Folks, I am trying to give permission to end users to create fixed IP ports and attach to VMs but so far no luck. Release: Zed (OVN based deployment) I have added following in policy.yml file in neutron server "create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared" "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared" "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared" $ openstack port create --network public-network-1 --fixed-ip subnet=dba7a427-dccb-4a5a-a8e0-23fcda64666d,ip-address=xx.xx.xx.xx my-port1 ForbiddenException: 403: Client Error for url: http://192.168.18.100:9696/v2.0/ports, (rule:create_port and (rule:create_port:fixed_ips and (rule:create_port:fixed_ips:subnet_id and rule:create_port:fixed_ips:ip_address))) is disallowed by policy I found some reference bug but not sure they are fixed or not: https://bugs.launchpad.net/neutron/+bug/1833455