diff --git a/heat/common/policy.py b/heat/common/policy.py
index 7ade8403ea..6c904efedd 100644
--- a/heat/common/policy.py
+++ b/heat/common/policy.py
@@ -24,7 +24,6 @@ import six
 
 from heat.common import exception
 
-
 CONF = cfg.CONF
 LOG = logging.getLogger(__name__)
 
@@ -111,5 +110,12 @@ class ResourceEnforcer(Enforcer):
                 return result
 
     def enforce_stack(self, stack, scope=None, target=None):
+        stack.preview_resources()
         for res in stack.resources.values():
+            if res.has_nested():
+                self.enforce_stack(res.nested())
+                # After the preview_resources() call nested stack name will
+                # be equal to stack.name + res.name, without uuid part. Get
+                # rid of the side effect of preview.
+                res._nested = None
             self.enforce(stack.context, res.type(), scope=scope, target=target)
diff --git a/heat/engine/stack.py b/heat/engine/stack.py
index fcf2cee683..a91f7e3f4b 100644
--- a/heat/engine/stack.py
+++ b/heat/engine/stack.py
@@ -685,6 +685,8 @@ class Stack(collections.Mapping):
                     (r.CREATE, r.COMPLETE),
                     (r.RESUME, r.IN_PROGRESS),
                     (r.RESUME, r.COMPLETE),
+                    (r.SUSPEND, r.IN_PROGRESS),
+                    (r.SUSPEND, r.COMPLETE),
                     (r.UPDATE, r.IN_PROGRESS),
                     (r.UPDATE, r.COMPLETE)) and
                     (r.FnGetRefId() == refid or r.name == refid)):
diff --git a/heat_integrationtests/functional/test_conditional_exposure.py b/heat_integrationtests/functional/test_conditional_exposure.py
index c1175f178d..77159fe679 100644
--- a/heat_integrationtests/functional/test_conditional_exposure.py
+++ b/heat_integrationtests/functional/test_conditional_exposure.py
@@ -76,6 +76,19 @@ resources:
       ram: 20000
       vcpus: 10
 """
+    fl_tmpl_nested = """
+heat_template_version: 2015-10-15
+resources:
+  not4everyonerg:
+    type: OS::Heat::ResourceGroup
+    properties:
+        count: 1
+        resource_def:
+            type: OS::Nova::Flavor
+            properties:
+              ram: 20000
+              vcpus: 10
+"""
 
     def test_non_admin_forbidden_create_flavors(self):
         """Fail to create Flavor resource w/o admin role.
@@ -95,3 +108,11 @@ resources:
         resources = self.client.resource_types.list()
         self.assertNotIn(self.forbidden_resource_type,
                          (r.resource_type for r in resources))
+
+    def test_non_admin_forbidden_create_flavors_nested(self):
+        stack_name = self._stack_rand_name()
+        ex = self.assertRaises(exc.Forbidden,
+                               self.client.stacks.create,
+                               stack_name=stack_name,
+                               template=self.fl_tmpl_nested)
+        self.assertIn(self.forbidden_resource_type, ex.message)