diff --git a/README.rst b/README.rst index aff004e5..67387541 100644 --- a/README.rst +++ b/README.rst @@ -26,6 +26,11 @@ Set up your ``local.conf`` to enable heat-dashboard:: [[local|localrc]] enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard + +.. note:: + + You also need to install Heat itself into DevStack to use Heat Dashboard. + Manual Installation ------------------- @@ -59,6 +64,11 @@ Enable heat-dashboard plugin in your Horizon environment:: cp heat-dashboard/heat_dashboard/enabled/* \ horizon/openstack_dashboard/local/enabled +Copy Heat policy file to your Horizon environment:: + + cp heat-dashboard/etc/heat_policy.json \ + horizon/openstack_dashboard/conf + Finally you can launch Horizon with Heat Dashboard plugin:: cd horizon diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 1039ae72..c0b165b1 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -16,6 +16,7 @@ function install_heat_dashboard { function configure_heat_dashboard { cp -a ${HEAT_DASHBOARD_DIR}/heat_dashboard/enabled/* ${DEST}/horizon/openstack_dashboard/local/enabled/ + cp -a ${HEAT_DASHBOARD_DIR}/etc/heat_policy.json ${DEST}/horizon/conf/ # NOTE: If locale directory does not exist, compilemessages will fail, # so check for an existence of locale directory is required. if [ -d ${HEAT_DASHBOARD_DIR}/heat_dashboard/locale ]; then diff --git a/doc/source/install/installation_contents.rst b/doc/source/install/installation_contents.rst index ef4da0a9..5e1b87fe 100644 --- a/doc/source/install/installation_contents.rst +++ b/doc/source/install/installation_contents.rst @@ -6,6 +6,11 @@ Set up your ``local.conf`` to enable heat-dashboard:: [[local|localrc]] enable_plugin heat-dashboard https://git.openstack.org/openstack/heat-dashboard + +.. note:: + + You also need to install Heat itself into DevStack to use Heat Dashboard. + Manual Installation ------------------- 
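Review bot: The `cp -a` added to `configure_heat_dashboard` in devstack/plugin.sh writes heat_policy.json to `${DEST}/horizon/conf/`. The `cp` line just above it targets `${DEST}/horizon/openstack_dashboard/local/enabled/`, and both documentation hunks in this commit give `horizon/openstack_dashboard/conf` as the destination. If the documented path is the one Horizon reads, the DevStack copy either fails or lands where the dashboard never looks, so the Heat panels would presumably not be governed by this policy file. Suggest `cp -a "${HEAT_DASHBOARD_DIR}/etc/heat_policy.json" "${DEST}/horizon/openstack_dashboard/conf/"`, with the expansions quoted so an unusual `DEST` cannot split the arguments. The function body continues past the end of the hunk.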
@@ -39,6 +44,11 @@ Enable heat-dashboard plugin in your Horizon environment:: cp heat-dashboard/heat_dashboard/enabled/* \ horizon/openstack_dashboard/local/enabled +Copy Heat policy file to your Horizon environment:: + + cp heat-dashboard/etc/heat_policy.json \ + horizon/openstack_dashboard/conf + Finally you can launch Horizon with Heat Dashboard plugin:: cd horizon diff --git a/etc/heat_policy.json b/etc/heat_policy.json new file mode 100644 index 00000000..b40b1eef --- /dev/null +++ b/etc/heat_policy.json 
@@ -0,0 +1,92 @@
+{
+ "context_is_admin": "role:admin",
+ "deny_stack_user": "not role:heat_stack_user",
+ "deny_everybody": "!",
+
+ "cloudformation:ListStacks": "rule:deny_stack_user",
+ "cloudformation:CreateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStacks": "rule:deny_stack_user",
+ "cloudformation:DeleteStack": "rule:deny_stack_user",
+ "cloudformation:UpdateStack": "rule:deny_stack_user",
+ "cloudformation:CancelUpdateStack": "rule:deny_stack_user",
+ "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
+ "cloudformation:ValidateTemplate": "rule:deny_stack_user",
+ "cloudformation:GetTemplate": "rule:deny_stack_user",
+ "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
+ "cloudformation:DescribeStackResource": "",
+ "cloudformation:DescribeStackResources": "rule:deny_stack_user",
+ "cloudformation:ListStackResources": "rule:deny_stack_user",
+
+ "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
+ "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
+ "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
+ "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
+ "cloudwatch:ListMetrics": "rule:deny_stack_user",
+ "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
+ "cloudwatch:PutMetricData": "",
+ "cloudwatch:SetAlarmState": "rule:deny_stack_user",
+
+ "actions:action": "rule:deny_stack_user",
+ "build_info:build_info": "rule:deny_stack_user",
+ "events:index": "rule:deny_stack_user",
+ "events:show": "rule:deny_stack_user",
+ "resource:index": "rule:deny_stack_user",
+ "resource:metadata": "",
+ "resource:signal": "",
+ "resource:mark_unhealthy": "rule:deny_stack_user",
+ "resource:show": "rule:deny_stack_user",
+ "stacks:abandon": "rule:deny_stack_user",
+ "stacks:create": "rule:deny_stack_user",
+ "stacks:delete": "rule:deny_stack_user",
+ "stacks:detail": "rule:deny_stack_user",
+ "stacks:export": "rule:deny_stack_user",
+ "stacks:generate_template": "rule:deny_stack_user",
+ "stacks:global_index": "rule:deny_everybody",
+ "stacks:index": "rule:deny_stack_user",
+ "stacks:list_resource_types": "rule:deny_stack_user",
+ "stacks:list_template_versions": "rule:deny_stack_user",
+ "stacks:list_template_functions": "rule:deny_stack_user",
+ "stacks:lookup": "",
+ "stacks:preview": "rule:deny_stack_user",
+ "stacks:resource_schema": "rule:deny_stack_user",
+ "stacks:show": "rule:deny_stack_user",
+ "stacks:template": "rule:deny_stack_user",
+ "stacks:environment": "rule:deny_stack_user",
+ "stacks:update": "rule:deny_stack_user",
+ "stacks:update_patch": "rule:deny_stack_user",
+ "stacks:preview_update": "rule:deny_stack_user",
+ "stacks:preview_update_patch": "rule:deny_stack_user",
+ "stacks:validate_template": "rule:deny_stack_user",
+ "stacks:snapshot": "rule:deny_stack_user",
+ "stacks:show_snapshot": "rule:deny_stack_user",
+ "stacks:delete_snapshot": "rule:deny_stack_user",
+ "stacks:list_snapshots": "rule:deny_stack_user",
+ "stacks:restore_snapshot": "rule:deny_stack_user",
+ "stacks:list_outputs": "rule:deny_stack_user",
+ "stacks:show_output": "rule:deny_stack_user",
+
+ "software_configs:global_index": "rule:deny_everybody",
+ "software_configs:index": "rule:deny_stack_user",
+ "software_configs:create": "rule:deny_stack_user",
+ "software_configs:show": "rule:deny_stack_user",
+ "software_configs:delete": "rule:deny_stack_user",
+ "software_deployments:index": "rule:deny_stack_user",
+ "software_deployments:create": "rule:deny_stack_user",
+ "software_deployments:show": "rule:deny_stack_user",
+ "software_deployments:update": "rule:deny_stack_user",
+ "software_deployments:delete": "rule:deny_stack_user",
+ "software_deployments:metadata": "",
+
+ "service:index": "rule:context_is_admin",
+
+ "resource_types:OS::Nova::Flavor": "rule:context_is_admin",
+ "resource_types:OS::Cinder::EncryptedVolumeType": "rule:context_is_admin",
+ "resource_types:OS::Cinder::VolumeType": "rule:context_is_admin",
+ "resource_types:OS::Manila::ShareType": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSPolicy": "rule:context_is_admin",
+ "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:context_is_admin",
+ "resource_types:OS::Nova::HostAggregate": "rule:context_is_admin"
+}
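Review bot: Six targets in the new etc/heat_policy.json carry the empty rule `""`, which oslo.policy evaluates as always-allow: `cloudformation:DescribeStackResource`, `cloudwatch:PutMetricData`, `resource:metadata`, `resource:signal`, `stacks:lookup` and `software_deployments:metadata`. These are the only API entries not gated by `rule:deny_stack_user` or stricter, so the exception should be recorded as deliberate (presumably so in-instance agents holding the `heat_stack_user` role can fetch metadata and send signals) rather than left to look like an omission. JSON has no comment syntax, so the place for that is the README step that copies the file, e.g. `Entries with an empty rule ("") are intentionally open to heat_stack_user; do not tighten them without checking Heat's own policy.` The same README step should say that this is a static copy installed into Horizon's conf directory. It can drift from the policy the Heat service actually enforces, so operators who customise Heat's policy need to update both.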