diff --git a/aodh/api/controllers/v2/quotas.py b/aodh/api/controllers/v2/quotas.py
index 7e168cf6d..deac5510f 100644
--- a/aodh/api/controllers/v2/quotas.py
+++ b/aodh/api/controllers/v2/quotas.py
@@ -48,10 +48,9 @@ class QuotasController(rest.RestController):
 """
 request_project = pecan.request.headers.get('X-Project-Id')
 project_id = project_id if project_id else request_project
- is_admin = rbac.is_admin(pecan.request, pecan.request.enforcer)
-
- if project_id != request_project and not is_admin:
- raise base.ProjectNotAuthorized(project_id)
+ rbac.enforce(
+ 'get_quotas', pecan.request,
+ pecan.request.enforcer, {'project_id': project_id})
 
 LOG.debug('Getting resource quotas for project %s', project_id)
 
@@ -68,12 +67,12 @@ class QuotasController(rest.RestController):
 @wsme_pecan.wsexpose(Quotas, body=Quotas, status_code=201)
 def post(self, body):
 """Create or update quota."""
- rbac.enforce('update_quotas', pecan.request,
- pecan.request.enforcer, {})
-
 params = body.to_dict()
 project_id = params['project_id']
 
+ rbac.enforce('update_quotas', pecan.request,
+ pecan.request.enforcer, {'project_id': project_id})
+
 input_quotas = []
 for i in params.get('quotas', []):
 input_quotas.append(i.to_dict())
@@ -87,5 +86,5 @@ class QuotasController(rest.RestController):
 def delete(self, project_id):
 """Delete quotas for the given project."""
 rbac.enforce('delete_quotas', pecan.request,
- pecan.request.enforcer, {})
+ pecan.request.enforcer, {'project_id': project_id})
 pecan.request.storage.delete_quotas(project_id)
diff --git a/aodh/api/policies.py b/aodh/api/policies.py
index 2df7654ff..acd6c4fda 100644
--- a/aodh/api/policies.py
+++ b/aodh/api/policies.py
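Review bot: Nothing at the `rbac.enforce('get_quotas', ...)` call in `get_all` records that the target is the effective project (the query argument, else the caller's `X-Project-Id`), which is what stops a caller from reading another project's quotas; I would add `# Authorise against the project being read, which may differ from the caller's own project.` above it. The docstring starts above this hunk and may still describe the removed inline admin check, so it should be brought in line with the policy-driven behaviour. Denial no longer raises `base.ProjectNotAuthorized`; what `rbac.enforce` returns to the client is not visible in this diff, so confirm the status code and add a test for a non-admin caller requesting a foreign `project_id`.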
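Review bot: In `post`, and the same way in the `delete` hunk that follows, the policy target is now a project id supplied by the client, so `update_quotas` and `delete_quotas` move from a target-less admin check to one that can match on the caller's own project. The `check_str=PROJECT_ADMIN` shown for `telemetry:update_quotas` in policies.py is not defined on this page; if it matches on the caller's project, an admin-role holder scoped to a project can change that project's own limits, which should be confirmed as intended and pinned by a test. `params['project_id']` is also read before enforcement, so check that a body without a project id is rejected as a client error rather than reaching the enforcer; whether `Quotas` makes the field mandatory is not visible here. A comment such as `# The target is the project named in the body, not the caller's project.` above the call would make the trust boundary explicit; the rest of `post` lies outside the hunk.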
@@ -96,6 +96,12 @@ deprecated_query_alarm_history = policy.DeprecatedRule(
 deprecated_reason=DEPRECATED_REASON,
 deprecated_since=versionutils.deprecated.WALLABY
 )
+deprecated_get_quotas = policy.DeprecatedRule(
+ name="telemetry:get_quotas",
+ check_str=RULE_ADMIN_OR_OWNER,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since='Epoxy'
+)
 deprecated_update_quotas = policy.DeprecatedRule(
 name="telemetry:update_quotas",
 check_str=RULE_CONTEXT_IS_ADMIN,
@@ -281,6 +287,23 @@ rules = [
 ],
 deprecated_rule=deprecated_query_alarm_history
 ),
+ policy.DocumentedRuleDefault(
+ name="telemetry:get_quotas",
+ check_str=PROJECT_READER,
+ scope_types=['project'],
+ description='Get resources quotas for project.',
+ operations=[
+ {
+ 'path': '/v2/quotas',
+ 'method': 'Get'
+ },
+ {
+ 'path': '/v2/quotas/{project_id}',
+ 'method': 'Get'
+ }
+ ],
+ deprecated_rule=deprecated_get_quotas
+ ),
 policy.DocumentedRuleDefault(
 name="telemetry:update_quotas",
 check_str=PROJECT_ADMIN,
diff --git a/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml b/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml
new file mode 100644
index 000000000..1806cfb7f
--- /dev/null
+++ b/releasenotes/notes/get-quotas-policy-b0338f314ec06ae9.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ The new ``telemetry::get_quotas`` policy has been added.
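Review bot: `deprecated_since='Epoxy'` in `deprecated_get_quotas` is a bare string, while the rule directly above it in this hunk uses `versionutils.deprecated.WALLABY`; a constant would keep release names consistent, if the versionutils in use defines one for this release (not visible here). If the literal has to stay, a comment such as `# no versionutils constant for this release yet` would explain the difference. Since `telemetry:get_quotas` is introduced by this same commit, the deprecated rule appears to exist only to carry the previous admin-or-owner behaviour as a fallback, and a one-line comment saying so would help the next reader of the policy file.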
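Review bot: With `check_str=PROJECT_READER` and `scope_types=['project']` on the new `telemetry:get_quotas` default, an administrator reading another project's quotas appears to depend on the deprecated `RULE_ADMIN_OR_OWNER` fallback; neither constant is defined on this page, so confirm what operators get once deprecated defaults are no longer applied, and say so in the description. The description text also reads better as `description='Get resource quotas for a project.'`. The release note added by this commit spells the rule ``telemetry::get_quotas`` with a double colon, whereas the registered name is `telemetry:get_quotas`; an operator copying the name from the note into a policy file would define a rule that is never consulted.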