diff --git a/etc/policy.json b/etc/policy.json
index 92071425..4aab8d51 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -56,7 +56,9 @@
     "update_network:router:external": "rule:admin_only",
     "delete_network": "rule:admin_or_owner",
 
+    "network_device": "field:port:device_owner=~^network:",
     "create_port": "",
+    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
@@ -71,6 +73,7 @@
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
     "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index 92071425..4aab8d51 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@@ -56,7 +56,9 @@
     "update_network:router:external": "rule:admin_only",
     "delete_network": "rule:admin_or_owner",
 
+    "network_device": "field:port:device_owner=~^network:",
     "create_port": "",
+    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
@@ -71,6 +73,7 @@
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
+    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
     "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
     "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",