Who can do what? In OpenStack, it is the Policy engine that controls these decisions. A secure deployment means moving beyond the default policy provided with the base distribution. But how do you write policy rules that reflect your security decisions? In this presentation, Adam Young, a core Keystone developer from the Red Hat Identity Management team, explains the access control policy mechanism from start to finish: how Keystone separates authentication from authorization, why the default policy file is so simplistic, how to build policies that reflect your organization, and the capabilities and limitations of policy enforcement. We'll conclude with a view of the future of policy management in OpenStack.