diff --git a/lib/cinder b/lib/cinder
index f6fd095e69..7f2f29f892 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -144,6 +144,12 @@ CINDER_IMG_CACHE_SIZE_COUNT=${CINDER_IMG_CACHE_SIZE_COUNT:-}
 # enable the cache for all cinder backends.
 CINDER_CACHE_ENABLED_FOR_BACKENDS=${CINDER_CACHE_ENABLED_FOR_BACKENDS:-$CINDER_ENABLED_BACKENDS}
 
+# Flag to set the oslo_policy.enforce_scope. This is used to switch
+# the  Volume API policies to start checking the scope of token. by default,
+# this flag is False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+CINDER_ENFORCE_SCOPE=$(trueorfalse False CINDER_ENFORCE_SCOPE)
+
 # Functions
 # ---------
 
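Review bot: The comment added above `CINDER_ENFORCE_SCOPE` documents only `oslo_policy.enforce_scope`, but the `configure_cinder` hunk later in this file uses the same flag to turn on `enforce_new_defaults` as well. Since that second option changes which policy rules the Volume API applies, the comment should name both, e.g. `# Flag to set oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults for the Volume API.` followed by `# When True, cinder checks token scope and uses the new policy defaults; the flag defaults to False.` An operator enabling the flag then knows both settings move together.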
@@ -347,6 +353,11 @@ function configure_cinder {
     elif is_service_enabled etcd3; then
         iniset $CINDER_CONF coordination backend_url "etcd3+http://${SERVICE_HOST}:$ETCD_PORT"
     fi
+
+    if [[ "$CINDER_ENFORCE_SCOPE" == True ]] ; then
+        iniset $CINDER_CONF oslo_policy enforce_scope true
+        iniset $CINDER_CONF oslo_policy enforce_new_defaults true
+    fi
 }
 
 # create_cinder_accounts() - Set up common required cinder accounts
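Review bot: The added `if [[ "$CINDER_ENFORCE_SCOPE" == True ]]` block has no `else`, so with the flag at False nothing is written and cinder runs with whatever defaults oslo.policy ships. The `lib/tempest` hunk, by contrast, always records the literal flag value. If the library defaults are, or later become, true, Tempest would be configured for a scope setting the service is not using, and a policy regression could pass unnoticed. Writing both options in either case keeps the two files in step, e.g. an `else` branch with `iniset $CINDER_CONF oslo_policy enforce_scope false` and `iniset $CINDER_CONF oslo_policy enforce_new_defaults false`. `configure_cinder` starts outside this hunk, so whether cinder.conf is regenerated on every run is not visible here.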
diff --git a/lib/tempest b/lib/tempest
index 4eacfa09ca..c60a47b549 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -607,6 +607,8 @@ function configure_tempest {
         iniset $TEMPEST_CONFIG auth admin_project_name ''
     fi
 
+    iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"
+
     if [ "$VIRT_DRIVER" = "libvirt" ] && [ "$LIBVIRT_TYPE" = "lxc" ]; then
         # libvirt-lxc does not support boot from volume or attaching volumes
         # so basically anything with cinder is out of the question.
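Review bot: The new `iniset $TEMPEST_CONFIG enforce_scope cinder "$CINDER_ENFORCE_SCOPE"` line reads the variable without a fallback, and the only assignment in this diff is in `lib/cinder`. If that file has not been sourced by the time `configure_tempest` runs (not visible from this hunk), the option is written as an empty string instead of a boolean. A default at the point of use avoids that: `iniset $TEMPEST_CONFIG enforce_scope cinder "${CINDER_ENFORCE_SCOPE:-False}"`. A one-line comment such as `# Mirror cinder's enforce_scope setting into tempest.conf` would also explain why the line sits here. `configure_tempest` begins and ends outside the hunk.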