diff --git a/nova/policies/pause_server.py b/nova/policies/pause_server.py
index ce82e2da07e7..2eea90353544 100644
--- a/nova/policies/pause_server.py
+++ b/nova/policies/pause_server.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-pause-server:%s'
 pause_server_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'pause',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
         description="Pause a server",
         operations=[
             {
@@ -36,7 +36,7 @@ pause_server_policies = [
     ),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unpause',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
         description="Unpause a paused server",
         operations=[
             {
diff --git a/nova/tests/unit/policies/test_pause_server.py b/nova/tests/unit/policies/test_pause_server.py
index 5f2f4cd132af..e279206612fb 100644
--- a/nova/tests/unit/policies/test_pause_server.py
+++ b/nova/tests/unit/policies/test_pause_server.py
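Review bot: Both hunks (`pause` at -24 and `unpause` at -36) tighten `check_str` from `base.RULE_ADMIN_OR_OWNER` to `base.PROJECT_MEMBER_OR_SYSTEM_ADMIN`, but neither hunk shows a `deprecated_rule`/`deprecated_reason`/`deprecated_since` on the `policy.DocumentedRuleDefault`, so I cannot tell from here whether the previous default is still honoured during the migration window. The new test class setting `without_deprecated_rules = True` suggests a deprecated rule is expected to exist; please confirm it is declared outside the hunk (the enclosing `DocumentedRuleDefault(...)` calls continue past the hunk) or add it, otherwise an operator upgrading with the old overrides silently loses pause/unpause access for callers that only matched the legacy admin-or-owner rule. The `description` strings are unchanged; since the effective audience of these rules changes, consider extending them, e.g. `description="Pause a server (project member or system admin)"`, so generated policy docs reflect the new default.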
@@ -117,3 +117,27 @@ class PauseServerScopeTypePolicyTest(PauseServerPolicyTest):
     def setUp(self):
         super(PauseServerScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class PauseServerNoLegacyPolicyTest(PauseServerScopeTypePolicyTest):
+    """Test Pause Server APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(PauseServerNoLegacyPolicyTest, self).setUp()
+        # Check that system admin or server owner is able to pause/unpause
+        # the sevrer
+        self.admin_or_owner_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system/admin/owner is not able to pause/unpause
+        # the server
+        self.admin_or_owner_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.other_project_member_context, self.project_reader_context,
+            self.project_foo_context
+        ]
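Review bot: The comment above `self.admin_or_owner_authorized_contexts` misspells server (`# the sevrer`) and understates the list it describes, which also grants `self.project_admin_context`; suggest `# Check that system admin, project admin or project member is able to` / `# pause/unpause the server`. The most security-relevant assertion in this class is that `self.legacy_admin_context` now sits in the unauthorized list, yet the comment above that list only says "non-system/admin/owner", which reads as if admins are still allowed; a line such as `# legacy admin is denied here because the deprecated rules are not loaded` next to it would make the intent explicit for anyone reading the list without the class docstring. The reason legacy admin is denied is inferred from the class docstring rather than visible in the hunk, so word the comment to match whatever the fixture actually does.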