diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index f0438a6f99..de02cd4e69 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -626,6 +626,10 @@ outputs:
 keystone::using_domain_config: True
 tripleo::profile::base::keystone::ldap_backends_config:
 get_param: KeystoneLDAPBackendConfigs
+ - if:
+ - {get_param: EnforceSecureRbac}
+ - keystone::policy::enforce_scope: true
+ keystone::policy::enforce_new_defaults: true
 - if:
 - change_password_upon_first_use_set
 - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
diff --git a/releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml b/releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml
new file mode 100644
index 0000000000..f2615a2150
--- /dev/null
+++ b/releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Keystone can now be configured to support secure RBAC `personas
+ `_
+ with the `EnforceSecureRbac` setting. Note that deployments with mixed permission
+ models will have unexpected side-effects. Setting this option won't have
+ meaningful effect until all services in your deployment support secure RBAC
+ personas.
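Review bot: The new `if` in keystone-container-puppet.yaml only writes `keystone::policy::enforce_scope` and `keystone::policy::enforce_new_defaults` when `EnforceSecureRbac` is true, so the false case is left to whatever default puppet-keystone and the deployed keystone release apply, which this template does not pin and which has not been the same across releases. Because flipping either flag changes which tokens are authorized against every keystone policy rule, an explicit else branch pins the legacy behaviour the operator is asking for: `- keystone::policy::enforce_scope: false` / `keystone::policy::enforce_new_defaults: false` as a third element of the `if` list, indented like the true branch. The hunk correctly sets both flags as a pair (scope enforcement is meaningless without the new defaults), and a short template comment above the `if`, such as `# enforce_scope and enforce_new_defaults are deliberately toggled together`, would keep a later edit from splitting them. The `EnforceSecureRbac` parameter is not declared in this hunk; if it is not a boolean-typed parameter, Heat will not accept `{get_param: EnforceSecureRbac}` as a condition, so that declaration is worth checking. The `outputs:` mapping this list belongs to starts and ends outside the hunk.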