diff --git a/manifests/api.pp b/manifests/api.pp
index 4a3dcfac..a52e772f 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -22,10 +22,13 @@ class heat::api (
 
   include heat
   include heat::params
+  include heat::policy
 
   Heat_config<||> ~> Service['heat-api']
+  Class['heat::policy'] -> Service['heat-api']
 
   Package['heat-api'] -> Heat_config<||>
+  Package['heat-api'] -> Class['heat::policy']
   Package['heat-api'] -> Service['heat-api']
 
   if $use_ssl {
diff --git a/manifests/api_cfn.pp b/manifests/api_cfn.pp
index 7e5940e9..7477c9db 100644
--- a/manifests/api_cfn.pp
+++ b/manifests/api_cfn.pp
@@ -22,10 +22,13 @@ class heat::api_cfn (
 
   include heat
   include heat::params
+  include heat::policy
 
   Heat_config<||> ~> Service['heat-api-cfn']
+  Class['heat::policy'] -> Service['heat-api-cfn']
 
   Package['heat-api-cfn'] -> Heat_config<||>
+  Package['heat-api-cfn'] -> Class['heat::policy']
   Package['heat-api-cfn'] -> Service['heat-api-cfn']
 
   if $use_ssl {
diff --git a/manifests/api_cloudwatch.pp b/manifests/api_cloudwatch.pp
index 280bc29f..183fbe2e 100644
--- a/manifests/api_cloudwatch.pp
+++ b/manifests/api_cloudwatch.pp
@@ -22,10 +22,13 @@ class heat::api_cloudwatch (
 
   include heat
   include heat::params
+  include heat::policy
 
   Heat_config<||> ~> Service['heat-api-cloudwatch']
+  Class['heat::policy'] -> Service['heat-api-cloudwatch']
 
   Package['heat-api-cloudwatch'] -> Heat_config<||>
+  Package['heat-api-cloudwatch'] -> Class['heat::policy']
   Package['heat-api-cloudwatch'] -> Service['heat-api-cloudwatch']
 
   if $use_ssl {
diff --git a/manifests/policy.pp b/manifests/policy.pp
new file mode 100644
index 00000000..342f6080
--- /dev/null
+++ b/manifests/policy.pp
@@ -0,0 +1,28 @@
+# == Class: heat::policy
+#
+# Configure the heat policies
+#
+# === Parameters
+#
+# [*policies*]
+#   (optional) Set of policies to configure for heat
+#   Example : { 'heat-context_is_admin' => {'context_is_admin' => 'true'}, 'heat-default' => {'default' => 'rule:admin_or_owner'} }
+#   Defaults to empty hash.
+#
+# [*policy_path*]
+#   (optional) Path to the heat policy.json file
+#   Defaults to /etc/heat/policy.json
+#
+class heat::policy (
+  $policies    = {},
+  $policy_path = '/etc/heat/policy.json',
+) {
+
+  Openstacklib::Policy::Base {
+    file_path => $policy_path,
+  }
+  class { 'openstacklib::policy' :
+    policies => $policies,
+  }
+
+}
diff --git a/spec/classes/heat_api_cfn_spec.rb b/spec/classes/heat_api_cfn_spec.rb
index 53c3f732..11dadfbd 100644
--- a/spec/classes/heat_api_cfn_spec.rb
+++ b/spec/classes/heat_api_cfn_spec.rb
@@ -16,6 +16,7 @@ describe 'heat::api_cfn' do
 
       it { should contain_class('heat') }
       it { should contain_class('heat::params') }
+      it { should contain_class('heat::policy') }
 
       it { should contain_heat_config('heat_api_cfn/bind_host').with_value( params[:bind_host] ) }
       it { should contain_heat_config('heat_api_cfn/bind_port').with_value( params[:bind_port] ) }
diff --git a/spec/classes/heat_api_cloudwatch_spec.rb b/spec/classes/heat_api_cloudwatch_spec.rb
index dd9f078f..0fc412a8 100644
--- a/spec/classes/heat_api_cloudwatch_spec.rb
+++ b/spec/classes/heat_api_cloudwatch_spec.rb
@@ -16,6 +16,7 @@ describe 'heat::api_cloudwatch' do
 
       it { should contain_class('heat') }
       it { should contain_class('heat::params') }
+      it { should contain_class('heat::policy') }
 
       it { should contain_heat_config('heat_api_cloudwatch/bind_host').with_value( params[:bind_host] ) }
       it { should contain_heat_config('heat_api_cloudwatch/bind_port').with_value( params[:bind_port] ) }
diff --git a/spec/classes/heat_api_spec.rb b/spec/classes/heat_api_spec.rb
index 20d4caa1..d9caab4b 100644
--- a/spec/classes/heat_api_spec.rb
+++ b/spec/classes/heat_api_spec.rb
@@ -16,6 +16,7 @@ describe 'heat::api' do
 
       it { should contain_class('heat') }
       it { should contain_class('heat::params') }
+      it { should contain_class('heat::policy') }
 
       it { should contain_heat_config('heat_api/bind_host').with_value( params[:bind_host] ) }
       it { should contain_heat_config('heat_api/bind_port').with_value( params[:bind_port] ) }
diff --git a/spec/classes/heat_policy_spec.rb b/spec/classes/heat_policy_spec.rb
new file mode 100644
index 00000000..b556d213
--- /dev/null
+++ b/spec/classes/heat_policy_spec.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'heat::policy' do
+
+  shared_examples_for 'heat policies' do
+    let :params do
+      {
+        :policy_path => '/etc/heat/policy.json',
+        :policies    => {
+          'context_is_admin' => {
+            'key'   => 'context_is_admin',
+            'value' => 'foo:bar'
+          }
+        }
+      }
+    end
+
+    it 'set up the policies' do
+      should contain_class('openstacklib::policy').with({
+        :policies => params[:policies]
+      })
+    end
+  end
+
+  context 'on Debian platforms' do
+    let :facts do
+      { :osfamily => 'Debian' }
+    end
+
+    it_configures 'heat policies'
+  end
+
+  context 'on RedHat platforms' do
+    let :facts do
+      { :osfamily => 'RedHat' }
+    end
+
+    it_configures 'heat policies'
+  end
+end