diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index fc912bcbb2..188eb0d8e6 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -24,20 +24,6 @@
 "identity:delete_project_tags": "rule:admin_required",
 "identity:update_project_tags": "rule:admin_required",
- "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
- "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
- "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
- "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
- "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
- "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
 "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
 "identity:ec2_create_credential": "rule:admin_required or rule:owner",
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index cc0a897492..79f02897ab 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -255,7 +255,17 @@ class PolicyJsonTestCase(unit.TestCase):
 'identity:get_user',
 'identity:list_users',
 'identity:update_user',
- 'identity:delete_user'
+ 'identity:delete_user',
+ 'identity:get_group',
+ 'identity:list_groups',
+ 'identity:list_groups_for_user',
+ 'identity:create_group',
+ 'identity:update_group',
+ 'identity:delete_group',
+ 'identity:list_users_in_group',
+ 'identity:remove_user_from_group',
+ 'identity:check_user_in_group',
+ 'identity:add_user_to_group'
 ]
 policy_keys = self._get_default_policy_rules()
 for p in removed_policies:
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index 0ee91c7144..6d3d66666b 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
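Review bot: The new last entry `'identity:add_user_to_group'` is again written without a trailing comma, so the next target removed from the sample will have to rewrite this line exactly as this hunk had to rewrite `'identity:delete_user'`; write it as `'identity:add_user_to_group',`. The ten new entries also carry no explanation of why they are expected to be absent; a one-line comment above them such as `# group targets: sample rules dropped, defaults now live in code` would tie the list to the change. The `removed_policies` assignment begins and the `for p in removed_policies:` loop body ends outside the hunk, so what is asserted per entry is not visible here; presumably it checks the target is absent from the sample file, and if so it does not by itself show that an in-code default now exists for each of these group targets, which would be worth pointing at from the same comment if that coverage lives in another test.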
@@ -919,31 +919,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 self.post('/roles', auth=self.auth, body={'role': role_ref},
 expected_status=status_created)
- def test_group_management(self):
- # First, authenticate with a user that does not have the domain
- # admin role - shouldn't be able to do much.
- self.auth = self.build_authentication_request(
- user_id=self.just_a_user['id'],
- password=self.just_a_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_group_management(
- self.group1, expected=exception.ForbiddenAction.code)
-
- # ...but should be able to list groups of which they are a member
- url = '/users/%s/groups' % self.just_a_user['id']
- self.get(url, auth=self.auth)
-
- # Now, authenticate with a user that does have the domain admin role
- self.auth = self.build_authentication_request(
- user_id=self.domain_admin_user['id'],
- password=self.domain_admin_user['password'],
- domain_id=self.domainA['id'])
-
- self._test_group_management(self.group1)
- self._test_group_management(self.group3,
- expected=exception.ForbiddenAction.code)
-
 def test_group_management_by_cloud_admin(self):
 # Test groups management with a cloud admin. This user should
 # be able to manage groups in any domain.
diff --git a/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml b/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
new file mode 100644
index 0000000000..ec6d88fc48
--- /dev/null
+++ b/releasenotes/notes/bug-1806762-2092fee9f6c87dc3.yaml
@@ -0,0 +1,15 @@
+---
+upgrade:
+ - |
+ [`bug 1804462 `_]
+ The group policies defined in ``policy.v3cloudsample.json`` have
+ been removed. These policies are now obsolete after incorporating
+ system-scope and domain-scope into the groups API and implementing default
+ roles.
+fixes:
+ - |
+ [`bug 1804462 `_]
+ The group policies in ``policy.v3cloudsample.json`` policy file
+ have been removed in favor of better defaults in code. These
+ policies weren't tested exhaustively and were misleading to users
+ and operators.