diff --git a/etc/policy.json b/etc/policy.json
index c551eb81..897ca5ce 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -4,7 +4,7 @@
     "admin_or_owner": "rule:context_is_admin or rule:owner",
     "context_is_advsvc":  "role:advsvc",
     "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
-    "admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
+    "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
     "admin_only": "rule:context_is_admin",
     "regular_user": "",
     "shared": "field:networks:shared=True",
@@ -60,30 +60,30 @@
 
     "network_device": "field:port:device_owner=~^network:",
     "create_port": "",
-    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
-    "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
-    "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
+    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
     "get_port:binding:vif_details": "rule:admin_only",
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",
-    "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
+    "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
 
     "get_router:ha": "rule:admin_only",
     "create_router": "rule:regular_user",
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index c551eb81..897ca5ce 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@@ -4,7 +4,7 @@
     "admin_or_owner": "rule:context_is_admin or rule:owner",
     "context_is_advsvc":  "role:advsvc",
     "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
-    "admin_owner_or_network_owner": "rule:admin_or_network_owner or rule:owner",
+    "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
     "admin_only": "rule:context_is_admin",
     "regular_user": "",
     "shared": "field:networks:shared=True",
@@ -60,30 +60,30 @@
 
     "network_device": "field:port:device_owner=~^network:",
     "create_port": "",
-    "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
-    "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
-    "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "get_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
+    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
     "get_port:binding:vif_details": "rule:admin_only",
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-    "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
-    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
-    "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+    "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",
-    "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
-    "delete_port": "rule:admin_owner_or_network_owner or rule:context_is_advsvc",
+    "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
 
     "get_router:ha": "rule:admin_only",
     "create_router": "rule:regular_user",