diff --git a/barbican/api/controllers/__init__.py b/barbican/api/controllers/__init__.py
index d2256122f..87df02325 100644
--- a/barbican/api/controllers/__init__.py
+++ b/barbican/api/controllers/__init__.py
@@ -219,3 +219,12 @@ class ACLMixin(object):
 acl_dict.update(co_dict)
 return acl_dict
+
+
+class SecretACLMixin(ACLMixin):
+ def get_acl_tuple(self, req, **kwargs):
+ acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)
+ acl['project_id'] = self.secret.project.external_id
+ acl['creator_id'] = self.secret.creator_id
+ return 'secret', acl
diff --git a/barbican/api/controllers/secretmeta.py b/barbican/api/controllers/secretmeta.py
index 3957e1c67..a99a21648 100644
--- a/barbican/api/controllers/secretmeta.py
+++ b/barbican/api/controllers/secretmeta.py
@@ -29,7 +29,7 @@ def _secret_metadata_not_found():
 'another castle.'))
-class SecretMetadataController(controllers.ACLMixin):
+class SecretMetadataController(controllers.SecretACLMixin):
 """Handles SecretMetadata requests by a given secret id."""
 def __init__(self, secret):
@@ -107,7 +107,7 @@ class SecretMetadataController(controllers.ACLMixin):
 return {'key': key, 'value': value}
-class SecretMetadatumController(controllers.ACLMixin):
+class SecretMetadatumController(controllers.SecretACLMixin):
 def __init__(self, secret):
 LOG.debug('=== Creating SecretMetadatumController ===')
diff --git a/barbican/api/controllers/secrets.py b/barbican/api/controllers/secrets.py
index 7e5c6ffe3..1ccc83ece 100644
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@@ -71,7 +71,7 @@ def _request_has_twsk_but_no_transport_key_id():
 'transport key id has not been provided.'))
-class SecretController(controllers.ACLMixin):
+class SecretController(controllers.SecretACLMixin):
 """Handles Secret retrieval and deletion requests."""
 def __init__(self, secret):
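Review bot: SecretACLMixin.get_acl_tuple dereferences `self.secret` in `acl = self.get_acl_dict_for_user(req, self.secret.secret_acls)` and the two lines after it, but the mixin never sets that attribute: it is an implicit contract that every controller mixing it in assigns `self.secret` (with `secret_acls`, `project.external_id` and `creator_id`) before policy enforcement calls get_acl_tuple, and nothing says so. Add a class docstring such as `"""ACL target builder for controllers scoped to one secret; subclasses must set ``self.secret`` (a secret model exposing ``secret_acls``, ``project.external_id`` and ``creator_id``) before ``get_acl_tuple`` is called."""`. `**kwargs` is unused here; if it only mirrors the signature ACLMixin's callers expect, a one-line comment saying so would stop the next reader from trying to remove it. `get_acl_dict_for_user` is defined on ACLMixin outside this hunk, so what the dict already contains before `project_id` and `creator_id` are added cannot be checked from here.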
@@ -79,12 +79,6 @@ class SecretController(controllers.ACLMixin):
 self.secret = secret
 self.transport_key_repo = repo.get_transport_key_repository()
- def get_acl_tuple(self, req, **kwargs):
- d = self.get_acl_dict_for_user(req, self.secret.secret_acls)
- d['project_id'] = self.secret.project.external_id
- d['creator_id'] = self.secret.creator_id
- return 'secret', d
-
 @pecan.expose()
 def _lookup(self, sub_resource, *remainder):
 if sub_resource == 'acl':
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index c95c7f55d..6b4cb1f3d 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -82,6 +82,9 @@ rules = [
 name='secret_project_creator',
 check_str="rule:creator and rule:secret_project_match and " +
 "rule:secret_creator_user"),
+ policy.RuleDefault(
+ name='secret_project_creator_role',
+ check_str="rule:creator and rule:secret_project_match"),
 policy.RuleDefault(
 name='container_project_admin',
 check_str="rule:admin and rule:container_project_match"),
diff --git a/barbican/common/policies/secretmeta.py b/barbican/common/policies/secretmeta.py
index 4343279b6..a6b43c376 100644
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@@ -16,7 +16,9 @@ from oslo_policy import policy
 rules = [
 policy.DocumentedRuleDefault(
 name='secret_meta:get',
- check_str='rule:all_but_audit',
+ check_str='rule:secret_non_private_read or ' +
+ 'rule:secret_project_creator or ' +
+ 'rule:secret_project_admin or rule:secret_acl_read',
 scope_types=[],
 description='metadata/: Lists a secrets user-defined metadata. || ' +
 'metadata/{key}: Retrieves a secrets user-added metadata.',
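Review bot: The new `secret_project_creator_role` rule in base.py is `secret_project_creator` with its `rule:secret_creator_user` conjunct removed, so it matches any user holding the creator role in the secret's project rather than the user who created the secret, and neither the name nor the line says so. In this change it is only ever used as `(rule:secret_project_creator_role and rule:secret_non_private_read)` in the secretmeta policies, which is what keeps it from granting creator-role members access to private secrets; a reviewer of a later policy edit would not learn that from base.py alone. Add a comment above the RuleDefault: `# Any creator-role member of the owning project, not just the secret's creator; the secret_meta rules only apply it together with rule:secret_non_private_read.`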
@@ -33,7 +35,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='secret_meta:post',
- check_str='rule:admin_or_creator',
+ check_str='rule:secret_project_admin or ' +
+ 'rule:secret_project_creator or ' +
+ '(rule:secret_project_creator_role and ' +
+ 'rule:secret_non_private_read)',
 scope_types=[],
 description='Adds a new key/value pair to the secrets user-defined ' +
 'metadata.',
@@ -46,7 +51,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='secret_meta:put',
- check_str='rule:admin_or_creator',
+ check_str='rule:secret_project_admin or ' +
+ 'rule:secret_project_creator or ' +
+ '(rule:secret_project_creator_role and ' +
+ 'rule:secret_non_private_read)',
 scope_types=[],
 description='metadata/: Sets the user-defined metadata for a secret ' +
 '|| metadata/{key}: Updates an existing key/value pair ' +
@@ -64,7 +72,10 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='secret_meta:delete',
- check_str='rule:admin_or_creator',
+ check_str='rule:secret_project_admin or ' +
+ 'rule:secret_project_creator or ' +
+ '(rule:secret_project_creator_role and ' +
+ 'rule:secret_non_private_read)',
 scope_types=[],
 description='Delete secret user-defined metadata by key.',
 operations=[
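Review bot: The four-line check_str added for `secret_meta:post` is repeated verbatim for `secret_meta:put` and `secret_meta:delete` in the two hunks that follow, so one authorization expression now lives in three places and any later tightening must be made three times to stay consistent. Define it once as a `policy.RuleDefault` in base.py beside `secret_project_creator_role` (a name like `secret_meta_write` is only a suggestion) and reference it from all three as `check_str='rule:<shared-rule-name>'`. The new expression also appears to let any creator-role member of the project modify metadata on a non-private secret they did not create, assuming `rule:secret_non_private_read`, which is defined outside this diff, means what its name says; the `description` strings are what operators read, so stating that widening there would help.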