diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index e0c768d736..eac6513833 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -1,14 +1,6 @@
 {
 "default": "rule:admin_or_owner",
- "baymodel:create": "rule:deny_cluster_user",
- "baymodel:delete": "rule:deny_cluster_user",
- "baymodel:detail": "rule:deny_cluster_user",
- "baymodel:get": "rule:deny_cluster_user",
- "baymodel:get_all": "rule:deny_cluster_user",
- "baymodel:update": "rule:deny_cluster_user",
- "baymodel:publish": "rule:admin_api",
- "cluster:create": "rule:deny_cluster_user",
 "cluster:delete": "rule:deny_cluster_user",
 "cluster:detail": "rule:deny_cluster_user",
diff --git a/magnum/common/policies/__init__.py b/magnum/common/policies/__init__.py
index 81d0fe3d4a..5ec120d9a7 100644
--- a/magnum/common/policies/__init__.py
+++ b/magnum/common/policies/__init__.py
@@ -16,10 +16,12 @@ import itertools
 from magnum.common.policies import base
 from magnum.common.policies import bay
+from magnum.common.policies import baymodel
 def list_rules():
 return itertools.chain(
 base.list_rules(),
- bay.list_rules()
+ bay.list_rules(),
+ baymodel.list_rules()
 )
diff --git a/magnum/common/policies/baymodel.py b/magnum/common/policies/baymodel.py
new file mode 100644
index 0000000000..a238079a9b
--- /dev/null
+++ b/magnum/common/policies/baymodel.py
@@ -0,0 +1,106 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+from magnum.common.policies import base
+
+BAYMODEL = 'baymodel:%s'
+
+rules = [
+ policy.DocumentedRuleDefault(
+ name=BAYMODEL % 'create',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Create a new baymodel.',
+ operations=[
+ {
+ 'path': '/v1/baymodels',
+ 'method': 'POST'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAYMODEL % 'delete',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Delete a baymodel.',
+ operations=[
+ {
+ 'path': '/v1/baymodels/{baymodel_ident}',
+ 'method': 'DELETE'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAYMODEL % 'detail',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve a list of baymodel with detail.',
+ operations=[
+ {
+ 'path': '/v1/baymodels',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAYMODEL % 'get',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve information about the given baymodel.',
+ operations=[
+ {
+ 'path': '/v1/baymodels/{baymodel_ident}',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAYMODEL % 'get_all',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Retrieve a list of baymodel.',
+ operations=[
+ {
+ 'path': '/v1/baymodels',
+ 'method': 'GET'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAYMODEL % 'update',
+ check_str=base.RULE_DENY_CLUSTER_USER,
+ description='Update an existing baymodel.',
+ operations=[
+ {
+ 'path': '/v1/baymodels/{baymodel_ident}',
+ 'method': 'PATCH'
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ name=BAYMODEL % 'publish',
+ check_str=base.RULE_ADMIN_API,
+ description='Publish an existing baymodel.',
+ operations=[
+ {
+ 'path': '/v1/baymodels',
+ 'method': 'POST'
+ },
+ {
+ 'path': '/v1/baymodels',
+ 'method': 'PATCH'
+ }
+ ]
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index 872923d48a..fc8aba3585 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -17,13 +17,6 @@ policy_data = """
 {
 "default": "rule:admin_or_owner",
- "baymodel:create": "",
- "baymodel:delete": "",
- "baymodel:detail": "",
- "baymodel:get": "",
- "baymodel:get_all": "",
- "baymodel:update": "",
- "cluster:create": "",
 "cluster:delete": "",
 "cluster:detail": "",
diff --git a/magnum/tests/unit/api/controllers/v1/test_baymodel.py b/magnum/tests/unit/api/controllers/v1/test_baymodel.py
index 20324d02d1..a1e208b84b 100644
--- a/magnum/tests/unit/api/controllers/v1/test_baymodel.py
+++ b/magnum/tests/unit/api/controllers/v1/test_baymodel.py
@@ -254,7 +254,9 @@ class TestPatch(api_base.FunctionalTest):
 [{'path': '/public', 'value': True, 'op': 'replace'}])
- def test_update_baymodel_with_bay_allow_update(self):
+ @mock.patch.object(magnum_policy, 'enforce')
+ def test_update_baymodel_with_bay_allow_update(self, mock_policy):
+ mock_policy.return_value = True
 baymodel = obj_utils.create_test_cluster_template(self.context)
 obj_utils.create_test_cluster(self.context, cluster_template_id=baymodel.uuid)
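Review bot: The `publish` rule near the end of the hunk documents its PATCH operation at `/v1/baymodels`, whereas the `update` rule in the same file documents PATCH at `/v1/baymodels/{baymodel_ident}`; publishing an existing baymodel acts on one specific resource, so the second entry should read `{'path': '/v1/baymodels/{baymodel_ident}', 'method': 'PATCH'}`. The `detail` and `get_all` rules likewise document the identical `GET /v1/baymodels` operation; if the detail listing is served under its own sub-path, that path belongs in the `detail` entry, otherwise the generated policy documentation cannot tell the two rules apart. These `operations` entries feed the generated policy documentation rather than enforcement, so the fix is documentation-only, but it is worth noting that the `check_str` values here are the enforced defaults only where a deployer's `policy.json` no longer carries a `baymodel:*` override, which the removal from `etc/magnum/policy.json` in this commit does not guarantee for existing installations. A one-line docstring on `list_rules`, e.g. `"""Return the baymodel policy rules to register with oslo.policy."""`, would round the module off.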