diff --git a/templates/rocky/keystonev3_policy.json b/templates/rocky/keystonev3_policy.json
index b2ecfbe7..541d4921 100644
--- a/templates/rocky/keystonev3_policy.json
+++ b/templates/rocky/keystonev3_policy.json
@@ -1,11 +1,11 @@
 {
 "admin_required": "role:Admin",
- "cloud_admin": "rule:admin_required and rule:domain_id:{{ admin_domain_id }}",
+ "cloud_admin": "rule:admin_required and domain_id:{{ admin_domain_id }}",
 "service_role": "role:service",
 "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "rule:user_id:%(user_id)s or rule:user_id:%(target.token.user_id)s",
- "admin_or_owner": "(rule:admin_required and rule:domain_id:%(target.token.user.domain.id)s) or rule:owner",
- "admin_and_matching_domain_id": "rule:admin_required and rule:domain_id:%(domain_id)s",
+ "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
+ "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
+ "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
 "service_admin_or_owner": "rule:service_or_admin or rule:owner",
 "default": "rule:admin_required",
@@ -130,7 +130,7 @@
 "identity:revocation_list": "rule:service_or_admin",
 "identity:revoke_token": "rule:admin_or_owner",
- "identity:create_trust": "rule:user_id:%(trust.trustor_user_id)s",
+ "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
 "identity:list_trusts": "",
 "identity:list_roles_for_trust": "",
 "identity:get_role_for_trust": "",
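Review bot: No test in this change pins the checks it activates in `cloud_admin`, `owner`, `admin_or_owner` and `admin_and_matching_domain_id`, nor the one in `identity:create_trust` in the second hunk. The old `rule:domain_id:…` and `rule:user_id:…` terms referenced rule names that are not defined in the visible lines, and as far as I know oslo.policy treats an undefined rule reference as a failed check, so these terms presumably never matched before and now can. Every policy entry in the unshown part of the file that refers to `rule:owner`, `rule:admin_or_owner` or `rule:cloud_admin` therefore moves from deny to conditional allow. A functional test should assert that a non-admin user is accepted only for their own `user_id` and that an admin scoped to one domain is refused on a target in another. Separately, `cloud_admin` now depends on what `{{ admin_domain_id }}` renders to, so the rendering code should refuse to write the file when that value is empty or unset; no such guard is visible here.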