diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index f9d8371a91..e33473d071 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -2,7 +2,7 @@
 "context_is_admin": "role:admin",
 "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
- "admin_api": "is_admin:True",
+ "admin_api": "rule:context_is_admin",
 
 "bay:create": "rule:default",
 "bay:delete": "rule:default",
diff --git a/magnum/common/context.py b/magnum/common/context.py
index e35bb5522d..de306d9b23 100644
--- a/magnum/common/context.py
+++ b/magnum/common/context.py
@@ -65,6 +65,7 @@ class RequestContext(context.RequestContext):
 'is_admin': self.is_admin,
 'is_public_api': self.is_public_api,
 'read_only': self.read_only,
+ 'roles': self.roles,
 'show_deleted': self.show_deleted,
 'request_id': self.request_id,
 'trust_id': self.trust_id,
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index 8cdd81ac17..10a62d292d 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -18,7 +18,7 @@ policy_data = """
 "context_is_admin": "role:admin",
 "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
- "admin_api": "is_admin:True",
+ "admin_api": "rule:context_is_admin",
 
 "bay:create": "",
 "bay:delete": "",
diff --git a/magnum/tests/unit/common/test_context.py b/magnum/tests/unit/common/test_context.py
index 61a9f0ed46..1e7f1ceb55 100644
--- a/magnum/tests/unit/common/test_context.py
+++ b/magnum/tests/unit/common/test_context.py
@@ -27,6 +27,7 @@ class ContextTestCase(base.TestCase):
 user_id='user-id1',
 project_name='tenant1',
 project_id='tenant-id1',
+ roles=['admin', 'service'],
 is_admin=True,
 is_public_api=True,
 read_only=True,
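Review bot: `admin_api` now resolves through `context_is_admin`, i.e. `role:admin`, so the check moves from the context's `is_admin` flag to the role list in the credentials; a context built with `is_admin=True` but no roles, which the old `is_admin:True` rule accepted, no longer passes `admin_api`. That is a reasonable tightening, but any internal caller that constructs an admin context without roles (none are visible here) would need `roles=['admin']` or a rule of its own, and the `default`/`admin_or_owner` rules still honour `is_admin:True`, so the two paths now diverge. The same edit appears in the `magnum/tests/fake_policy.py` hunk. Since JSON carries no comments, the commit message is the place to state that `is_admin` alone no longer grants `admin_api`.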
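Review bot: `to_dict` now publishes `roles` so that `rule:context_is_admin` can evaluate `role:admin` against this context, but the hunk shows only the serialization side; where `roles` is populated (the constructor, `from_dict`, or the request's role header) is outside the hunk, and nothing here guarantees it is a list. If a context is created without roles and the attribute is `None`, a `role:` check would iterate over `None` instead of simply denying; presumably the oslo.context base defaults it to `[]` — confirm. A short why-comment above the new key would help the next reader, e.g. `# exported so policy rules of the form role:<name> (context_is_admin) can match`. `to_dict` starts and ends outside the hunk.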
@@ -46,6 +47,8 @@ class ContextTestCase(base.TestCase):
 self.assertEqual("user-id1", ctx.user_id)
 self.assertEqual("tenant1", ctx.project_name)
 self.assertEqual("tenant-id1", ctx.project_id)
+ for role in ctx.roles:
+ self.assertTrue(role in ['admin', 'service'])
 self.assertTrue(ctx.is_admin)
 self.assertTrue(ctx.is_public_api)
 self.assertTrue(ctx.read_only)
@@ -70,6 +73,7 @@ class ContextTestCase(base.TestCase):
 self.assertEqual(ctx.is_admin, ctx2.is_admin)
 self.assertEqual(ctx.is_public_api, ctx2.is_public_api)
 self.assertEqual(ctx.read_only, ctx2.read_only)
+ self.assertEqual(ctx.roles, ctx2.roles)
 self.assertEqual(ctx.show_deleted, ctx2.show_deleted)
 self.assertEqual(ctx.request_id, ctx2.request_id)
 self.assertEqual(ctx.trust_id, ctx2.trust_id)
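Review bot: The new loop in the `-46` hunk passes vacuously when `ctx.roles` is empty or is missing one of the two roles, because it only checks that each role present is in the allowed list, which is exactly the failure mode a roles regression would produce. `self.assertEqual(['admin', 'service'], ctx.roles)` pins both the contents and the order and reports the actual value on failure, where `assertTrue(role in [...])` only prints that `False is not true`. The enclosing test method starts before the hunk.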