diff --git a/magnum/api/controllers/v1/bay.py b/magnum/api/controllers/v1/bay.py
index 521fe2b938..f78bdf1599 100644
--- a/magnum/api/controllers/v1/bay.py
+++ b/magnum/api/controllers/v1/bay.py
@@ -371,7 +371,7 @@ class BaysController(base.Controller):
         """
         context = pecan.request.context
         bay = api_utils.get_resource('Cluster', bay_ident)
-        policy.enforce(context, 'bay:get', bay,
+        policy.enforce(context, 'bay:get', bay.as_dict(),
                        action='bay:get')
 
         bay = Bay.convert_with_links(bay)
@@ -478,7 +478,7 @@ class BaysController(base.Controller):
     def _patch(self, bay_ident, patch):
         context = pecan.request.context
         bay = api_utils.get_resource('Cluster', bay_ident)
-        policy.enforce(context, 'bay:update', bay,
+        policy.enforce(context, 'bay:update', bay.as_dict(),
                        action='bay:update')
         try:
             bay_dict = bay.as_dict()
@@ -528,6 +528,6 @@ class BaysController(base.Controller):
     def _delete(self, bay_ident):
         context = pecan.request.context
         bay = api_utils.get_resource('Cluster', bay_ident)
-        policy.enforce(context, 'bay:delete', bay,
+        policy.enforce(context, 'bay:delete', bay.as_dict(),
                        action='bay:delete')
         return bay
diff --git a/magnum/api/controllers/v1/baymodel.py b/magnum/api/controllers/v1/baymodel.py
index 7d7e1a1d46..7e229e43a4 100644
--- a/magnum/api/controllers/v1/baymodel.py
+++ b/magnum/api/controllers/v1/baymodel.py
@@ -312,7 +312,7 @@ class BayModelsController(base.Controller):
         context = pecan.request.context
         baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
         if not baymodel.public:
-            policy.enforce(context, 'baymodel:get', baymodel,
+            policy.enforce(context, 'baymodel:get', baymodel.as_dict(),
                            action='baymodel:get')
 
         return BayModel.convert_with_links(baymodel)
@@ -369,7 +369,7 @@ class BayModelsController(base.Controller):
         """
         context = pecan.request.context
         baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
-        policy.enforce(context, 'baymodel:update', baymodel,
+        policy.enforce(context, 'baymodel:update', baymodel.as_dict(),
                        action='baymodel:update')
         try:
             baymodel_dict = baymodel.as_dict()
@@ -410,6 +410,6 @@ class BayModelsController(base.Controller):
         """
         context = pecan.request.context
         baymodel = api_utils.get_resource('ClusterTemplate', baymodel_ident)
-        policy.enforce(context, 'baymodel:delete', baymodel,
+        policy.enforce(context, 'baymodel:delete', baymodel.as_dict(),
                        action='baymodel:delete')
         baymodel.destroy()
diff --git a/magnum/api/controllers/v1/certificate.py b/magnum/api/controllers/v1/certificate.py
index 6068d12daf..069cf122ae 100644
--- a/magnum/api/controllers/v1/certificate.py
+++ b/magnum/api/controllers/v1/certificate.py
@@ -143,7 +143,7 @@ class CertificateController(base.Controller):
         """
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'certificate:get', cluster,
+        policy.enforce(context, 'certificate:get', cluster.as_dict(),
                        action='certificate:get')
         certificate = pecan.request.rpcapi.get_ca_certificate(cluster)
         return Certificate.convert_with_links(certificate)
@@ -156,7 +156,7 @@ class CertificateController(base.Controller):
         """
         context = pecan.request.context
         cluster = certificate.get_cluster()
-        policy.enforce(context, 'certificate:create', cluster,
+        policy.enforce(context, 'certificate:create', cluster.as_dict(),
                        action='certificate:create')
         certificate_dict = certificate.as_dict()
         certificate_dict['project_id'] = context.project_id
@@ -171,7 +171,7 @@ class CertificateController(base.Controller):
     def patch(self, cluster_ident):
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'certificate:rotate_ca', cluster,
+        policy.enforce(context, 'certificate:rotate_ca', cluster.as_dict(),
                        action='certificate:rotate_ca')
         if cluster.cluster_template.tls_disabled:
             raise exception.NotSupported("Rotating the CA certificate on a "
diff --git a/magnum/api/controllers/v1/cluster.py b/magnum/api/controllers/v1/cluster.py
index cb998e4766..8a9d55a7d6 100644
--- a/magnum/api/controllers/v1/cluster.py
+++ b/magnum/api/controllers/v1/cluster.py
@@ -345,7 +345,7 @@ class ClustersController(base.Controller):
         """
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'cluster:get', cluster,
+        policy.enforce(context, 'cluster:get', cluster.as_dict(),
                        action='cluster:get')
 
         cluster = Cluster.convert_with_links(cluster)
@@ -450,7 +450,7 @@ class ClustersController(base.Controller):
     def _patch(self, cluster_ident, patch):
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'cluster:update', cluster,
+        policy.enforce(context, 'cluster:update', cluster.as_dict(),
                        action='cluster:update')
         try:
             cluster_dict = cluster.as_dict()
@@ -484,7 +484,7 @@ class ClustersController(base.Controller):
         """
         context = pecan.request.context
         cluster = api_utils.get_resource('Cluster', cluster_ident)
-        policy.enforce(context, 'cluster:delete', cluster,
+        policy.enforce(context, 'cluster:delete', cluster.as_dict(),
                        action='cluster:delete')
 
         pecan.request.rpcapi.cluster_delete_async(cluster.uuid)
diff --git a/magnum/api/controllers/v1/cluster_template.py b/magnum/api/controllers/v1/cluster_template.py
index 58d896a96c..cc95bfcfe9 100644
--- a/magnum/api/controllers/v1/cluster_template.py
+++ b/magnum/api/controllers/v1/cluster_template.py
@@ -320,7 +320,8 @@ class ClusterTemplatesController(base.Controller):
         cluster_template = api_utils.get_resource('ClusterTemplate',
                                                   cluster_template_ident)
         if not cluster_template.public:
-            policy.enforce(context, 'clustertemplate:get', cluster_template,
+            policy.enforce(context, 'clustertemplate:get',
+                           cluster_template.as_dict(),
                            action='clustertemplate:get')
 
         return ClusterTemplate.convert_with_links(cluster_template)
@@ -383,7 +384,8 @@ class ClusterTemplatesController(base.Controller):
         context = pecan.request.context
         cluster_template = api_utils.get_resource('ClusterTemplate',
                                                   cluster_template_ident)
-        policy.enforce(context, 'clustertemplate:update', cluster_template,
+        policy.enforce(context, 'clustertemplate:update',
+                       cluster_template.as_dict(),
                        action='clustertemplate:update')
         try:
             cluster_template_dict = cluster_template.as_dict()
@@ -427,6 +429,7 @@ class ClusterTemplatesController(base.Controller):
         context = pecan.request.context
         cluster_template = api_utils.get_resource('ClusterTemplate',
                                                   cluster_template_ident)
-        policy.enforce(context, 'clustertemplate:delete', cluster_template,
+        policy.enforce(context, 'clustertemplate:delete',
+                       cluster_template.as_dict(),
                        action='clustertemplate:delete')
         cluster_template.destroy()