diff --git a/templates/queens/policy.json b/templates/queens/policy.json
index 1567e86674e83d7514d5d37240bb2b42006032b8..ce2afb32eee52b81026b4bdff500d51559c24e84 100644
--- a/templates/queens/policy.json
+++ b/templates/queens/policy.json
@@ -1,6 +1,11 @@
 {
     "admin_required": "role:{{ admin_role }}",
     "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",
+#GARR Roles
+    "reg_admin_required": "role:Region_admin",
+    "dom_admin_required": "role:Domain_admin",
+    "prj_admin_required": "role:Project_admin",
+#### 
     "service_role": "role:service",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
@@ -40,7 +45,8 @@
     "identity:update_limits": "rule:admin_required",
     "identity:delete_limit": "rule:admin_required",
 
-    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
+#    "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
+    "identity:get_domain": "",
     "identity:list_domains": "rule:cloud_admin",
     "identity:create_domain": "rule:cloud_admin",
     "identity:update_domain": "rule:cloud_admin",
@@ -48,12 +54,16 @@
 
     "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
-    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
-    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
-    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
-    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
-    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+#    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
+    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_required or project_id:%(target.project.id)s",
+#    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_projects": "rule:admin_required or rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_user_projects": "rule:cloud_admin or rule:owner or rule:admin_and_matching_domain_id",
+    "identity:create_project": "rule:admin_required or rule:cloud_admin or rule:admin_and_matching_project_domain_id",
+#    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+    "identity:update_project": "rule:admin_required or rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+#    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
+    "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_required and project_id:%(project_id)s",           
     "identity:create_project_tag": "rule:admin_required",
     "identity:delete_project_tag": "rule:admin_required",
     "identity:get_project_tag": "rule:admin_required",
@@ -64,7 +74,8 @@
     "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
     "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
     "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
-    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+#    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_users": "rule:admin_required or rule:cloud_admin or rule:admin_and_matching_domain_id",       
     "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
     "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
     "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
@@ -72,7 +83,8 @@
     "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
     "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
     "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+#    "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
+    "identity:list_groups": "rule:admin_required or rule:cloud_admin or rule:admin_and_matching_domain_id", 
     "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
     "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
     "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
@@ -133,29 +145,43 @@
 
     "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
     "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
-    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
+#    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
+    "identity:create_grant": "rule:cloud_admin_grant_reg_adm or rule:reg_admin_grant_dom_adm or rule:dom_admin_grant_prj_adm or rule:admin_grant_member", 
     "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
     "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
     "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
     "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
     "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
     "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
-    "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
+#    "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
+    "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(target.project.id)s",  
     "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
     "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
     "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
-
+    "cloud_admin_grant_reg_adm": "rule:cloud_admin",
+    "reg_admin_grant_dom_adm": "role:Region_admin and rule:dom_prj_mem",
+    "dom_admin_grant_prj_adm": "role:admin and rule:prj_mem",
+    "admin_grant_member": "role:admin and 'Member':%(target.role.name)s",
+    "dom_prj_mem":"'Member':%(target.role.name)s or 'Project_admin':%(target.role.name)s or 'Domain_admin':%(target.role.name)s",
+    "prj_mem":"'Member':%(target.role.name)s or 'Project_admin':%(target.role.name)s",
+    
+    "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
+    "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
+    "admin_on_domain_of_project_filter" : "rule:admin_required and domain_id:%(target.project.domain_id)s",                                                                      
+    
     "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
     "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
     "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
     "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
-    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
+#    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
+    "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_required",                            
     "identity:get_policy": "rule:cloud_admin",
     "identity:list_policies": "rule:cloud_admin",
     "identity:create_policy": "rule:cloud_admin",
     "identity:update_policy": "rule:cloud_admin",
     "identity:delete_policy": "rule:cloud_admin",
 
+    "identity:change_password": "rule:owner", 
     "identity:check_token": "rule:admin_or_owner",
     "identity:validate_token": "rule:service_admin_or_owner",
     "identity:validate_token_head": "rule:service_or_admin",