diff --git a/defaults/main.yml b/defaults/main.yml
index c56738d4..7d8fdd9f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -210,6 +210,14 @@ nova_scheduler_program_name: nova-scheduler
 # nova_metadata_workers: 16
+## Policy vars
+# Provide a list of access controls to update the default policy.json with. These changes will be merged
+# with the access controls in the default policy.json. E.g.
+#nova_policy_overrides:
+# "compute:create": ""
+# "compute:create:attach_network": ""
+
+
 ## Service Names
 nova_service_names:
 - "{{ nova_metadata_program_name }}"
diff --git a/tasks/nova_post_install.yml b/tasks/nova_post_install.yml
index 72b1bfcb..540433bc 100644
--- a/tasks/nova_post_install.yml
+++ b/tasks/nova_post_install.yml
@@ -26,7 +26,6 @@
 - { src: "rootwrap.d/baremetal-deploy-helper.filters", dest: "/etc/nova/rootwrap.d/baremetal-deploy-helper.filters" }
 - { src: "rootwrap.d/compute.filters", dest: "/etc/nova/rootwrap.d/compute.filters" }
 - { src: "rootwrap.d/network.filters", dest: "/etc/nova/rootwrap.d/network.filters" }
- - { src: "policy.json", dest: "/etc/nova/policy.json" }
 - { src: "api-paste.ini", dest: "/etc/nova/api-paste.ini" }
 notify: Restart nova services
 tags:
@@ -45,3 +44,20 @@
 tags:
 - nova-config
 - nova-post-install
+
+- name: Apply updates to Policy file
+ copy_updates:
+ content="{{ item.content }}"
+ updates="{{ item.policy_data }}"
+ dest="{{ item.dest }}"
+ owner="{{ nova_system_user_name }}"
+ group="{{ nova_system_group_name }}"
+ mode="{{ item.mode|default('0644') }}"
+ with_items:
+ - { content: "{{ lookup('file', 'policy.json') | b64encode }}", policy_data: "{{ nova_policy_overrides|default('') }}", dest: "/etc/nova/policy.json" }
+ notify:
+ - Restart nova services
+ tags:
+ - nova-config
+ - nova-post-install
+
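Review bot: The commented example for `nova_policy_overrides` in defaults/main.yml sets both rules to `""` without saying what an empty rule means. In oslo.policy an empty rule string always passes, so an operator who copies the example as a template for other keys opens those actions to every authenticated caller. Because the overrides are merged into the shipped policy.json, the comment block should say so, for instance `# NOTE: an empty rule ("") matches every request; use an explicit check such as "role:admin" to restrict an action.`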
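Review bot: The new `copy_updates` task in tasks/nova_post_install.yml passes its arguments as a `key=value` string and falls back to `default('')` for `nova_policy_overrides`. A variable documented as a mapping therefore reaches the module as an empty string or as a rendered string that the module has to parse back. copy_updates is not defined in this diff, so how it parses `updates` cannot be checked here; structured YAML arguments with `default({})` would keep the type intact, assuming the module accepts them. `item.mode` is never set by the single item, so the file is always written 0644; 0640 is probably enough given the nova owner and group, unless something outside that group reads it. Nothing visible validates the merged JSON before the handler restarts the nova services, so a malformed or overly permissive override goes live on the next run.

```yaml
- name: Apply updates to Policy file
  copy_updates:
    content: "{{ item.content }}"
    updates: "{{ item.policy_data }}"
    dest: "{{ item.dest }}"
    owner: "{{ nova_system_user_name }}"
    group: "{{ nova_system_group_name }}"
    mode: "{{ item.mode | default('0644') }}"
  with_items:
    - content: "{{ lookup('file', 'policy.json') | b64encode }}"
      policy_data: "{{ nova_policy_overrides | default({}) }}"
      dest: "/etc/nova/policy.json"
  # … unchanged: notify and tags …
```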