diff --git a/deployment/heat/heat-base-puppet.yaml b/deployment/heat/heat-base-puppet.yaml
index 0224f0ffd4..b9844cb307 100644
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
@@ -140,6 +140,17 @@ parameters:
 description: |
 Use the advanced (eventlet safe) memcached client pool.
 default: true
+ EnforceSecureRbac:
+ type: boolean
+ default: false
+ description: >-
+ Setting this option to True will configure each OpenStack service to
+ enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+ `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+ of RBAC personas across OpenStack services that include support for
+ system and project scope, as well as keystone's default roles, admin,
+ member, and reader. Do not enable this functionality until all services in
+ your deployment actually support secure RBAC.
 
 conditions:
 tls_cache_enabled:
@@ -156,6 +167,10 @@ outputs:
 service_name: heat_base
 config_settings:
 map_merge:
+ - if:
+ - {get_param: EnforceSecureRbac}
+ - heat::policy::enforce_scope: true
+ heat::policy::enforce_new_defaults: true
 - if:
 - cors_allowed_origin_set
 - heat::cors::allowed_origin: {get_param: HeatCorsAllowedOrigin}
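Review bot: The new `- if:` entry in map_merge has no false branch, so when EnforceSecureRbac is false the two `heat::policy::*` keys are dropped from config_settings rather than set to false; whether a deployment that later turns the parameter off actually reverts `[oslo_policy] enforce_scope` and `enforce_new_defaults` in heat.conf then depends on puppet-heat's defaults for those class parameters, which this hunk does not show. The sibling `cors_allowed_origin_set` entry uses the same two-branch form, so this may be deliberate, but for a policy-enforcement toggle it is worth confirming or making explicit with an else branch `- heat::policy::enforce_scope: false` / `heat::policy::enforce_new_defaults: false`. The inline `{get_param: EnforceSecureRbac}` also departs from the named-condition style of that sibling entry; declaring an `enforce_secure_rbac` condition in the existing `conditions:` section (visible in the first hunk's trailing context) would keep the file consistent. The enclosing `outputs:` block starts and ends outside the hunk.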