diff --git a/resources/keystone.yaml b/resources/keystone.yaml
index 460a6a2..b2b2fba 100644
--- a/resources/keystone.yaml
+++ b/resources/keystone.yaml
@@ -1,4 +1,6 @@
 # default rules
 # https://docs.openstack.org/keystone/ussuri/configuration/policy.html
-"identity:update_user": "rule:admin_or_owner"
+context_is_tenantLead: role:tenantLead
+
+identity:update_user: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) or (rule:context_is_tenantLead and project_id:%(target.project.id)s)
diff --git a/resources/nova.yaml b/resources/nova.yaml
index 384d1c8..cad9cf3 100644
--- a/resources/nova.yaml
+++ b/resources/nova.yaml
@@ -2,6 +2,7 @@
 # https://docs.openstack.org/nova/ussuri/configuration/policy.html
 context_is_tenantLead: role:tenantLead
+
 os_compute_api:os-admin-actions:reset_state: rule:context_is_tenantLead or rule:system_admin_api
 os_compute_api:os-aggregates:index: rule:context_is_tenantLead or rule:system_reader_api
 os_compute_api:os-aggregates:show: rule:context_is_tenantLead or rule:system_reader_api
diff --git a/scripts/post-deployment/hosts b/scripts/post-deployment/hosts
index dce6441..6c498b2 100644
--- a/scripts/post-deployment/hosts
+++ b/scripts/post-deployment/hosts
@@ -8,3 +8,6 @@
 10.0.1.218 neutron.example.com
 10.0.1.219 nova.example.com
 10.0.1.220 gnocchi.example.com
+10.0.1.221 contrail.example.com
+10.0.1.222 placement.example.com
+10.0.1.223 placement.example.com
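Review bot: The third clause of the new `identity:update_user` rule in resources/keystone.yaml compares the token's project with `%(target.project.id)s`, but the target of this API is a user and the other clauses on the same line key on `target.user.domain_id`; users belong to domains rather than projects, so I would not expect a project id to be present in that target. If the key is absent, oslo.policy evaluates the check as failed and the tenantLead branch never grants; if a deployment does populate it, a tenantLead could change the password or enabled flag of any user for which the check passes, including accounts that hold admin. The rule also drops whatever owner match `rule:admin_or_owner` provided, which is worth confirming as intended. I would either remove the clause or scope it on an attribute of the user, for example `(rule:context_is_tenantLead and token.domain.id:%(target.user.domain_id)s)`, and add a comment above the rule such as `# tenantLead may update users only within <intended scope>`.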
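Review bot: The last two added lines in scripts/post-deployment/hosts both map `placement.example.com`, once to 10.0.1.222 and once to 10.0.1.223; a resolver reading a hosts file normally returns the first match, so the second address would never be used for that name. Every other entry in view pairs one address with one service, so this looks like a copy-paste slip where the final line was meant for a different service, in which case it should read `10.0.1.223 <service>.example.com` with the intended name. If two placement endpoints are really intended, a hosts file will not balance between them and a comment saying so would help. The file continues above the hunk, so an earlier duplicate cannot be ruled out from here.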