diff --git a/Documentation/access-control.txt b/Documentation/access-control.txt
index 8b2fd64f68..8ff2eb6238 100644
--- a/Documentation/access-control.txt
+++ b/Documentation/access-control.txt
@@ -1311,6 +1311,12 @@ capability allows the granted group to
 link:cmd-show-connections.html[look at Gerrit's current connections via ssh].
 
 
+[[capability_viewPlugins]]
+=== View Plugins
+
+Allow viewing the list of installed plugins.
+
+
 [[capability_viewQueue]]
 === View Queue
 
diff --git a/Documentation/rest-api-accounts.txt b/Documentation/rest-api-accounts.txt
index ac5bd54a3c..28014295f9 100644
--- a/Documentation/rest-api-accounts.txt
+++ b/Documentation/rest-api-accounts.txt
@@ -659,6 +659,7 @@ Administrator that has authenticated with digest authentication:
     "viewCaches": true,
     "flushCaches": true,
     "viewConnections": true,
+    "viewPlugins": true,
     "viewQueue": true,
     "runGC": true
   }
@@ -1145,6 +1146,8 @@ link:access-control.html#capability_viewCaches[View Caches] capability.
 |`viewConnections`   |not set if `false`|Whether the user has the
 link:access-control.html#capability_viewConnections[View Connections]
 capability.
+|`viewPlugins`       |not set if `false`|Whether the user has the
+link:access-control.html#capability_viewPlugins[View Plugins] capability.
 |`viewQueue`         |not set if `false`|Whether the user has the
 link:access-control.html#capability_viewQueue[View Queue] capability.
 |=================================
diff --git a/Documentation/rest-api-config.txt b/Documentation/rest-api-config.txt
index 6c02bb66c1..6a3b34ea35 100644
--- a/Documentation/rest-api-config.txt
+++ b/Documentation/rest-api-config.txt
@@ -126,6 +126,11 @@ The entries in the map are sorted by capability ID.
       "id": "viewConnections",
       "name": "View Connections"
     },
+    "viewPlugins": {
+      "kind": "gerritcodereview#capability",
+      "id": "viewPlugins",
+      "name": "View Plugins"
+    },
     "viewQueue": {
       "kind": "gerritcodereview#capability",
       "id": "viewQueue",
diff --git a/Documentation/rest-api-plugins.txt b/Documentation/rest-api-plugins.txt
index 89a22f0c3f..0011213a16 100644
--- a/Documentation/rest-api-plugins.txt
+++ b/Documentation/rest-api-plugins.txt
@@ -23,6 +23,10 @@ namespace.
 Lists the plugins installed on the Gerrit server. Only the enabled
 plugins are returned unless the `all` option is specified.
 
+To be allowed to see the installed plugins, a user must be a member of
+a group that is granted the 'View Plugins' capability or the
+'Administrate Server' capability.
+
 As result a map is returned that maps the plugin IDs to
 link:#plugin-info[PluginInfo] entries. The entries in the map are sorted
 by plugin ID.
diff --git a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
index dbc1dd8dc7..adbf10aced 100644
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/account/CapabilityInfo.java
@@ -32,6 +32,7 @@ class CapabilityInfo {
   public boolean viewAllAccounts;
   public boolean viewCaches;
   public boolean viewConnections;
+  public boolean viewPlugins;
   public boolean viewQueue;
 
   static class QueryLimit {
diff --git a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
index 80a04fa2fc..d9ad274374 100644
--- a/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/GlobalCapability.java
@@ -88,6 +88,9 @@ public class GlobalCapability {
   /** Can view open connections to the server's SSH port. */
   public static final String VIEW_CONNECTIONS = "viewConnections";
 
+  /** Can view all installed plugins. */
+  public static final String VIEW_PLUGINS = "viewPlugins";
+
   /** Can view all pending tasks in the queue (not just the filtered set). */
   public static final String VIEW_QUEUE = "viewQueue";
 
@@ -112,6 +115,7 @@ public class GlobalCapability {
     NAMES_ALL.add(VIEW_ALL_ACCOUNTS);
     NAMES_ALL.add(VIEW_CACHES);
     NAMES_ALL.add(VIEW_CONNECTIONS);
+    NAMES_ALL.add(VIEW_PLUGINS);
     NAMES_ALL.add(VIEW_QUEUE);
 
     NAMES_LC = new ArrayList<>(NAMES_ALL.size());
diff --git a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
index 600c8d8aaf..b7857e465f 100644
--- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
@@ -14,9 +14,9 @@
 
 package com.google.gerrit.client;
 
-import static com.google.gerrit.common.data.GlobalCapability.ADMINISTRATE_SERVER;
 import static com.google.gerrit.common.data.GlobalCapability.CREATE_GROUP;
 import static com.google.gerrit.common.data.GlobalCapability.CREATE_PROJECT;
+import static com.google.gerrit.common.data.GlobalCapability.VIEW_PLUGINS;
 
 import com.google.gerrit.client.account.AccountCapabilities;
 import com.google.gerrit.client.account.AccountInfo;
@@ -649,14 +649,14 @@ public class Gerrit implements EntryPoint {
                 PageLinks.ADMIN_CREATE_GROUP,
                 peopleBar.getWidgetIndex(groupsListMenuItem) + 1);
           }
-          if (result.canPerform(ADMINISTRATE_SERVER)) {
+          if (result.canPerform(VIEW_PLUGINS)) {
             insertLink(pluginsBar, C.menuPluginsInstalled(),
                 PageLinks.ADMIN_PLUGINS, 0);
             menuLeft.insert(pluginsBar, C.menuPlugins(),
                 menuLeft.getWidgetIndex(peopleBar) + 1);
           }
         }
-      }, CREATE_PROJECT, CREATE_GROUP, ADMINISTRATE_SERVER);
+      }, CREATE_PROJECT, CREATE_GROUP, VIEW_PLUGINS);
     }
 
     if (getConfig().isDocumentationAvailable()) {
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
index aad22eb0b7..7556173015 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/CapabilityControl.java
@@ -134,6 +134,12 @@ public class CapabilityControl {
         || canAdministrateServer();
   }
 
+  /** @return true if the user can view the installed plugins. */
+  public boolean canViewPlugins() {
+    return canPerform(GlobalCapability.VIEW_PLUGINS)
+      || canAdministrateServer();
+  }
+
   /** @return true if the user can view the entire queue. */
   public boolean canViewQueue() {
     return canPerform(GlobalCapability.VIEW_QUEUE)
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
index e02f5a2730..465ddab59a 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/GetCapabilities.java
@@ -27,6 +27,7 @@ import static com.google.gerrit.common.data.GlobalCapability.STREAM_EVENTS;
 import static com.google.gerrit.common.data.GlobalCapability.VIEW_ALL_ACCOUNTS;
 import static com.google.gerrit.common.data.GlobalCapability.VIEW_CACHES;
 import static com.google.gerrit.common.data.GlobalCapability.VIEW_CONNECTIONS;
+import static com.google.gerrit.common.data.GlobalCapability.VIEW_PLUGINS;
 import static com.google.gerrit.common.data.GlobalCapability.VIEW_QUEUE;
 
 import com.google.common.collect.Iterables;
@@ -117,6 +118,7 @@ class GetCapabilities implements RestReadView<AccountResource> {
     have.put(VIEW_ALL_ACCOUNTS, cc.canViewAllAccounts());
     have.put(VIEW_CACHES, cc.canViewCaches());
     have.put(VIEW_CONNECTIONS, cc.canViewConnections());
+    have.put(VIEW_PLUGINS, cc.canViewPlugins());
     have.put(VIEW_QUEUE, cc.canViewQueue());
 
     QueueProvider.QueueType queue = cc.getQueueType();
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
index 26081ca42f..289173b0ae 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/config/CapabilityConstants.java
@@ -38,5 +38,6 @@ public class CapabilityConstants extends TranslationBundle {
   public String viewAllAccounts;
   public String viewCaches;
   public String viewConnections;
+  public String viewPlugins;
   public String viewQueue;
 }
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java b/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java
index a2348f3f95..c3f43382f3 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/plugins/ListPlugins.java
@@ -40,7 +40,7 @@ import java.util.List;
 import java.util.Map;
 
 /** List the installed plugins. */
-@RequiresCapability(GlobalCapability.ADMINISTRATE_SERVER)
+@RequiresCapability(GlobalCapability.VIEW_PLUGINS)
 public class ListPlugins implements RestReadView<TopLevelResource> {
   private final PluginLoader pluginLoader;
 
diff --git a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
index 8d1e983dd8..9eb7d9b420 100644
--- a/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
+++ b/gerrit-server/src/main/resources/com/google/gerrit/server/config/CapabilityConstants.properties
@@ -14,4 +14,5 @@ streamEvents = Stream Events
 viewAllAccounts = View All Accounts
 viewCaches = View Caches
 viewConnections = View Connections
+viewPlugins = View Plugins
 viewQueue = View Queue