1 files changed, 8 insertions, 8 deletions

diff --git a/nova/policies/flavor_access.py b/nova/policies/flavor_access.py
index b70ae71811..e7044d0cec 100644
--- a/nova/policies/flavor_access.py
+++ b/nova/policies/flavor_access.py
@@ -25,8 +25,8 @@ POLICY_ROOT = 'os_compute_api:os-flavor-access:%s'
 # NOTE(gmann): Deprecating this policy explicitly as old defaults
 # admin or owner is not suitable for that which should be admin (Bug#1867840)
 # but changing that will break old deployment so let's keep supporting
-# the old default also and new default can be SYSTEM_READER
-# SYSTEM_READER rule in base class is defined with the deprecated rule of admin
+# the old default also and new default can be System Admin.
+# System Admin rule in base class is defined with the deprecated rule of admin
 # not admin or owner which is the main reason that we need to explicitly
 # deprecate this policy here.
 DEPRECATED_REASON = """
@@ -45,7 +45,7 @@ DEPRECATED_FLAVOR_ACCESS_POLICY = policy.DeprecatedRule(
 flavor_access_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'add_tenant_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Add flavor access to a tenant",
         operations=[
             {
@@ -53,10 +53,10 @@ flavor_access_policies = [
                 'path': '/flavors/{flavor_id}/action (addTenantAccess)'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'remove_tenant_access',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Remove flavor access from a tenant",
         operations=[
             {
@@ -64,10 +64,10 @@ flavor_access_policies = [
                 'path': '/flavors/{flavor_id}/action (removeTenantAccess)'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.SYSTEM_READER,
+        check_str=base.ADMIN,
         description="""List flavor access information
 
 Allows access to the full list of tenants that have access
@@ -79,7 +79,7 @@ to a flavor via an os-flavor-access API.
                 'path': '/flavors/{flavor_id}/os-flavor-access'
             },
         ],
-        scope_types=['system'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FLAVOR_ACCESS_POLICY),
 ]