diff --git a/etc/mogan/README.policy.json.txt b/etc/mogan/README.policy.json.txt
new file mode 100644
index 00000000..ffc89cfb
--- /dev/null
+++ b/etc/mogan/README.policy.json.txt
@@ -0,0 +1,4 @@
+To generate the sample policy.json file, run the following command from the top
+level of the mogan directory:
+
+ tox -egenpolicy
diff --git a/etc/mogan/policy.json.sample b/etc/mogan/policy.json.sample
deleted file mode 100644
index f4400c5d..00000000
--- a/etc/mogan/policy.json.sample
+++ /dev/null
@@ -1,38 +0,0 @@
-# Legacy rule for cloud admin access
-"admin_api": "role:admin or role:administrator"
-# Internal flag for public API routes
-"public_api": "is_public_api:True"
-# Show or mask secrets within instance information in API responses
-"show_instance_secrets": "!"
-# any access will be passed
-"allow": "@"
-# all access will be forbidden
-"deny": "!"
-# Full read/write API access
-"is_admin": "rule:admin_api or (rule:is_member and role:mogan_admin)"
-# Admin or owner API access
-"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
-# Admin or user API access
-"admin_or_user": "is_admin:True or user_id:%(user_id)s"
-# Default API access rule
-"default": "rule:admin_or_owner"
-# Retrieve Instance records
-"mogan:instance:get": "rule:default"
-# View Instance power and provision state
-"mogan:instance:get_states": "rule:default"
-# Create Instance records
-"mogan:instance:create": "rule:allow"
-# Delete Instance records
-"mogan:instance:delete": "rule:default"
-# Update Instance records
-"mogan:instance:update": "rule:default"
-# Start an instance
-"mogan:instance:set_power_state:on": "rule:default"
-# Stop an instance
-"mogan:instance:set_power_state:off": "rule:default"
-# Reboot an instance
-"mogan:instance:set_power_state:reboot": "rule:default"
-# Get Instance network information
-"mogan:instance:get_networks": "rule:default"
-# Associate floating IP to instance
-"mogan:instance:associate_floatingip": "rule:default"
diff --git a/tools/config/mogan-policy-generator.conf b/tools/config/mogan-policy-generator.conf
new file mode 100644
index 00000000..4f2a5631
--- /dev/null
+++ b/tools/config/mogan-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/mogan/policy.json.sample
+namespace = mogan.api
diff --git a/tox.ini b/tox.ini
index 25f05eb2..09095ce0 100644
--- a/tox.ini
+++ b/tox.ini
@@ -72,7 +72,7 @@ commands =
 sitepackages = False
 envdir = {toxworkdir}/venv
 commands =
- oslopolicy-sample-generator --namespace=mogan.api --output-file=etc/mogan/policy.json.sample
+ oslopolicy-sample-generator --config-file=tools/config/mogan-policy-generator.conf

 [testenv:api-ref]
 # This environment is called from CI scripts to test and publish
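Review bot: `output_file = etc/mogan/policy.json.sample` in the new generator config is a relative path, so the sample only lands in the intended place when the generator is started from the repository root, and it recreates exactly the path this commit removes from the tree. Nothing in this diff adds that path to `.gitignore`, so a regenerated copy could be committed again and drift from the in-code defaults that operators read when they audit who may call each API; please confirm an ignore entry exists or add one. The config file also carries no comment saying what it is for; a header such as `# Input for oslopolicy-sample-generator; run "tox -egenpolicy" from the repo root.` would make that clear. If the generated output has the same shape as the removed sample (`#` comment lines, no enclosing braces), it is not strict JSON despite the `.json.sample` name, which is worth stating in the README.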