diff --git a/manifests/params.pp b/manifests/params.pp
index 5e9d5b3c..17ed7980 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -17,6 +17,7 @@ class designate::params {
   $zone_manager_service_name = 'designate-zone-manager'
   $producer_service_name     = 'designate-producer'
   $worker_service_name       = 'designate-worker'
+  $group                     = 'designate'
 
   case $::osfamily {
     'RedHat': {
diff --git a/manifests/policy.pp b/manifests/policy.pp
index 1d3fe11e..da28fd1f 100644
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@@ -8,18 +8,17 @@
 #   (optional) Set of policies to configure for designate
 #   Example :
 #     {
-#       'create_domain' => {
-#         'key' => 'create_domain',
-#         'value' => 'rule:admin'
+#       'designate-context_is_admin' => {
+#         'key' => 'context_is_admin',
+#         'value' => 'true'
 #       },
-#       'delete_domain' => {
+#       'designate-default' => {
 #         'key' => 'default',
-#         'value' => 'rule:admin'
+#         'value' => 'rule:admin_or_owner'
 #       }
 #     }
 #   Defaults to empty hash.
 #
-#
 # [*policy_path*]
 #   (optional) Path to the designate policy.json file
 #   Defaults to /etc/designate/policy.json
@@ -30,14 +29,18 @@ class designate::policy (
 ) {
 
   include ::designate::deps
+  include ::designate::params
 
   validate_hash($policies)
 
   Openstacklib::Policy::Base {
-    file_path => $policy_path,
+    file_path  => $policy_path,
+    file_user  => 'root',
+    file_group => $::designate::params::group,
   }
 
   create_resources('openstacklib::policy::base', $policies)
+
   oslo::policy { 'designate_config': policy_file => $policy_path }
 
 }
diff --git a/spec/classes/designate_policy_spec.rb b/spec/classes/designate_policy_spec.rb
index 67b53285..f2c88ee4 100644
--- a/spec/classes/designate_policy_spec.rb
+++ b/spec/classes/designate_policy_spec.rb
@@ -17,8 +17,10 @@ describe 'designate::policy' do
 
     it 'set up the policies' do
       is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
-        :key   => 'context_is_admin',
-        :value => 'foo:bar'
+        :key        => 'context_is_admin',
+        :value      => 'foo:bar',
+        :file_user  => 'root',
+        :file_group => 'designate',
       })
       is_expected.to contain_oslo__policy('designate_config').with(
         :policy_file => '/etc/designate/policy.json',
@@ -27,15 +29,14 @@ describe 'designate::policy' do
   end
 
   on_supported_os({
-    :supported_os => OSDefaults.get_supported_os
+    :supported_os   => OSDefaults.get_supported_os
   }).each do |os,facts|
     context "on #{os}" do
       let (:facts) do
         facts.merge!(OSDefaults.get_facts())
       end
 
-      it_behaves_like 'designate policies'
+      it_configures 'designate policies'
     end
   end
-
 end