diff --git a/templates/newton/policy.json b/templates/newton/policy.json
index d288cb02ef305651cd58b9decce0b6d22bd72b11..a337aff224d5cac00efe35c0ea8c7721e21b3230 100644
--- a/templates/newton/policy.json
+++ b/templates/newton/policy.json
@@ -2,6 +2,7 @@
 {
     "admin_required": "role:{{ admin_role }}",
     "cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",
+    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
     "service_role": "role:service",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
@@ -37,17 +38,19 @@
 
     "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
-    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:get_project": "rule:admin_or_cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
+# Prova correzione issue list projects
+    "identity:list_projects": "rule:admin_or_cloud_admin or rule:admin_and_matching_domain_id",
     "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
-    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
-    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-
+    "identity:create_project": "rule:cloud_admin",
+    "identity:delete_project": "rule:cloud_admin",
+ #   "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
+    "identity:update_project": "rule:admin_or_cloud_admin or rule:admin_and_matching_target_project_domain_id",
+ #   "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
     "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
     "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
     "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
-    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_users": "rule:admin_or_cloud_admin or rule:admin_and_matching_domain_id",
     "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
     "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
     "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
@@ -55,7 +58,8 @@
     "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
     "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
     "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+#    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_groups": "rule:admin_or_cloud_admin or rule:admin_and_matching_domain_id",
     "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
     "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
     "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
@@ -120,7 +124,7 @@
     "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
     "admin_on_domain_of_project_filter" : "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
-    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
+    "identity:list_role_assignments_for_tree": "rule:admin_or_cloud_admin or rule:admin_on_domain_of_project_filter",
     "identity:get_policy": "rule:cloud_admin",
     "identity:list_policies": "rule:cloud_admin",
     "identity:create_policy": "rule:cloud_admin",
@@ -253,7 +257,7 @@
     "identity:update_endpoint": "rule:admin_required",
     "identity:delete_endpoint": "rule:admin_required",
 
-    "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
+    "identity:get_domain": "rule:admin_required",
     "identity:list_domains": "rule:admin_required",
     "identity:create_domain": "rule:admin_required",
     "identity:update_domain": "rule:admin_required",
@@ -266,7 +270,7 @@
     "identity:update_project": "rule:admin_required",
     "identity:delete_project": "rule:admin_required",
 
-    "identity:get_user": "rule:admin_or_owner",
+    "identity:get_user": "rule:admin_required",
     "identity:list_users": "rule:admin_required",
     "identity:create_user": "rule:admin_required",
     "identity:update_user": "rule:admin_required",
@@ -398,8 +402,8 @@
     "identity:get_auth_projects": "",
     "identity:get_auth_domains": "",
 
-    "identity:list_projects_for_user": "",
-    "identity:list_domains_for_user": "",
+    "identity:list_projects_for_groups": "",
+    "identity:list_domains_for_groups": "",
 
     "identity:list_revoke_events": "",
 
diff --git a/templates/ocata/policy.json b/templates/ocata/policy.json
index 1053fd6a512065dd2d033077877b9cfbef2405cb..95e898327209f7758caa86d87b7a89dd1a41273a 100644
--- a/templates/ocata/policy.json
+++ b/templates/ocata/policy.json
@@ -2,6 +2,9 @@
 {
     "admin_required": "role:{{ admin_role }}",
     "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",
+#GARR
+    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
+#### 
     "service_role": "role:service",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
@@ -37,17 +40,26 @@
 
     "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
-    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
-    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
+#GARR
+#    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
+    "identity:get_project": "rule:admin_or_cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
+#    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_projects": "rule:admin_or_cloud_admin or rule:admin_and_matching_domain_id",
+#    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
+#    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+#    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+    "identity:create_project": "rule:cloud_admin",
+    "identity:delete_project": "rule:cloud_admin,
+####
     "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-
+    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
     "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
     "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
     "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
-    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+#GARR
+#    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_users": "rule:admin_or_cloud_admin or rule:admin_and_matching_domain_id",
+####
     "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
     "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
     "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
@@ -55,7 +67,9 @@
     "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
     "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
     "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+#GARR
+#    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_groups": "rule:admin_or_cloud_admin or rule:admin_and_matching_domain_id",
     "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
     "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
     "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
@@ -122,7 +136,10 @@
     "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
     "admin_on_domain_of_project_filter" : "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
-    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
+#GARR
+#    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
+    "identity:list_role_assignments_for_tree": "rule:admin_or_cloud_admin or rule:admin_on_domain_of_project_filter",
+####
     "identity:get_policy": "rule:cloud_admin",
     "identity:list_policies": "rule:cloud_admin",
     "identity:create_policy": "rule:cloud_admin",