diff --git a/etc/policy.json b/etc/policy.json
index bd7630c74f7..d897fcf6cf7 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -73,6 +73,7 @@
 "create_port": "",
 "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
 "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@@ -89,6 +90,7 @@
 "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
 "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+ "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
 "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@@ -101,6 +103,8 @@
 "get_router:ha": "rule:admin_only",
 "create_router": "rule:regular_user",
+ "create_router:external_gateway_info": "rule:admin_or_owner",
+ "create_router:external_gateway_info:network_id": "rule:admin_or_owner",
 "create_router:external_gateway_info:enable_snat": "rule:admin_only",
 "create_router:distributed": "rule:admin_only",
 "create_router:ha": "rule:admin_only",
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index bd7630c74f7..d897fcf6cf7 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
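Review bot: The new `create_port:fixed_ips` rule omits `rule:shared`, although `create_port:fixed_ips:subnet_id` two lines below still grants it. How the policy engine combines a parent attribute rule with its sub-attribute rules is not visible in this diff; if the parent must pass as well, a tenant on a shared network can no longer choose a subnet for its port and the `or rule:shared` on the child never takes effect. Either extend the parent to `"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"` and leave the stricter `ip_address` child to guard address selection, or state in the commit message that the tighter rule is intended. The same applies to `update_port:fixed_ips` in the next hunk and to both port hunks in neutron/tests/etc/policy.json.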
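Review bot: Parent rules are added for `create_router:external_gateway_info` and its `network_id`, but nothing in this diff covers the update path, whereas the port hunks add both `create_port` and `update_port` entries. If the file also carries `update_router:external_gateway_info:*` sub-attribute rules (outside the lines shown here), they would need the matching parent, e.g. `"update_router:external_gateway_info": "rule:admin_or_owner"`, otherwise the gateway sub-attributes stay without a parent rule on update. The same hunk in neutron/tests/etc/policy.json should follow whatever is decided here.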
@@ -73,6 +73,7 @@
 "create_port": "",
 "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
 "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@@ -89,6 +90,7 @@
 "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
 "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
+ "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
 "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
@@ -101,6 +103,8 @@
 "get_router:ha": "rule:admin_only",
 "create_router": "rule:regular_user",
+ "create_router:external_gateway_info": "rule:admin_or_owner",
+ "create_router:external_gateway_info:network_id": "rule:admin_or_owner",
 "create_router:external_gateway_info:enable_snat": "rule:admin_only",
 "create_router:distributed": "rule:admin_only",
 "create_router:ha": "rule:admin_only",
diff --git a/neutron/tests/unit/extensions/test_l3.py b/neutron/tests/unit/extensions/test_l3.py
index 4c3bdf623d5..d760d6507ab 100644
--- a/neutron/tests/unit/extensions/test_l3.py
+++ b/neutron/tests/unit/extensions/test_l3.py
@@ -1276,8 +1276,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin): 'ip_address': s2['subnet']['gateway_ip']} with self.port(subnet=s1, fixed_ips=fixed_ips, - tenant_id=router_tenant_id, - set_context=True) as p: + tenant_id=router_tenant_id) as p: kwargs = {'expected_code': expected_code} if not router_action_as_admin: kwargs['tenant_id'] = router_tenant_id @@ -1778,7 +1777,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin): gw_info = body['router']['external_gateway_info'] self.assertIsNone(gw_info) - def test_create_router_port_with_device_id_of_other_teants_router(self): + def test_create_router_port_with_device_id_of_other_tenants_router(self): with self.router() as admin_router: with self.network(tenant_id='tenant_a', set_context=True) as n: @@ -1792,7 +1791,7 @@ class L3NatTestCaseBase(L3NatTestCaseMixin): set_context=True, expected_res_status=exc.HTTPConflict.code) - def test_create_non_router_port_device_id_of_other_teants_router_update( + def test_create_non_router_port_device_id_of_other_tenants_router_update( self): # This tests that HTTPConflict is raised if we create a non-router # port that matches the device_id of another tenants router and then
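Review bot: In the first hunk, dropping `set_context=True` from the `self.port(...)` call means the port with explicit `fixed_ips` is no longer created under the tenant's own context, so this test stops exercising a tenant creating such a port. Presumably the new `create_port:fixed_ips` policy now rejects that request; a short comment above the call would make the reason explicit, e.g. `# created without tenant context: fixed_ips is restricted by policy to admin, advsvc or the network owner`. No test visible in this diff asserts that a tenant who does not own the network is denied when it supplies `fixed_ips`, so a negative test for both create and update would cover the rule itself. The enclosing test method starts and ends outside the hunk.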