diff --git a/openstack_dashboard/conf/neutron_policy.json b/openstack_dashboard/conf/neutron_policy.json
index 79f0b6b33f..36b1622504 100644
--- a/openstack_dashboard/conf/neutron_policy.json
+++ b/openstack_dashboard/conf/neutron_policy.json
@@ -1,107 +1,140 @@
 {
     "context_is_admin":  "role:admin",
-    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
-    "admin_or_network_owner": "rule:context_is_admin or project_id:%(network:project_id)s",
+    "owner": "tenant_id:%(tenant_id)s",
+    "admin_or_owner": "rule:context_is_admin or rule:owner",
+    "context_is_advsvc":  "role:advsvc",
+    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
+    "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
     "admin_only": "rule:context_is_admin",
     "regular_user": "",
     "shared": "field:networks:shared=True",
     "shared_firewalls": "field:firewalls:shared=True",
+    "shared_firewall_policies": "field:firewall_policies:shared=True",
+    "shared_subnetpools": "field:subnetpools:shared=True",
+    "shared_address_scopes": "field:address_scopes:shared=True",
     "external": "field:networks:router:external=True",
     "default": "rule:admin_or_owner",
 
-    "subnets:private:read": "rule:admin_or_owner",
-    "subnets:private:write": "rule:admin_or_owner",
-    "subnets:shared:read": "rule:regular_user",
-    "subnets:shared:write": "rule:admin_only",
-
     "create_subnet": "rule:admin_or_network_owner",
+    "create_subnet:segment_id": "rule:admin_only",
     "get_subnet": "rule:admin_or_owner or rule:shared",
+    "get_subnet:segment_id": "rule:admin_only",
     "update_subnet": "rule:admin_or_network_owner",
     "delete_subnet": "rule:admin_or_network_owner",
 
+    "create_subnetpool": "",
+    "create_subnetpool:shared": "rule:admin_only",
+    "create_subnetpool:is_default": "rule:admin_only",
+    "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
+    "update_subnetpool": "rule:admin_or_owner",
+    "update_subnetpool:is_default": "rule:admin_only",
+    "delete_subnetpool": "rule:admin_or_owner",
+
+    "create_address_scope": "",
+    "create_address_scope:shared": "rule:admin_only",
+    "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
+    "update_address_scope": "rule:admin_or_owner",
+    "update_address_scope:shared": "rule:admin_only",
+    "delete_address_scope": "rule:admin_or_owner",
+
     "create_network": "",
-    "get_network": "rule:admin_or_owner or rule:shared or rule:external",
+    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
     "get_network:router:external": "rule:regular_user",
     "get_network:segments": "rule:admin_only",
     "get_network:provider:network_type": "rule:admin_only",
     "get_network:provider:physical_network": "rule:admin_only",
     "get_network:provider:segmentation_id": "rule:admin_only",
     "get_network:queue_id": "rule:admin_only",
+    "get_network_ip_availabilities": "rule:admin_only",
+    "get_network_ip_availability": "rule:admin_only",
     "create_network:shared": "rule:admin_only",
     "create_network:router:external": "rule:admin_only",
+    "create_network:is_default": "rule:admin_only",
     "create_network:segments": "rule:admin_only",
     "create_network:provider:network_type": "rule:admin_only",
     "create_network:provider:physical_network": "rule:admin_only",
     "create_network:provider:segmentation_id": "rule:admin_only",
     "update_network": "rule:admin_or_owner",
     "update_network:segments": "rule:admin_only",
+    "update_network:shared": "rule:admin_only",
     "update_network:provider:network_type": "rule:admin_only",
     "update_network:provider:physical_network": "rule:admin_only",
     "update_network:provider:segmentation_id": "rule:admin_only",
+    "update_network:router:external": "rule:admin_only",
     "delete_network": "rule:admin_or_owner",
 
+    "create_segment": "rule:admin_only",
+    "get_segment": "rule:admin_only",
+    "update_segment": "rule:admin_only",
+    "delete_segment": "rule:admin_only",
+
+    "network_device": "field:port:device_owner=~^network:",
     "create_port": "",
-    "create_port:mac_address": "rule:admin_or_network_owner",
-    "create_port:fixed_ips": "rule:admin_or_network_owner",
-    "create_port:port_security_enabled": "rule:admin_or_network_owner",
+    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
-    "create_port:mac_learning_enabled": "rule:admin_or_network_owner",
-    "get_port": "rule:admin_or_owner",
+    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
+    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
-    "get_port:binding:capabilities": "rule:admin_only",
+    "get_port:binding:vif_details": "rule:admin_only",
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
-    "update_port": "rule:admin_or_owner",
-    "update_port:fixed_ips": "rule:admin_or_network_owner",
-    "update_port:port_security_enabled": "rule:admin_or_network_owner",
+    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",
-    "update_port:mac_learning_enabled": "rule:admin_or_network_owner",
-    "delete_port": "rule:admin_or_owner",
+    "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
+    "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
 
+    "get_router:ha": "rule:admin_only",
+    "create_router": "rule:regular_user",
     "create_router:external_gateway_info:enable_snat": "rule:admin_only",
+    "create_router:distributed": "rule:admin_only",
+    "create_router:ha": "rule:admin_only",
+    "get_router": "rule:admin_or_owner",
+    "get_router:distributed": "rule:admin_only",
     "update_router:external_gateway_info:enable_snat": "rule:admin_only",
+    "update_router:distributed": "rule:admin_only",
+    "update_router:ha": "rule:admin_only",
+    "delete_router": "rule:admin_or_owner",
 
-    "create_ikepolicy": "rule:admin_or_owner",
-    "update_ikepolicy": "rule:admin_or_owner",
-    "delete_ikepolicy": "rule:admin_or_owner",
+    "add_router_interface": "rule:admin_or_owner",
+    "remove_router_interface": "rule:admin_or_owner",
 
-    "create_ipsecpolicy": "rule:admin_or_owner",
-    "update_ipsecpolicy": "rule:admin_or_owner",
-    "delete_ipsecpolicy": "rule:admin_or_owner",
-
-    "create_vpnservice": "rule:admin_or_owner",
-    "update_vpnservice": "rule:admin_or_owner",
-    "delete_vpnservice": "rule:admin_or_owner",
-
-    "create_ipsec_site_connection": "rule:admin_or_owner",
-    "update_ipsec_site_connection": "rule:admin_or_owner",
-    "delete_ipsec_site_connection": "rule:admin_or_owner",
+    "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
+    "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
 
     "create_firewall": "",
     "get_firewall": "rule:admin_or_owner",
     "create_firewall:shared": "rule:admin_only",
     "get_firewall:shared": "rule:admin_only",
     "update_firewall": "rule:admin_or_owner",
+    "update_firewall:shared": "rule:admin_only",
     "delete_firewall": "rule:admin_or_owner",
 
     "create_firewall_policy": "",
-    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
+    "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
     "create_firewall_policy:shared": "rule:admin_or_owner",
     "update_firewall_policy": "rule:admin_or_owner",
     "delete_firewall_policy": "rule:admin_or_owner",
 
-    "create_firewall_rule": "",
-    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
-    "create_firewall_rule:shared": "rule:admin_or_owner",
-    "get_firewall_rule:shared": "rule:admin_or_owner",
-    "update_firewall_rule": "rule:admin_or_owner",
-    "delete_firewall_rule": "rule:admin_or_owner",
     "insert_rule": "rule:admin_or_owner",
     "remove_rule": "rule:admin_or_owner",
 
+    "create_firewall_rule": "",
+    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
+    "update_firewall_rule": "rule:admin_or_owner",
+    "delete_firewall_rule": "rule:admin_or_owner",
+
     "create_qos_queue": "rule:admin_only",
     "get_qos_queue": "rule:admin_only",
 
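Review bot: The `owner` rule now matches `tenant_id:%(tenant_id)s` and `admin_or_network_owner` matches `%(network:tenant_id)s`, so every policy target the dashboard builds must carry those keys or the owner branch fails for non-admin users. This commit adds them to `PolicyTargetMixin.policy_target_attrs` and to the two subnet actions, but a class that overrides `policy_target_attrs` with its own tuple replaces the default and would not pick up the new entry; any such override outside this diff needs `("tenant_id", "tenant_id"),` added as well. As far as I know oslo.policy treats a missing target key as a failed match, so the failure mode is hidden actions rather than extra access, but a test that evaluates `rule:owner` against the target built by each overriding class would catch the gap.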
@@ -119,40 +152,11 @@
     "get_l3-agents": "rule:admin_only",
     "get_loadbalancer-agent": "rule:admin_only",
     "get_loadbalancer-pools": "rule:admin_only",
-
-    "create_pool": "rule:admin_or_owner",
-    "update_pool": "rule:admin_or_owner",
-    "delete_pool": "rule:admin_or_owner",
-
-    "create_vip": "rule:admin_or_owner",
-    "update_vip": "rule:admin_or_owner",
-    "delete_vip": "rule:admin_or_owner",
-
-    "create_member": "rule:admin_or_owner",
-    "update_member": "rule:admin_or_owner",
-    "delete_member": "rule:admin_or_owner",
-
-    "create_health_monitor": "rule:admin_or_owner",
-    "update_health_monitor": "rule:admin_or_owner",
-    "delete_health_monitor": "rule:admin_or_owner",
-
-    "create_pool_health_monitor": "rule:admin_or_owner",
-    "delete_pool_health_monitor": "rule:admin_or_owner",
-
-    "create_router": "rule:regular_user",
-    "get_router": "rule:admin_or_owner",
-    "update_router": "rule:admin_or_owner",
-    "add_router_interface": "rule:admin_or_owner",
-    "remove_router_interface": "rule:admin_or_owner",
-    "delete_router": "rule:admin_or_owner",
-    "get_router:distributed": "rule:admin_only",
-    "create_router:distributed": "rule:admin_only",
-    "update_router:distributed": "rule:admin_only",
-    "get_router:ha": "rule:admin_only",
-    "create_router:ha": "rule:admin_only",
-    "update_router:ha": "rule:admin_only",
+    "get_agent-loadbalancers": "rule:admin_only",
+    "get_loadbalancer-hosting-agent": "rule:admin_only",
 
     "create_floatingip": "rule:regular_user",
+    "create_floatingip:floating_ip_address": "rule:admin_only",
     "update_floatingip": "rule:admin_or_owner",
     "delete_floatingip": "rule:admin_or_owner",
     "get_floatingip": "rule:admin_or_owner",
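Review bot: The bare `update_router` rule is removed in this hunk and is not among the router rules re-added in the first hunk, so any dashboard action that still checks `update_router` now resolves through `default` instead of an explicit entry. The same holds for the LBaaS v1 rules removed here (`create_pool`, `create_vip`, `create_member`, ...). `default` is `rule:admin_or_owner`, so the outcome should be unchanged today, but it becomes coupled to whatever `default` is set to later. If the file is meant to mirror neutron's policy file verbatim that is acceptable; otherwise keep `"update_router": "rule:admin_or_owner",` next to `delete_router`.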
@@ -174,5 +178,45 @@
     "delete_metering_label_rule": "rule:admin_only",
     "get_metering_label_rule": "rule:admin_only",
 
-    "get_service_provider": "rule:regular_user"
+    "get_service_provider": "rule:regular_user",
+    "get_lsn": "rule:admin_only",
+    "create_lsn": "rule:admin_only",
+
+    "create_flavor": "rule:admin_only",
+    "update_flavor": "rule:admin_only",
+    "delete_flavor": "rule:admin_only",
+    "get_flavors": "rule:regular_user",
+    "get_flavor": "rule:regular_user",
+    "create_service_profile": "rule:admin_only",
+    "update_service_profile": "rule:admin_only",
+    "delete_service_profile": "rule:admin_only",
+    "get_service_profiles": "rule:admin_only",
+    "get_service_profile": "rule:admin_only",
+
+    "get_policy": "rule:regular_user",
+    "create_policy": "rule:admin_only",
+    "update_policy": "rule:admin_only",
+    "delete_policy": "rule:admin_only",
+    "get_policy_bandwidth_limit_rule": "rule:regular_user",
+    "create_policy_bandwidth_limit_rule": "rule:admin_only",
+    "delete_policy_bandwidth_limit_rule": "rule:admin_only",
+    "update_policy_bandwidth_limit_rule": "rule:admin_only",
+    "get_policy_dscp_marking_rule": "rule:regular_user",
+    "create_policy_dscp_marking_rule": "rule:admin_only",
+    "delete_policy_dscp_marking_rule": "rule:admin_only",
+    "update_policy_dscp_marking_rule": "rule:admin_only",
+    "get_rule_type": "rule:regular_user",
+
+    "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
+    "create_rbac_policy": "",
+    "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
+    "update_rbac_policy": "rule:admin_or_owner",
+    "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
+    "get_rbac_policy": "rule:admin_or_owner",
+    "delete_rbac_policy": "rule:admin_or_owner",
+
+    "create_flavor_service_profile": "rule:admin_only",
+    "delete_flavor_service_profile": "rule:admin_only",
+    "get_flavor_service_profile": "rule:regular_user",
+    "get_auto_allocated_topology": "rule:admin_or_owner"
 }
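Review bot: `restrict_wildcard` depends on a negated `field:` check, and nothing in this diff shows the dashboard's policy engine evaluating `field:` rules the way neutron does. If an unrecognised `field` kind simply fails to match on the dashboard side, `not field:rbac_policy:target_tenant=*` is always true there, and `create_rbac_policy:target_tenant` would pass for every user regardless of the target. Neutron presumably still enforces the real rule on the API call, so this affects only what the UI offers; a unit test that evaluates `restrict_wildcard` for a non-admin with `target_tenant` set to `*` would show which way it resolves. The `not rule:network_device` term in `create_port:device_owner` and `update_port:device_owner` in the first hunk has the same dependency.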
diff --git a/openstack_dashboard/dashboards/admin/networks/tests.py b/openstack_dashboard/dashboards/admin/networks/tests.py
index 89615027c1..d54b7a3b2a 100644
--- a/openstack_dashboard/dashboards/admin/networks/tests.py
+++ b/openstack_dashboard/dashboards/admin/networks/tests.py
@@ -622,8 +622,8 @@ class NetworkTests(test.BaseAdminViewTests):
     @test.create_stubs({api.neutron: ('network_get',)})
     def test_network_update_get(self):
         network = self.networks.first()
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
 
         self.mox.ReplayAll()
 
@@ -657,8 +657,8 @@ class NetworkTests(test.BaseAdminViewTests):
         api.neutron.network_update(IsA(http.HttpRequest), network.id,
                                    **params)\
             .AndReturn(network)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
         self.mox.ReplayAll()
 
         form_data = {'network_id': network.id,
@@ -683,8 +683,8 @@ class NetworkTests(test.BaseAdminViewTests):
         api.neutron.network_update(IsA(http.HttpRequest), network.id,
                                    **params)\
             .AndRaise(self.exceptions.neutron)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
         self.mox.ReplayAll()
 
         form_data = {'network_id': network.id,
diff --git a/openstack_dashboard/dashboards/project/networks/subnets/tables.py b/openstack_dashboard/dashboards/project/networks/subnets/tables.py
index c5dc55d939..e4676b09f9 100644
--- a/openstack_dashboard/dashboards/project/networks/subnets/tables.py
+++ b/openstack_dashboard/dashboards/project/networks/subnets/tables.py
@@ -50,6 +50,8 @@ class SubnetPolicyTargetMixin(policy.PolicyTargetMixin):
         policy_target = super(SubnetPolicyTargetMixin, self)\
             .get_policy_target(request, datum)
         network = self.table._get_network()
+        # neutron switched policy target values, we'll support both
+        policy_target["network:tenant_id"] = network.tenant_id
         policy_target["network:project_id"] = network.tenant_id
         return policy_target
 
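Review bot: The new comment does not say which key is current and which is kept for compatibility, so a later cleanup cannot tell which assignment is safe to drop. The bundled `neutron_policy.json` in this commit keys `admin_or_network_owner` on `network:tenant_id`, so something like `# bundled neutron policy matches on network:tenant_id; network:project_id is kept for policy files that still use the old key` would record that. The comment on `policy_target_attrs` in `CreateSubnet` (networks/tables.py) has the same gap. `get_policy_target` starts above this hunk.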
diff --git a/openstack_dashboard/dashboards/project/networks/tables.py b/openstack_dashboard/dashboards/project/networks/tables.py
index e3cd0de19d..95b5fa6c9b 100644
--- a/openstack_dashboard/dashboards/project/networks/tables.py
+++ b/openstack_dashboard/dashboards/project/networks/tables.py
@@ -123,7 +123,9 @@ class CreateSubnet(policy.PolicyTargetMixin, CheckNetworkEditable,
     classes = ("ajax-modal",)
     icon = "plus"
     policy_rules = (("network", "create_subnet"),)
-    policy_target_attrs = (("network:project_id", "tenant_id"),)
+    # neutron has used both in their policy files, supporting both
+    policy_target_attrs = (("network:tenant_id", "tenant_id"),
+                           ("network:project_id", "tenant_id"),)
 
     def allowed(self, request, datum=None):
         usages = quotas.tenant_quota_usages(request)
diff --git a/openstack_dashboard/dashboards/project/networks/tests.py b/openstack_dashboard/dashboards/project/networks/tests.py
index f74dde6e6d..5c83ff834c 100644
--- a/openstack_dashboard/dashboards/project/networks/tests.py
+++ b/openstack_dashboard/dashboards/project/networks/tests.py
@@ -1056,9 +1056,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
     @test.create_stubs({api.neutron: ('network_get',)})
     def test_network_update_get(self):
         network = self.networks.first()
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
-
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
         self.mox.ReplayAll()
 
         url = reverse('horizon:project:networks:update', args=[network.id])
@@ -1089,8 +1088,8 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
                                    admin_state_up=network.admin_state_up,
                                    shared=network.shared)\
             .AndReturn(network)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
         self.mox.ReplayAll()
 
         form_data = {'network_id': network.id,
@@ -1107,13 +1106,13 @@ class NetworkTests(test.TestCase, NetworkStubMixin):
                                       'network_get',)})
     def test_network_update_post_exception(self):
         network = self.networks.first()
+        api.neutron.network_get(IsA(http.HttpRequest), network.id,
+                                expand_subnet=False).AndReturn(network)
         api.neutron.network_update(IsA(http.HttpRequest), network.id,
                                    name=network.name,
                                    admin_state_up=network.admin_state_up,
                                    shared=False)\
             .AndRaise(self.exceptions.neutron)
-        api.neutron.network_get(IsA(http.HttpRequest), network.id)\
-            .AndReturn(network)
         self.mox.ReplayAll()
 
         form_data = {'network_id': network.id,
diff --git a/openstack_dashboard/dashboards/project/networks/views.py b/openstack_dashboard/dashboards/project/networks/views.py
index 2a74746ff2..236c6e2fa1 100644
--- a/openstack_dashboard/dashboards/project/networks/views.py
+++ b/openstack_dashboard/dashboards/project/networks/views.py
@@ -97,7 +97,10 @@ class UpdateView(forms.ModalFormView):
     def _get_object(self, *args, **kwargs):
         network_id = self.kwargs['network_id']
         try:
-            return api.neutron.network_get(self.request, network_id)
+            # no subnet values are read or editable in this view, so
+            # save the subnet expansion overhead
+            return api.neutron.network_get(self.request, network_id,
+                                           expand_subnet=False)
         except Exception:
             redirect = self.success_url
             msg = _('Unable to retrieve network details.')
diff --git a/openstack_dashboard/policy.py b/openstack_dashboard/policy.py
index 6bcb2242c7..8f8c1733f0 100644
--- a/openstack_dashboard/policy.py
+++ b/openstack_dashboard/policy.py
@@ -39,6 +39,7 @@ class PolicyTargetMixin(object):
     """
 
     policy_target_attrs = (("project_id", "tenant_id"),
+                           ("tenant_id", "tenant_id"),
                            ("user_id", "user_id"),
                            ("domain_id", "domain_id"),
                            ("target.project.domain_id", "domain_id"),