diff --git a/etc/policy.json b/etc/policy.json
index d9711a2c31..ebb94b02d0 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -6,6 +6,7 @@
 "admin_or_owner": "rule:admin_required or rule:owner",
 "token_subject": "user_id:%(target.token.user_id)s",
 "admin_or_token_subject": "rule:admin_required or rule:token_subject",
+ "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
 "default": "rule:admin_required",
@@ -88,8 +89,8 @@
 "identity:update_policy": "rule:admin_required",
 "identity:delete_policy": "rule:admin_required",
- "identity:check_token": "rule:admin_required",
- "identity:validate_token": "rule:service_or_admin",
+ "identity:check_token": "rule:admin_or_token_subject",
+ "identity:validate_token": "rule:service_admin_or_token_subject",
 "identity:validate_token_head": "rule:service_or_admin",
 "identity:revocation_list": "rule:service_or_admin",
 "identity:revoke_token": "rule:admin_or_token_subject",
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 2355a17307..fcf61ed7c2 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -7,6 +7,7 @@
 "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
 "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
 "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
+ "service_admin_or_owner": "rule:service_or_admin or rule:owner",
 "default": "rule:admin_required",
@@ -100,7 +101,7 @@
 "identity:change_password": "rule:owner",
 "identity:check_token": "rule:admin_or_owner",
- "identity:validate_token": "rule:service_or_admin",
+ "identity:validate_token": "rule:service_admin_or_owner",
 "identity:validate_token_head": "rule:service_or_admin",
 "identity:revocation_list": "rule:service_or_admin",
 "identity:revoke_token": "rule:admin_or_owner",
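Review bot: `identity:validate_token_head` is left at `rule:service_or_admin` in the second policy.json hunk while `identity:check_token` and `identity:validate_token` on the lines just above now admit the token subject, and the v3cloudsample hunk leaves it the same way. If that operation is the v2 HEAD form of token validation, keeping it service/admin-only may be deliberate, but nothing in the hunks says so, and the result is that the same user is allowed the GET form of validation and refused the HEAD form guarded by this rule. The test_v3_protection hunks only exercise HEAD /v3/auth/tokens, which from the expected 200 appears to be guarded by check_token rather than by this rule, so the head rule's behaviour stays untested. Either changing it to `"identity:validate_token_head": "rule:service_admin_or_token_subject",` (and `rule:service_admin_or_owner` in the cloud sample) or recording in the commit message why it stays narrower would settle the question.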
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 9d51b41fb2..70e8b124ed 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -224,6 +224,7 @@ class PolicyJsonTestCase(tests.TestCase):
 tests.dirs.etc('policy.v3cloudsample.json'))
 policy_extra_keys = ['admin_or_token_subject',
+ 'service_admin_or_token_subject',
 'token_subject',
 ]
 expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
 diffs = set(policy_keys).difference(set(expected_policy_keys))
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index 6f1c9ebb36..155174e041 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -391,23 +391,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
 # Given a non-admin user token, the token can be used to validate
 # itself.
 # This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
- # FIXME(blk-u): This test fails, a user can't validate their own token,
- # see bug 1421825.
 auth = self.build_authentication_request(
 user_id=self.just_a_user['id'],
 password=self.just_a_user['password'])
 token = self.get_requested_token(auth)
- # FIXME(blk-u): remove expected_status=403.
 self.get('/auth/tokens', token=token,
- headers={'X-Subject-Token': token}, expected_status=403)
+ headers={'X-Subject-Token': token})
 def test_user_validate_user_token(self):
 # A user can validate one of their own tokens.
 # This is GET /v3/auth/tokens
- # FIXME(blk-u): This test fails, a user can't validate their own token,
- # see bug 1421825.
 auth = self.build_authentication_request(
 user_id=self.just_a_user['id'],
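Review bot: The new `self.get('/auth/tokens', ...)` call in the @@ -391 hunk drops `expected_status` altogether and relies on the helper's default, while the HEAD counterparts in the @@ -458 and @@ -482 hunks pass `expected_status=200` explicitly; within one change the positive expectation should be spelled the same way, and an explicit `expected_status=200` also keeps the test from silently following any future change to the default. The same applies to the GET calls in the @@ -415, @@ -976 and @@ -1000 hunks. These tests still assert only the status code, so they prove the request is no longer refused but not that the subject user got their own token back; capturing the response, `r = self.get('/auth/tokens', token=token, headers={'X-Subject-Token': token}, expected_status=200)`, and adding `self.assertEqual(self.just_a_user['id'], r.result['token']['user']['id'])` would pin what the new policy rule actually permits. Both test methods touched by this hunk begin before its first line, and the second one continues past its last line.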
@@ -415,9 +410,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
 token1 = self.get_requested_token(auth)
 token2 = self.get_requested_token(auth)
- # FIXME(blk-u): remove expected_status=403.
 self.get('/auth/tokens', token=token1,
- headers={'X-Subject-Token': token2}, expected_status=403)
+ headers={'X-Subject-Token': token2})
 def test_user_validate_other_user_token_rejected(self):
 # A user cannot validate another user's token.
@@ -458,23 +452,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
 # Given a non-admin user token, the token can be used to check
 # itself.
 # This is HEAD /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
- # FIXME(blk-u): This test fails, a user can't check the same token,
- # see bug 1421825.
 auth = self.build_authentication_request(
 user_id=self.just_a_user['id'],
 password=self.just_a_user['password'])
 token = self.get_requested_token(auth)
- # FIXME(blk-u): change to expected_status=200
 self.head('/auth/tokens', token=token,
- headers={'X-Subject-Token': token}, expected_status=403)
+ headers={'X-Subject-Token': token}, expected_status=200)
 def test_user_check_user_token(self):
 # A user can check one of their own tokens.
 # This is HEAD /v3/auth/tokens
- # FIXME(blk-u): This test fails, a user can't check the same token,
- # see bug 1421825.
 auth = self.build_authentication_request(
 user_id=self.just_a_user['id'],
@@ -482,9 +471,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
 token1 = self.get_requested_token(auth)
 token2 = self.get_requested_token(auth)
- # FIXME(blk-u): change to expected_status=200
 self.head('/auth/tokens', token=token1,
- headers={'X-Subject-Token': token2}, expected_status=403)
+ headers={'X-Subject-Token': token2}, expected_status=200)
 def test_user_check_other_user_token_rejected(self):
 # A user cannot check another user's token.
@@ -976,23 +964,18 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
 # Given a non-admin user token, the token can be used to validate
 # itself.
 # This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
- # FIXME(blk-u): This test fails, a user can't validate their own token,
- # see bug 1421825.
 auth = self.build_authentication_request(
 user_id=self.just_a_user['id'],
 password=self.just_a_user['password'])
 token = self.get_requested_token(auth)
- # FIXME(blk-u): remove expected_status=403.
 self.get('/auth/tokens', token=token,
- headers={'X-Subject-Token': token}, expected_status=403)
+ headers={'X-Subject-Token': token})
 def test_user_validate_user_token(self):
 # A user can validate one of their own tokens.
 # This is GET /v3/auth/tokens
- # FIXME(blk-u): This test fails, a user can't validate their own token,
- # see bug 1421825.
 auth = self.build_authentication_request(
 user_id=self.just_a_user['id'],
@@ -1000,9 +983,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
 token1 = self.get_requested_token(auth)
 token2 = self.get_requested_token(auth)
- # FIXME(blk-u): remove expected_status=403.
 self.get('/auth/tokens', token=token1,
- headers={'X-Subject-Token': token2}, expected_status=403)
+ headers={'X-Subject-Token': token2})
 def test_user_validate_other_user_token_rejected(self):
 # A user cannot validate another user's token.
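Review bot: The two hunks in IdentityTestv3CloudPolicySample are line-for-line copies of the @@ -391 and @@ -415 hunks in IdentityTestPolicySample, down to the removed FIXMEs and the retained comments, so every future change to the token-validation expectations has to be made twice and can drift. Moving these validate/check methods into a mixin both classes inherit, with the policy file under test as the only per-class difference, would keep the two sample policies covered by one set of assertions. The chunk ends inside this class before any HEAD test, so I cannot see whether the cloud-sample check tests were touched; if any of them still carries a `expected_status=403` left over from the FIXME, it needs the same update as the @@ -458 and @@ -482 hunks. The methods in both hunks begin before the hunk's first line.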