diff --git a/barbican/common/policies/secretmeta.py b/barbican/common/policies/secretmeta.py
index 2b629bf99..ab75b51ce 100644
--- a/barbican/common/policies/secretmeta.py
+++ b/barbican/common/policies/secretmeta.py
@@ -14,13 +14,20 @@ from oslo_policy import policy
 _MEMBER = "role:member"
+_ADMIN = "role:admin"
+_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
+_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
+_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
+_SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
+
 rules = [
 policy.DocumentedRuleDefault(
 name='secret_meta:get',
 check_str='rule:secret_non_private_read or ' +
 'rule:secret_project_creator or ' +
 'rule:secret_project_admin or rule:secret_acl_read or ' +
-f'{_MEMBER}',
+f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='metadata/: Lists a secrets user-defined metadata. || ' +
 'metadata/{key}: Retrieves a secrets user-added metadata.',
@@ -40,7 +47,9 @@ rules = [
 check_str='rule:secret_project_admin or ' +
 'rule:secret_project_creator or ' +
 '(rule:secret_project_creator_role and ' +
-f'rule:secret_non_private_read) or {_MEMBER}',
+'rule:secret_non_private_read) or ' +
+f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='Adds a new key/value pair to the secrets user-defined ' +
 'metadata.',
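Review bot: The new `check_str` for `secret_meta:get` spells out the expression `({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or {_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}` inline, and the three later hunks (`@@ -40`, `@@ -56`, `@@ -77`) repeat the same two f-string lines verbatim, so the four rules can silently drift apart on a later edit; define it once beside the new constants, e.g. `_PROJECT_MEMBER_OR_ADMIN = (f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}")`, and reference `{_PROJECT_MEMBER_OR_ADMIN}` from each rule. For the same reason the `project_id:%(target.secret.project_id)s` fragment duplicated in `_PROJECT_MEMBER` and `_PROJECT_ADMIN` is better held in one `_PROJECT_MATCH` constant that both derive from, so the project-scoping check cannot differ between member and admin. Replacing the bare `f'{_MEMBER}'` branch narrows who may read secret metadata; unless a `deprecated_rule` carrying the old check string is already set on this `DocumentedRuleDefault` outside the hunk, operators who relied on plain `role:member` get no deprecation warning, so `deprecated_rule=`, `deprecated_reason=` and `deprecated_since=` should be added. Note that the legacy `rule:secret_non_private_read or ... or rule:secret_acl_read` prefix stays ORed in, so the new expression only removes the unscoped member grant and does not otherwise tighten the rule.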
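Review bot: The new branch in the `secret_meta:post` `check_str` lets any `role:member` of the secret's project add metadata whenever `target.secret.read_project_access` is true, i.e. a read-access flag is reused to authorize a write, and nothing in the hunk records why; the put (`@@ -56`) and delete (`@@ -77`) hunks do the same. This appears to mirror the legacy `(rule:secret_project_creator_role and rule:secret_non_private_read)` branch that remains ORed in above it, so it presumably does not widen access beyond what the file already allowed, but the intent belongs next to the constant rather than in reviewers' heads, e.g. `# read_project_access also gates metadata writes, matching the legacy secret_non_private_read branch; confirm no separate write flag is intended`. The three hunks also mix a single-quoted `'rule:secret_non_private_read) or ' +` fragment with double-quoted f-strings inside one concatenation; pick one quote style across the `check_str` so the long expression reads uniformly.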
@@ -56,7 +65,9 @@ rules = [
 check_str='rule:secret_project_admin or ' +
 'rule:secret_project_creator or ' +
 '(rule:secret_project_creator_role and ' +
-f'rule:secret_non_private_read) or {_MEMBER}',
+'rule:secret_non_private_read) or ' +
+f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='metadata/: Sets the user-defined metadata for a secret ' +
 '|| metadata/{key}: Updates an existing key/value pair ' +
@@ -77,7 +88,9 @@ rules = [
 check_str='rule:secret_project_admin or ' +
 'rule:secret_project_creator or ' +
 '(rule:secret_project_creator_role and ' +
-f'rule:secret_non_private_read) or {_MEMBER}',
+'rule:secret_non_private_read) or ' +
+f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
+f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
 scope_types=['project'],
 description='Delete secret user-defined metadata by key.',
 operations=[