diff --git a/glare/common/policy.py b/glare/common/policy.py
index 0ea2cb5..fabdd58 100644
--- a/glare/common/policy.py
+++ b/glare/common/policy.py
@@ -69,7 +69,13 @@ artifact_policy_rules = [
 "Policy to set custom location for artifact"),
 policy.RuleDefault("artifact:upload", "rule:admin_or_owner",
 "Policy to upload blob for artifact"),
- policy.RuleDefault("artifact:download", "",
+ policy.RuleDefault("artifact:download_deactivated",
+ "'deactivated':%(status)s and rule:context_is_admin "
+ "or not 'deactivated':%(status)s",
+ "Policy to download blob from deactivated artifact"),
+ policy.RuleDefault("artifact:download",
+ "rule:admin_or_owner and "
+ "rule:artifact:download_deactivated",
 "Policy to download blob from artifact"),
 ]
 
diff --git a/glare/engine.py b/glare/engine.py
index f647cce..19b920e 100644
--- a/glare/engine.py
+++ b/glare/engine.py
@@ -541,11 +541,6 @@ class Engine(object):
 blob_name = "%s[%s]" % (field_name, blob_key)\
 if blob_key else field_name
 
- if af.status == 'deactivated' and not context.is_admin:
- msg = _("Only admin is allowed to download artifact data "
- "when it's deactivated")
- raise exception.Forbidden(message=msg)
-
 if af.status == 'deleted':
 msg = _("Cannot download data when artifact is deleted")
 raise exception.Forbidden(message=msg)
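Review bot: The deactivated-artifact guard now exists only inside the default string of `artifact:download` in `artifact_policy_rules` (the list begins above the hunk), so a deployment whose policy file still carries the old value `"artifact:download": ""` overrides it and silently loses the restriction that the engine.py hunk of this commit deletes from the download path. The generic check `'deactivated':%(status)s` also depends on the enforcement target carrying a `status` key; as far as I know oslo.policy treats a missing key as a non-match, which would make `not 'deactivated':%(status)s` pass, and the enforce call is not in this diff, so that needs confirming. Enforcing `artifact:download_deactivated` as its own check in the download path, with the artifact's status always present in the target, would keep the guard independent of overrides of `artifact:download`. The rule relies on `and` binding tighter than `or`; writing it as `"('deactivated':%(status)s and rule:context_is_admin) or not 'deactivated':%(status)s"` makes the intent explicit. The default also moves from `""` to `rule:admin_or_owner`, which narrows download access beyond the deactivated case; `admin_or_owner` is defined outside the hunk, so whether non-owner downloads that worked before are now refused should be checked and noted for operators.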