diff --git a/manifests/params.pp b/manifests/params.pp
index 0d61acfb0..04d31fc42 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -8,6 +8,7 @@ class keystone::params {
   $keystone_group      = 'keystone'
   $keystone_wsgi_admin_script_path  = '/usr/bin/keystone-wsgi-admin'
   $keystone_wsgi_public_script_path = '/usr/bin/keystone-wsgi-public'
+  $group                            = 'keystone'
   case $::osfamily {
     'Debian': {
       $package_name                 = 'keystone'
diff --git a/manifests/policy.pp b/manifests/policy.pp
index a484208eb..2451d674b 100644
--- a/manifests/policy.pp
+++ b/manifests/policy.pp
@@ -29,13 +29,18 @@ class keystone::policy (
 ) {
 
   include ::keystone::deps
+  include ::keystone::params
 
   validate_hash($policies)
 
   Openstacklib::Policy::Base {
-    file_path => $policy_path,
+    file_path  => $policy_path,
+    file_user  => 'root',
+    file_group => $::keystone::params::group,
   }
 
   create_resources('openstacklib::policy::base', $policies)
+
   oslo::policy { 'keystone_config': policy_file => $policy_path }
+
 }
diff --git a/spec/classes/keystone_policy_spec.rb b/spec/classes/keystone_policy_spec.rb
index f36672500..53bb8f65d 100644
--- a/spec/classes/keystone_policy_spec.rb
+++ b/spec/classes/keystone_policy_spec.rb
@@ -17,8 +17,10 @@ describe 'keystone::policy' do
 
     it 'set up the policies' do
       is_expected.to contain_openstacklib__policy__base('context_is_admin').with({
-        :key   => 'context_is_admin',
-        :value => 'foo:bar'
+        :key        => 'context_is_admin',
+        :value      => 'foo:bar',
+        :file_user  => 'root',
+        :file_group => 'keystone',
       })
       is_expected.to contain_oslo__policy('keystone_config').with(
         :policy_file => '/etc/keystone/policy.json',
@@ -37,5 +39,4 @@ describe 'keystone::policy' do
       it_configures 'keystone policies'
     end
   end
-
 end