diff --git a/cloudkitty/common/policies/base.py b/cloudkitty/common/policies/base.py
index 66c0d38e..6a8f2690 100644
--- a/cloudkitty/common/policies/base.py
+++ b/cloudkitty/common/policies/base.py
@@ -25,7 +25,9 @@ rules = [
 check_str='role:admin'),
 policy.RuleDefault(
 name='admin_or_owner',
- check_str='is_admin:True or tenant:%(tenant_id)s'),
+ check_str='is_admin:True or '
+ '(role:admin and is_admin_project:True) or '
+ 'tenant:%(tenant_id)s'),
 policy.RuleDefault(
 name='default',
 check_str=UNPROTECTED)
diff --git a/doc/source/_static/cloudkitty.policy.yaml.sample b/doc/source/_static/cloudkitty.policy.yaml.sample
index 7c99eb74..aba3443b 100644
--- a/doc/source/_static/cloudkitty.policy.yaml.sample
+++ b/doc/source/_static/cloudkitty.policy.yaml.sample
@@ -1,10 +1,7 @@
-#
 #"context_is_admin": "role:admin"
-#
-#"admin_or_owner": "is_admin:True or tenant:%(tenant_id)s"
+#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or tenant:%(tenant_id)s"
-#
 #"default": ""
 # Return the list of every services mapped to a collector.
@@ -48,7 +45,7 @@
 # GET /v1/info/config
 #"info:get_config": ""
-# Reture the list of loaded modules in Cloudkitty.
+# Return the list of loaded modules in Cloudkitty.
 # LIST /v1/rating/modules
 #"rating:list_modules": "role:admin"
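Review bot: The new `(role:admin and is_admin_project:True)` clause in `admin_or_owner` only restricts anything when the request context really carries an admin-project flag. As far as I know oslo.context defaults `is_admin_project` to True when Keystone has no admin project configured, so on such deployments the clause reduces to `role:admin` and a token with the admin role on any single project may satisfy `admin_or_owner` for every tenant. If that is intended, say so next to the rule, for example with `# NOTE: is_admin_project defaults to True when Keystone has no admin project configured; this clause is then equivalent to role:admin` or an equivalent `description=` on this `RuleDefault`, and add a release note so operators with a customised policy file re-check it. The `rules` list starts and ends outside this hunk, so how `is_admin:True` is populated is not visible here.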