diff --git a/handlers/main.yml b/handlers/main.yml
index e127913..aff4b4d 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -22,3 +22,12 @@
   with_items: "{{ filtered_heat_services }}"
   listen:
     - "venv changed"
+
+# NOTE (noonedeadpunk): Remove this task after Xena release
+- name: Remove obsoleted policy.json
+  file:
+    path: "/etc/heat/policy.json"
+    state: absent
+  listen:
+    - "Restart heat services"
+    - "venv changed"
diff --git a/tasks/heat_post_install.yml b/tasks/heat_post_install.yml
index dacb0bb..ce7c4e1 100644
--- a/tasks/heat_post_install.yml
+++ b/tasks/heat_post_install.yml
@@ -26,12 +26,27 @@
     - Restart heat services
     - Restart uwsgi services
 
-- name: Implement policy.json if there are overrides configured
-  copy:
-    content: "{{ heat_policy_overrides | to_nice_json }}"
-    dest: "/etc/heat/policy.json"
+- name: Implement policy.yaml if there are overrides configured
+  config_template:
+    content: "{{ heat_policy_overrides }}"
+    dest: "/etc/heat/policy.yaml"
+    owner: "root"
+    group: "{{ heat_system_group_name }}"
+    mode: "0640"
+    config_type: yaml
   when:
-    - heat_policy_overrides != {}
+    - heat_policy_overrides | length > 0
+  tags:
+    - heat-policy-override
+
+- name: Remove legacy policy.yaml file
+  file:
+    path: "/etc/heat/policy.yaml"
+    state: absent
+  when:
+    - heat_policy_overrides | length == 0
+  tags:
+    - heat-policy-override
 
 # NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
 #                  because we only want to copy the original files once. and we