diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py
index d99db48748..eaa7269580 100644
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@@ -31,6 +31,14 @@ deprecated_revoke_system_grant_for_user = policy.DeprecatedRule(
     name=base.IDENTITY % 'revoke_system_grant_for_user',
     check_str=base.RULE_ADMIN_REQUIRED
 )
+deprecated_check_system_grant_for_group = policy.DeprecatedRule(
+    name=base.IDENTITY % 'check_system_grant_for_group',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_list_system_grants_for_group = policy.DeprecatedRule(
+    name=base.IDENTITY % 'list_system_grants_for_group',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
 
 DEPRECATED_REASON = """
 As of the Stein release, the system assignment API now understands default
@@ -201,7 +209,7 @@ grant_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_system_grants_for_group',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_READER,
         scope_types=['system'],
         description='List all grants a specific group has on the system.',
         operations=[
@@ -209,11 +217,14 @@ grant_policies = [
                 'path': '/v3/system/groups/{group_id}/roles',
                 'method': ['HEAD', 'GET']
             }
-        ]
+        ],
+        deprecated_rule=deprecated_list_system_grants_for_group,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_system_grant_for_group',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_READER,
         scope_types=['system'],
         description='Check if a group has a role on the system.',
         operations=[
@@ -221,7 +232,10 @@ grant_policies = [
                 'path': '/v3/system/groups/{group_id}/roles/{role_id}',
                 'method': ['HEAD', 'GET']
             }
-        ]
+        ],
+        deprecated_rule=deprecated_check_system_grant_for_group,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN
     ),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_system_grant_for_group',
diff --git a/keystone/tests/unit/protection/v3/test_system_assignments.py b/keystone/tests/unit/protection/v3/test_system_assignments.py
index 60c75a088f..57905fd5ef 100644
--- a/keystone/tests/unit/protection/v3/test_system_assignments.py
+++ b/keystone/tests/unit/protection/v3/test_system_assignments.py
@@ -65,6 +65,42 @@ class _SystemUserSystemAssignmentTests(object):
                 expected_status_code=http_client.NO_CONTENT
             )
 
+    def test_user_can_list_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            r = c.get(
+                '/v3/system/groups/%s/roles' % group['id'],
+                headers=self.headers
+            )
+            self.assertEqual(1, len(r.json['roles']))
+            self.assertEqual(
+                self.bootstrapper.member_role_id, r.json['roles'][0]['id']
+            )
+
+    def test_user_can_check_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.NO_CONTENT
+            )
+
 
 class _SystemMemberAndReaderSystemAssignmentTests(object):
 
@@ -98,6 +134,36 @@ class _SystemMemberAndReaderSystemAssignmentTests(object):
                 expected_status_code=http_client.FORBIDDEN
             )
 
+    def test_user_cannot_grant_group_system_assignment(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_revoke_group_system_assignment(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
 
 class _DomainAndProjectUserSystemAssignmentTests(object):