pack/test/functional/apps/security/role_mappings.ts
+++ b/x-pack/test/functional/apps/security/role_mappings.ts
@@ -17,6 +17,10 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
 
   describe('Role Mappings', function () {
     before(async () => {
+      // Delete any existing role mappings. ESS commonly sets up a role mapping automatically.
+      const existingMappings = await security.roleMappings.getAll();
+      await Promise.all(existingMappings.map((m) => security.roleMappings.delete(m.name)));
+
       await pageObjects.common.navigateToApp('roleMappings');
     });