diff --git a/README.md b/README.md
index b73fe95..d2f936b 100644
--- a/README.md
+++ b/README.md
@@ -67,6 +67,10 @@ Attributes
 * `cinder["rbd_pool"]` - RADOS Block Device pool to use
 * `cinder["rbd_user"]` - User for Cephx Authentication
 * `cinder["rbd_secret_uuid"]` - Secret UUID for Cephx Authentication
+* `cinder["policy"]["context_is_admin"]` - Define administrators
+* `cinder["policy"]["default"]` - default volume operations rule
+* `cinder["policy"]["admin_or_owner"]` - Define an admin or owner
+* `cinder["policy"]["admin_api"]` - Define api admin
 Testing
 =====
diff --git a/attributes/default.rb b/attributes/default.rb
index 7b03f24..52d256a 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -112,6 +112,12 @@ default["cinder"]["rbd_pool"] = "rbd"
 default["cinder"]["rbd_user"] = nil
 default["cinder"]["rbd_secret_uuid"] = nil
+# Cinder Policy defaults
+default["cinder"]["policy"]["context_is_admin"] = '["role:admin"]'
+default["cinder"]["policy"]["default"] = '["rule:admin_or_owner"]'
+default["cinder"]["policy"]["admin_or_owner"] = '["is_admin:True"], ["project_id:%(project_id)s"]'
+default["cinder"]["policy"]["admin_api"] = '["is_admin:True"]'
+
 case platform
 when "fedora", "redhat", "centos" # :pragma-foodcritic: ~FC024 - won't fix this
 default["cinder"]["platform"] = {
diff --git a/recipes/api.rb b/recipes/api.rb
index 6323957..13f1af6 100644
--- a/recipes/api.rb
+++ b/recipes/api.rb
@@ -102,3 +102,11 @@ template "/etc/cinder/api-paste.ini" do
 notifies :restart, "service[cinder-api]", :immediately
 end
+
+template "/etc/cinder/policy.json" do
+ source "policy.json.erb"
+ owner node["cinder"]["user"]
+ group node["cinder"]["group"]
+ mode 00644
+ notifies :restart, "service[cinder-api]"
+end
diff --git a/spec/api_spec.rb b/spec/api_spec.rb
index 4c703ea..2583ecd 100644
--- a/spec/api_spec.rb
+++ b/spec/api_spec.rb
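Review bot: The new policy defaults are JSON fragments held in Ruby strings, and that format is documented nowhere — neither here nor in the README entries of the first hunk — even though a value that is not a valid fragment (a missing bracket, single quotes) yields a policy.json that cannot be parsed. A comment above the block would make the contract visible: `# Each value is a JSON fragment; policy.json.erb wraps it in [...], so '["role:admin"]' renders as [["role:admin"]].` Storing Ruby arrays and serialising them in the template would remove the hand-written JSON altogether, but that is a change to both files.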
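Review bot: The new policy.json template restarts cinder-api with the default delayed timing, while the api-paste.ini template just above it uses `:immediately`; two resources in the same recipe now restart the same service on different schedules, which reads as an oversight rather than a choice. Either add `:immediately` to the new `notifies`, or state why delayed is acceptable here, e.g. `notifies :restart, "service[cinder-api]" # policy change can wait for the end of the run`. Mode `00644` is appropriate for this file, which holds access rules and no secrets.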
@@ -101,6 +101,8 @@ describe "cinder::api" do
 expect(@chef_run).to execute_command cmd
 end
+ expect_creates_policy_json "service[cinder-api]"
+
 describe "api-paste.ini" do
 before do
 @file = @chef_run.template "/etc/cinder/api-paste.ini"
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 2823379..a330b97 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -50,3 +50,23 @@ def expect_creates_cinder_conf service, action=:restart
 end
 end
 end
+
+def expect_creates_policy_json service, action=:restart
+ describe "policy.json" do
+ before do
+ @file = @chef_run.template "/etc/cinder/policy.json"
+ end
+
+ it "has proper owner" do
+ expect(@file).to be_owned_by "cinder", "cinder"
+ end
+
+ it "has proper modes" do
+ expect(sprintf("%o", @file.mode)).to eq "644"
+ end
+
+ it "notifies nova-api-ec2 restart" do
+ expect(@file).to notify service, action
+ end
+ end
+end
diff --git a/templates/default/policy.json.erb b/templates/default/policy.json.erb
new file mode 100644
index 0000000..37cf8c8
--- /dev/null
+++ b/templates/default/policy.json.erb
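Review bot: The example description `it "notifies nova-api-ec2 restart"` names a service this helper never touches — the assertion checks whatever `service` and `action` the caller passes, and the only caller in this commit passes `"service[cinder-api]"`. Derive the description from the arguments so it stays true for every caller: `it "notifies #{service} #{action}" do`. The owner example hardcodes `"cinder", "cinder"` while the recipe reads `node["cinder"]["user"]` and `["group"]`; that presumably mirrors the existing helpers above, so it is only worth a comment.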
@@ -0,0 +1,35 @@
+<%= node["cinder"]["custom_template_banner"] %>
+{
+ "context_is_admin": [<%= node["cinder"]["policy"]["context_is_admin"] %>],
+ "admin_or_owner": [<%= node["cinder"]["policy"]["admin_or_owner"] %>],
+ "default": [<%= node["cinder"]["policy"]["default"] %>],
+
+ "admin_api": [<%= node["cinder"]["policy"]["admin_api"] %>],
+
+ "volume:create": [],
+ "volume:get_all": [],
+ "volume:get_volume_metadata": [],
+ "volume:get_snapshot": [],
+ "volume:get_all_snapshots": [],
+
+ "volume_extension:types_manage": [["rule:admin_api"]],
+ "volume_extension:types_extra_specs": [["rule:admin_api"]],
+ "volume_extension:extended_snapshot_attributes": [],
+ "volume_extension:volume_image_metadata": [],
+
+ "volume_extension:quotas:show": [],
+ "volume_extension:quotas:update_for_project": [["rule:admin_api"]],
+ "volume_extension:quotas:update_for_user": [["rule:admin_or_projectadmin"]],
+ "volume_extension:quota_classes": [],
+
+ "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
+ "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
+ "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+ "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
+
+ "volume_extension:volume_host_attribute": [["rule:admin_api"]],
+ "volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
+ "volume_extension:hosts": [["rule:admin_api"]],
+ "volume_extension:services": [["rule:admin_api"]],
+ "volume:services": [["rule:admin_api"]]
+}
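Review bot: The first line emits `node["cinder"]["custom_template_banner"]` ahead of the JSON object, but policy.json is loaded as JSON, which has no comment syntax; if that attribute holds a `#`-prefixed banner, as such banners usually do, the rendered file is unparseable and the API's policy load fails. Either drop the banner line here or move it into an ERB comment, `<%# Managed by Chef; policy.json takes no comments %>`, which renders to nothing. Separately, `volume_extension:quotas:update_for_user` references `rule:admin_or_projectadmin`, which neither this template nor the new attributes define; if the engine treats an unknown rule as deny, that call is refused for everyone, and if that is intentional an ERB comment saying so would help. The node-supplied rule fragments are also spliced in unescaped, so those attributes have to be trusted, well-formed JSON.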