diff --git a/.zuul.yaml b/.zuul.yaml
index da61788..01a1c16 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -42,7 +42,7 @@
         test-config:
           $TEMPEST_CONFIG:
             auth:
-              tempest_roles: creator
+              create_isolated_networks: False
             image-feature-enabled:
               # this may be removed soon, as api_v1 is false since tempest>=20
               api_v1: False
@@ -159,21 +159,20 @@
     name: barbican-tempest-plugin-simple-crypto-secure-rbac
     parent: barbican-tempest-plugin-simple-crypto
     vars:
+      devstack_localrc:
+        ENFORCE_SCOPE: True
       devstack_local_conf:
-        post-config:
-          $BARBICAN_CONF:
-            oslo_policy:
-              enforce_new_defaults: True
-              enforce_scope: True
-            # (lpiwowar): Uncomment once this bug is resolved:
-            # https://bugs.launchpad.net/barbican/+bug/2043457
-            # secretstore:
-            #  enable_multiple_secret_stores: True
-            #  stores_lookup_suffix: simple_crypto
-            # secretstore:simple_crypto:
-            #  secret_store_plugin: store_crypto
-            #  crypto_plugin: simple_crypto
-            #  global_default: true
+        # (lpiwowar): Uncomment once this bug is resolved:
+        # https://bugs.launchpad.net/barbican/+bug/2043457
+        # post-config:
+        #   $BARBICAN_CONF:
+        #     secretstore:
+        #      enable_multiple_secret_stores: True
+        #      stores_lookup_suffix: simple_crypto
+        #     secretstore:simple_crypto:
+        #      secret_store_plugin: store_crypto
+        #      crypto_plugin: simple_crypto
+        #      global_default: true
         test-config:
           $TEMPEST_CONFIG:
             enforce_scope:
diff --git a/barbican_tempest_plugin/tests/api/base.py b/barbican_tempest_plugin/tests/api/base.py
index aa500f7..50ae662 100644
--- a/barbican_tempest_plugin/tests/api/base.py
+++ b/barbican_tempest_plugin/tests/api/base.py
@@ -61,8 +61,7 @@ class BaseKeyManagerTest(test.BaseTestCase,
                          api_version_utils.BaseMicroversionTest):
     """Base class for all api tests."""
 
-    # Why do I have to be an admin to create secrets? No idea...
-    credentials = ('admin', ['service_admin', 'key-manager:service-admin'])
+    credentials = ['project_admin']
     client_manager = clients.Clients
     created_objects = {}
 
@@ -88,8 +87,6 @@ class BaseKeyManagerTest(test.BaseTestCase,
         cls.secret_consumer_client = os.secret_v1_1.SecretConsumerClient()
         cls.secret_metadata_client = os.secret_v1.SecretMetadataClient()
         cls.version_client = os.secret_v1_1.VersionClient()
-
-        os = getattr(cls, 'os_roles_%s' % cls.credentials[1][0])
         cls.quota_client = os.secret_v1.QuotaClient()
 
     @classmethod
diff --git a/barbican_tempest_plugin/tests/api/test_quotas.py b/barbican_tempest_plugin/tests/api/test_quotas.py
index f2e00c1..e9cc39a 100644
--- a/barbican_tempest_plugin/tests/api/test_quotas.py
+++ b/barbican_tempest_plugin/tests/api/test_quotas.py
@@ -16,7 +16,7 @@ from barbican_tempest_plugin.tests.api import base
 
 from tempest import config
 from tempest.lib import decorators
-from tempest.lib import exceptions
+
 
 CONF = config.CONF
 
@@ -26,26 +26,19 @@ class QuotasTest(base.BaseKeyManagerTest):
 
     @decorators.idempotent_id('47ebc42b-0e53-4060-b1a1-55bee2c7c43f')
     def test_get_effective_quota(self):
-        if CONF.enforce_scope.barbican:
-            # This test is using key-manager:service-admin legacy
-            # role. User with only this role should get a Forbidden
-            # error when trying to get effective quotas in SRBAC
-            # environment.
-            self.assertRaises(
-                exceptions.Forbidden,
-                self.quota_client.get_default_project_quota)
-        else:
-            body = self.quota_client.get_default_project_quota()
-            quotas = body.get('quotas')
-            self.assertEqual(-1, quotas.get('secrets'))
-            self.assertEqual(-1, quotas.get('cas'))
-            self.assertEqual(-1, quotas.get('orders'))
-            self.assertEqual(-1, quotas.get('containers'))
-            self.assertEqual(-1, quotas.get('consumers'))
+        body = self.quota_client.get_default_project_quota()
+        quotas = body.get('quotas')
+        self.assertEqual(-1, quotas.get('secrets'))
+        self.assertEqual(-1, quotas.get('cas'))
+        self.assertEqual(-1, quotas.get('orders'))
+        self.assertEqual(-1, quotas.get('containers'))
+        self.assertEqual(-1, quotas.get('consumers'))
 
 
 class ProjectQuotasTest(base.BaseKeyManagerTest):
 
+    credentials = ['admin', ['service_admin', 'key-manager:service-admin']]
+
     @classmethod
     def skip_checks(cls):
         super().skip_checks()
@@ -56,6 +49,11 @@ class ProjectQuotasTest(base.BaseKeyManagerTest):
             raise cls.skipException("enforce_scope is enabled for barbican, "
                                     "skipping project quota tests.")
 
+    @classmethod
+    def setup_clients(cls):
+        super().setup_clients()
+        cls.quota_client = cls.os_roles_service_admin.secret_v1.QuotaClient()
+
     @decorators.idempotent_id('07dec492-7f19-4d94-a9d7-28c0643db1bc')
     def test_manage_project_quotas(self):
         # Confirm that there are no quotas