diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index 60076bc9248f..d2c61031af5e 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -30,8 +30,8 @@
     "compute:stop": "rule:admin_or_owner",
 
     "compute:get_lock": "",
-    "compute:lock": "",
-    "compute:unlock": "",
+    "compute:lock": "rule:admin_or_owner",
+    "compute:unlock": "rule:admin_or_owner",
     "compute:unlock_override": "rule:admin_api",
 
     "compute:get_vnc_console": "",
diff --git a/nova/tests/unit/test_policy.py b/nova/tests/unit/test_policy.py
index 2586ce45c4b1..9c1b158b4c29 100644
--- a/nova/tests/unit/test_policy.py
+++ b/nova/tests/unit/test_policy.py
@@ -371,6 +371,8 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "compute:delete",
 "compute:soft_delete",
 "compute:force_delete",
+"compute:lock",
+"compute:unlock",
 "compute_extension:admin_actions:pause",
 "compute_extension:admin_actions:unpause",
 "compute_extension:admin_actions:suspend",
@@ -442,7 +444,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "compute:get_spice_console",
 "compute:get_vnc_console",
 "compute:inject_network_info",
-"compute:lock",
 "compute:pause",
 "compute:remove_fixed_ip",
 "compute:rescue",
@@ -455,7 +456,6 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
 "compute:snapshot",
 "compute:suspend",
 "compute:swap_volume",
-"compute:unlock",
 "compute:unpause",
 "compute:unrescue",
 "compute:update",