diff --git a/manifests/api.pp b/manifests/api.pp
index c24bde2f..8d376dbb 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -122,6 +122,10 @@
 #   (optional) CA certificate file to use to verify connecting clients
 #   Defaults to $::os_service_default
 #
+# [*enforce_secure_rbac*]
+#  (optional) Enabled enforcing authorization based on common RBAC personas.
+#  Defaults to $::os_service_default
+#
 # [*enabled_backends*]
 #   (optional) List of Key:Value pairs of store identifier and store type.
 #   Example: ['swift:swift', 'ceph1:ceph', 'ceph2:ceph']
@@ -315,6 +319,7 @@ class glance::api(
   $cert_file                            = $::os_service_default,
   $key_file                             = $::os_service_default,
   $ca_file                              = $::os_service_default,
+  $enforce_secure_rbac                  = $::os_service_default,
   $enabled_backends                     = undef,
   $default_backend                      = undef,
   $container_formats                    = $::os_service_default,
@@ -432,6 +437,7 @@ removed in a future realse. Use glance::api::db::database_max_overflow instead')
     'DEFAULT/location_strategy':          value => $location_strategy;
     'DEFAULT/scrub_time':                 value => $scrub_time;
     'DEFAULT/delayed_delete':             value => $delayed_delete;
+    'DEFAULT/enforce_secure_rbac':        value => $enforce_secure_rbac;
     'DEFAULT/cache_prefetcher_interval':  value => $cache_prefetcher_interval;
     'DEFAULT/image_cache_dir':            value => $image_cache_dir;
     'DEFAULT/image_cache_stall_time':     value => $image_cache_stall_time;
diff --git a/releasenotes/notes/add_enforce_secure_rbac_for_rbac_support-35bcf4ef4e25e435.yaml b/releasenotes/notes/add_enforce_secure_rbac_for_rbac_support-35bcf4ef4e25e435.yaml
new file mode 100644
index 00000000..2ef69598
--- /dev/null
+++ b/releasenotes/notes/add_enforce_secure_rbac_for_rbac_support-35bcf4ef4e25e435.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add ``enforce_secure_rbac`` parameter to enable enforcing authorization
+    based on common RBAC personas.
diff --git a/spec/classes/glance_api_spec.rb b/spec/classes/glance_api_spec.rb
index fd92b408..7adb7717 100644
--- a/spec/classes/glance_api_spec.rb
+++ b/spec/classes/glance_api_spec.rb
@@ -23,6 +23,7 @@ describe 'glance::api' do
       :purge_config                   => false,
       :delayed_delete                 => '<SERVICE DEFAULT>',
       :scrub_time                     => '<SERVICE DEFAULT>',
+      :enforce_secure_rbac            => '<SERVICE DEFAULT>',
       :image_cache_dir                => '/var/lib/glance/image-cache',
       :image_import_plugins           => '<SERVICE DEFAULT>',
       :image_conversion_output_format => '<SERVICE DEFAULT>',
@@ -65,6 +66,7 @@ describe 'glance::api' do
         :location_strategy              => 'store_type',
         :delayed_delete                 => 'true',
         :scrub_time                     => '10',
+        :enforce_secure_rbac            => 'true',
         :image_cache_dir                => '/tmp/glance',
         :image_import_plugins           => 'image_conversion',
         :image_conversion_output_format => 'raw',
@@ -125,6 +127,7 @@ describe 'glance::api' do
             'location_strategy',
             'delayed_delete',
             'scrub_time',
+            'enforce_secure_rbac',
             'image_cache_dir',
             'image_cache_stall_time',
             'image_cache_max_size',