diff --git a/etc/freezer/policy.json b/etc/freezer/policy.json
index d3d82dde..a10a50ec 100644
--- a/etc/freezer/policy.json
+++ b/etc/freezer/policy.json
@@ -1,9 +1,4 @@
 {
-    "backups:get_all": "",
-    "backups:create": "",
-    "backups:get": "",
-    "backups:delete": "",
-
     "clients:get_all": "",
     "clients:create": "",
     "clients:get": "",
diff --git a/freezer_api/common/policies/__init__.py b/freezer_api/common/policies/__init__.py
index 0655c8f4..93986d97 100644
--- a/freezer_api/common/policies/__init__.py
+++ b/freezer_api/common/policies/__init__.py
@@ -18,6 +18,7 @@
 import itertools
 
 from freezer_api.common.policies import action
+from freezer_api.common.policies import backup
 from freezer_api.common.policies import base
 from freezer_api.common.policies import job
 from freezer_api.common.policies import session
@@ -26,6 +27,7 @@ from freezer_api.common.policies import session
 def list_rules():
     return itertools.chain(
         action.list_rules(),
+        backup.list_rules(),
         base.list_rules(),
         job.list_rules(),
         session.list_rules()
diff --git a/freezer_api/common/policies/backup.py b/freezer_api/common/policies/backup.py
new file mode 100644
index 00000000..e0de95b1
--- /dev/null
+++ b/freezer_api/common/policies/backup.py
@@ -0,0 +1,69 @@
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+from oslo_policy import policy
+
+from freezer_api.common.policies import base
+
+BACKUPS = 'backups:%s'
+
+rules = [
+    policy.DocumentedRuleDefault(
+        name=BACKUPS % 'create',
+        check_str=base.UNPROTECTED,
+        description='Creates backup entry.',
+        operations=[
+            {
+                'path': '/v1/backups',
+                'method': 'POST'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BACKUPS % 'delete',
+        check_str=base.UNPROTECTED,
+        description='Delete backup.',
+        operations=[
+            {
+                'path': '/v1/backups/{backup_id}',
+                'method': 'DELETE'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BACKUPS % 'get',
+        check_str=base.UNPROTECTED,
+        description='Show backups.',
+        operations=[
+            {
+                'path': '/v1/backups/{backup_id}',
+                'method': 'GET'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=BACKUPS % 'get_all',
+        check_str=base.UNPROTECTED,
+        description='Lists backups.',
+        operations=[
+            {
+                'path': '/v1/backups',
+                'method': 'GET'
+            }
+        ]
+    )
+]
+
+
+def list_rules():
+    return rules