diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index ed8ecdf0bc..a73b900831 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -93,5 +93,24 @@
 "identity:list_roles_for_trust": "",
 "identity:check_role_for_trust": "",
 "identity:get_role_for_trust": "",
- "identity:delete_trust": ""
+ "identity:delete_trust": "",
+
+ "identity:create_consumer": "rule:admin_required",
+ "identity:get_consumer": "rule:admin_required",
+ "identity:list_consumers": "rule:admin_required",
+ "identity:delete_consumer": "rule:admin_required",
+ "identity:update_consumer": "rule:admin_required",
+
+ "identity:authorize_request_token": "rule:admin_required",
+ "identity:list_access_token_roles": "rule:admin_required",
+ "identity:get_access_token_role": "rule:admin_required",
+ "identity:list_access_tokens": "rule:admin_required",
+ "identity:get_access_token": "rule:admin_required",
+ "identity:delete_access_token": "rule:admin_required",
+
+ "identity:list_projects_for_endpoint": "rule:admin_required",
+ "identity:add_endpoint_to_project": "rule:admin_required",
+ "identity:check_endpoint_in_project": "rule:admin_required",
+ "identity:list_endpoints_for_project": "rule:admin_required",
+ "identity:remove_endpoint_from_project": "rule:admin_required"
 }
diff --git a/keystone/tests/test_policy.py b/keystone/tests/test_policy.py
index cb641bf5b3..cb5ae3ce8a 100644
--- a/keystone/tests/test_policy.py
+++ b/keystone/tests/test_policy.py
@@ -15,10 +15,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import json
 import StringIO
 import tempfile
 import urllib2
+from testtools import matchers
+
 from keystone import config
 from keystone import exception
 from keystone.openstack.common.fixture import moxstubout
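Review bot: The new consumer and endpoint-to-project entries in this hunk are all gated on the flat `rule:admin_required`, which sits oddly in a sample whose purpose is to separate cloud-level from domain-level administration. Consumers and endpoint/project associations are cloud-wide resources, so if `admin_required` is the plain admin-role check (its definition is outside the hunk), an admin of any single domain or project could register OAuth consumers or change which endpoints another project is offered. If the `cloud_admin` rule defined earlier in this file is the intended gate for such resources, entries like `"identity:create_consumer": "rule:cloud_admin"` and `"identity:add_endpoint_to_project": "rule:cloud_admin"` would match the rest of the sample. The access-token entries also mean a user cannot list or revoke their own delegated tokens without an admin; that may be deliberate, but owner-initiated revocation is worth considering here.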
@@ -208,3 +211,18 @@ class DefaultPolicyTestCase(tests.TestCase): self._set_rules(new_default_rule) self.assertRaises(exception.ForbiddenAction, rules.enforce, self.credentials, "example:noexist", {}) + + +class PolicyJsonTestCase(tests.TestCase): + + def _load_entries(self, filename): + return set(json.load(file(filename))) + + def test_json_examples_have_matching_entries(self): + policy_keys = self._load_entries(tests.etcdir('policy.json')) + cloud_policy_keys = self._load_entries( + tests.etcdir('policy.v3cloudsample.json')) + + diffs = set(policy_keys).difference(set(cloud_policy_keys)) + + self.assertThat(diffs, matchers.Equals(set()))
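Review bot: `_load_entries` opens the policy file with the Python 2 `file()` builtin and never closes it, so the handle is left to the garbage collector; `with open(filename) as f:` followed by `return set(json.load(f))` closes it deterministically. The helper already returns a set, so the wrappers in `set(policy_keys).difference(set(cloud_policy_keys))` are redundant and `policy_keys - cloud_policy_keys` says the same thing. The test should also carry a docstring stating its limits: it proves only that every key in `policy.json` is present in the cloud sample, which catches an action missing from the sample (one that would fall through to the default rule, as the `example:noexist` case just above exercises). A misspelled key that exists only in the sample, or an entry whose rule is the empty string, still passes.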