diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index c59e0750..bd7630c7 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -73,7 +73,8 @@
 "create_port": "",
 "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
 "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "create_port:binding:host_id": "rule:admin_only",
 "create_port:binding:profile": "rule:admin_only",
@@ -88,7 +89,8 @@
 "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
 "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
- "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
+ "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
 "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
 "update_port:binding:host_id": "rule:admin_only",
 "update_port:binding:profile": "rule:admin_only",
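Review bot: Removing the parent `create_port:fixed_ips` rule (and `update_port:fixed_ips` in the second hunk) leaves the attribute guarded only by the two new sub-attribute keys, so the restriction holds only if the Neutron release this template is rendered for actually evaluates `fixed_ips:ip_address` and `fixed_ips:subnet_id`; on a release that does not, the new keys would presumably be ignored and the address choice would fall back to whatever the empty `create_port` rule allows. If the template serves more than one release, the split should sit inside a Jinja conditional on the release, with the old key kept in the other branch. The new `subnet_id` lines also reference `rule:shared`, whose definition is outside both hunks, so confirm it exists in this file and matches only networks marked shared. A template comment such as `{# ip_address stays owner/admin-only; subnet_id is additionally allowed on shared networks #}` above each pair would record why the two sub-rules differ.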