Diffstat (limited to 'heat/policies/base.py')
-rw-r--r--heat/policies/base.py36
1 files changed, 35 insertions, 1 deletions
diff --git a/heat/policies/base.py b/heat/policies/base.py
index 7f4d8643d..cdc3b9f7d 100644
--- a/heat/policies/base.py
+++ b/heat/policies/base.py
@@ -18,11 +18,45 @@ RULE_DENY_STACK_USER = 'rule:deny_stack_user'
RULE_DENY_EVERYBODY = 'rule:deny_everybody'
RULE_ALLOW_EVERYBODY = 'rule:allow_everybody'
+# Check strings that embody common personas
+SYSTEM_ADMIN = 'role:admin and system_scope:all'
+SYSTEM_READER = 'role:reader and system_scope:all'
+PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
+PROJECT_READER = 'role:reader and project_id:%(project_id)s'
+
+# Heat personas
+PROJECT_ADMIN = 'role:admin and project_id:%(project_id)s'
+PROJECT_STACK_USER = 'role:heat_stack_user and project_id:%(project_id)s'
+
+# Composite check strings that are useful for policies that protect APIs that
+# operate at different scopes.
+SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
+ '(' + SYSTEM_ADMIN + ')'
+ ' or (' + PROJECT_MEMBER + ')'
+)
+SYSTEM_OR_PROJECT_READER = (
+ '(' + SYSTEM_READER + ')'
+ ' or (' + PROJECT_READER + ')'
+)
+SYSTEM_ADMIN_OR_PROJECT_MEMBER_OR_STACK_USER = (
+ '(' + SYSTEM_ADMIN + ')'
+ ' or (' + PROJECT_MEMBER + ')'
+ ' or (' + PROJECT_STACK_USER + ')'
+)
+SYSTEM_OR_PROJECT_READER_OR_STACK_USER = (
+ '(' + SYSTEM_READER + ')'
+ ' or (' + PROJECT_READER + ')'
+ ' or (' + PROJECT_STACK_USER + ')'
+)
+
rules = [
policy.RuleDefault(
name="context_is_admin",
- check_str="role:admin and is_admin_project:True",
+ check_str=(
+ "(role:admin and is_admin_project:True) OR "
+ "(" + SYSTEM_ADMIN + ")"
+ ),
description="Decides what is required for the 'is_admin:True' check "
"to succeed."),
policy.RuleDefault(