diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
index 930b1a6b..fc1268c2 100644
--- a/templates/policy.json.j2
+++ b/templates/policy.json.j2
@@ -17,9 +17,11 @@
 
     "create_subnet": "rule:admin_or_network_owner",
     "create_subnet:segment_id": "rule:admin_only",
+    "create_subnet:service_types": "rule:admin_only",
     "get_subnet": "rule:admin_or_owner or rule:shared",
     "get_subnet:segment_id": "rule:admin_only",
     "update_subnet": "rule:admin_or_network_owner",
+    "update_subnet:service_types": "rule:admin_only",
     "delete_subnet": "rule:admin_or_network_owner",
 
     "create_subnetpool": "",
@@ -84,6 +86,7 @@
     "get_port:binding:vif_details": "rule:admin_only",
     "get_port:binding:host_id": "rule:admin_only",
     "get_port:binding:profile": "rule:admin_only",
+    "get_port:ipam_segment_id": "rule:admin_only",
     "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
     "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",