diff --git a/keystone/common/policies/project_endpoint.py b/keystone/common/policies/project_endpoint.py
index be84474981..a98489f8d3 100644
--- a/keystone/common/policies/project_endpoint.py
+++ b/keystone/common/policies/project_endpoint.py
@@ -16,21 +16,45 @@ from keystone.common.policies import base
 project_endpoint_policies = [
-    policy.RuleDefault(
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_projects_for_endpoint',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List projects allowed to access an endpoint.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/endpoints/{endpoint_id}/'
+                              'projects'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'add_endpoint_to_project',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Allow project to access an endpoint.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'PUT'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'check_endpoint_in_project',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='Check if a project is allowed to access an endpoint.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'GET'},
+                    {'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'HEAD'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'list_endpoints_for_project',
-        check_str=base.RULE_ADMIN_REQUIRED),
-    policy.RuleDefault(
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description='List the endpoints a project is allowed to access.',
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints'),
+                     'method': 'GET'}]),
+    policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'remove_endpoint_from_project',
-        check_str=base.RULE_ADMIN_REQUIRED)
+        check_str=base.RULE_ADMIN_REQUIRED,
+        description=('Remove access to an endpoint from a project that has '
+                     'previously been given explicit access.'),
+        operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
+                              'endpoints/{endpoint_id}'),
+                     'method': 'DELETE'}])
 ]
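Review bot: The new `description` strings say what each OS-EP-FILTER call does but not what the rule protects, and since `DocumentedRuleDefault` renders them into the generated policy file, an operator deciding whether to relax `RULE_ADMIN_REQUIRED` on `add_endpoint_to_project` (PUT) or `remove_endpoint_from_project` (DELETE) gets no hint that these mutate a project's endpoint associations — presumably the basis for that project's filtered catalog, which is worth confirming and then stating. Something like `description=('Allow a project to access an endpoint. Changing endpoint associations alters what the project can discover; the default requires the admin rule.')` would carry that. The `check_endpoint_in_project` entry also repeats the same path literal for GET and HEAD, and the PUT and DELETE entries repeat it again; binding it once, e.g. `_PROJECT_ENDPOINT_PATH = ('/v3/OS-EP-FILTER/projects/{project_id}/' 'endpoints/{endpoint_id}')`, and referencing it from the four entries keeps the documented paths from drifting apart. Whatever follows the closing `]` of the list is outside the hunk.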