diff --git a/api-ref/source/v2/parameters.yaml b/api-ref/source/v2/parameters.yaml index 805ed7792..f76ee975b 100644 --- a/api-ref/source/v2/parameters.yaml +++ b/api-ref/source/v2/parameters.yaml @@ -877,15 +877,17 @@ not-tags-query: object_id-query: description: | Filter the RBAC policy list result by the ID of the ``object_type`` - resource. An ``object_type`` of ``network`` returns a network ID and - an ``object_type`` of ``qos-policy`` returns a QoS policy ID. + resource. An ``object_type`` of ``network`` returns a network ID, + an ``object_type`` of ``qos-policy`` returns a QoS policy ID, and + an ``object_type`` of ``security-group`` returns a security group ID. in: query required: false type: string object_type-query: description: | Filter the RBAC policy list result by the type of the object that the - RBAC policy affects. Types include ``qos-policy`` or ``network``. + RBAC policy affects. Types include ``qos-policy``, ``network``, or + ``security-group``. in: query required: false type: string diff --git a/api-ref/source/v2/rbac-policy.inc b/api-ref/source/v2/rbac-policy.inc index eb4404d9e..73140061c 100644 --- a/api-ref/source/v2/rbac-policy.inc +++ b/api-ref/source/v2/rbac-policy.inc @@ -6,6 +6,9 @@ RBAC Policies Lists, shows details for, creates, updates, and deletes RBAC policies. +The presence of the ``rbac-security-groups`` extension extends this +API to support object types of ``security_group``. + Show RBAC policy details ======================== diff --git a/neutron_lib/api/definitions/__init__.py b/neutron_lib/api/definitions/__init__.py index 4296ece5c..a4b58948b 100644 --- a/neutron_lib/api/definitions/__init__.py +++ b/neutron_lib/api/definitions/__init__.py 
@@ -81,6 +81,7 @@ from neutron_lib.api.definitions import qos_default
 from neutron_lib.api.definitions import qos_gateway_ip
 from neutron_lib.api.definitions import qos_rule_type_details
 from neutron_lib.api.definitions import qos_rules_alias
+from neutron_lib.api.definitions import rbac_security_groups
 from neutron_lib.api.definitions import revisionifmatch
 from neutron_lib.api.definitions import router_availability_zone
 from neutron_lib.api.definitions import router_interface_fip
@@ -179,6 +180,7 @@ _ALL_API_DEFINITIONS = {
 qos_gateway_ip,
 qos_rule_type_details,
 qos_rules_alias,
+ rbac_security_groups,
 revisionifmatch,
 router_availability_zone,
 router_interface_fip,
diff --git a/neutron_lib/api/definitions/base.py b/neutron_lib/api/definitions/base.py
index c530b150a..66c8932db 100644
--- a/neutron_lib/api/definitions/base.py
+++ b/neutron_lib/api/definitions/base.py
@@ -123,6 +123,7 @@ KNOWN_EXTENSIONS = (
 'qos-rules-alias',
 'quotas',
 'rbac-policies',
+ 'rbac-security-groups',
 'router',
 'router_availability_zone',
 'security-group',
diff --git a/neutron_lib/api/definitions/rbac_security_groups.py b/neutron_lib/api/definitions/rbac_security_groups.py
new file mode 100644
index 000000000..8e2979cd7
--- /dev/null
+++ b/neutron_lib/api/definitions/rbac_security_groups.py
@@ -0,0 +1,24 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+ALIAS = 'rbac-security-groups'
+IS_SHIM_EXTENSION = True
+IS_STANDARD_ATTR_EXTENSION = False
+NAME = 'Add security_group type to network RBAC'
+DESCRIPTION = 'Add security_group type to network RBAC'
+UPDATED_TIMESTAMP = '2019-02-14T00:00:00-00:00'
+RESOURCE_ATTRIBUTE_MAP = {}
+SUB_RESOURCE_ATTRIBUTE_MAP = {}
+ACTION_MAP = {}
+REQUIRED_EXTENSIONS = ['rbac-policies', 'security-group']
+OPTIONAL_EXTENSIONS = []
+ACTION_STATUS = {}
diff --git a/neutron_lib/tests/unit/api/definitions/test_rbac_security_groups.py b/neutron_lib/tests/unit/api/definitions/test_rbac_security_groups.py
new file mode 100644
index 000000000..9d9589c86
--- /dev/null
+++ b/neutron_lib/tests/unit/api/definitions/test_rbac_security_groups.py
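Review bot: `DESCRIPTION` in the new rbac_security_groups.py repeats `NAME` word for word, so the extension listing never states what the release note in this commit does, namely that the extension lets security groups be shared between tenants. That is an access-control change an operator should be able to recognise from the extension list, so I would spell it out, e.g. `DESCRIPTION = 'Allows security groups to be shared across tenants through RBAC policies'`. The object type is spelled `security_group` here and in rbac-policy.inc but ``security-group`` in the parameters.yaml hunk; only one of those can be the value the API accepts, so the api-ref text should be aligned with it. Because `RESOURCE_ATTRIBUTE_MAP` is empty, nothing in this module constrains the accepted `object_type` values; presumably that validation lives in the server-side RBAC code, which is worth confirming there.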
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from neutron_lib.api.definitions import rbac_security_groups
+from neutron_lib.tests.unit.api.definitions import base
+
+
+class RbacSecurityGroupsDefinitionTestCase(base.DefinitionBaseTestCase):
+ extension_module = rbac_security_groups
diff --git a/releasenotes/notes/add-rbac-security-groups-2e47acd9eac3a320.yaml b/releasenotes/notes/add-rbac-security-groups-2e47acd9eac3a320.yaml
new file mode 100644
index 000000000..10a23bf35
--- /dev/null
+++ b/releasenotes/notes/add-rbac-security-groups-2e47acd9eac3a320.yaml
@@ -0,0 +1,4 @@
+features:
+ - |
+ Adds API definition for ``rbac-security-groups`` extension, which allows
+ sharing security groups between tenants via the network RBAC mechanism.