[barbican] Question about container policy rule:container_acl_read
Hi,

I have a question about the policy for container consumers. Am I understanding correctly that the policy below, from the code, should allow users with read ACL to create a consumer for a container?

    policy.DocumentedRuleDefault(
        name='consumers:post',
        check_str='rule:admin or rule:container_non_private_read or ' +
                  'rule:container_project_creator or ' +
                  'rule:container_project_admin or rule:container_acl_read',
        scope_types=[],
        description='Creates a consumer.',
        operations=[
            {
                'path': '/v1/containers/{container-id}/consumers',
                'method': 'POST'
            }
        ]
    ),
    policy.RuleDefault(
        name='container_acl_read',
        check_str="'read':%(target.container.read)s"),

It's not working for me, and I want to be sure whether I'm doing something wrong or it's designed to work another way.

My current solution is the policy below, which allows the role 'creator' to update consumers:

    {"consumers:post": "rule:admin or rule:creator or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"}

Greets,
Krzysztof Pawłowski