diff --git a/doc/config-reference/ch_imageservice.xml b/doc/config-reference/ch_imageservice.xml
index 49f78c8532..4d7909cb9e 100644
--- a/doc/config-reference/ch_imageservice.xml
+++ b/doc/config-reference/ch_imageservice.xml
@@ -47,5 +47,5 @@
-
+
diff --git a/doc/config-reference/image/section_glance-property-protection.xml b/doc/config-reference/image/section_glance-property-protection.xml
new file mode 100644
index 0000000000..24b10c0456
--- /dev/null
+++ b/doc/config-reference/image/section_glance-property-protection.xml
@@ -0,0 +1,26 @@
+
+
+ Image property protection
+ There are currently two types of properties in the Image
+ Service: "core properties," which are defined by the system, and
+ "additional properties," which are arbitrary key/value pairs that
+ can be set on an image.
+ With the Havana release, any such property can be protected
+ through configuration. When you put protections on a property, it
+ limits the users who can perform CRUD operations on the property
+ based on their user role. The use case is to enable the cloud
+ provider to maintain extra properties on images so typically this
+ would be an administrator who has access to protected properties,
+ managed with policy.json. The extra property
+ could be licensing information or billing information, for
+ example.
+ Properties that don't have protections defined for them will
+ act as they do now: the administrator can control core properties,
+ with the image owner having control over additional properties.
+ Property protection can be set in
+ /etc/glance/property-protections.conf, using
+ roles found in policy.json.
+