diff --git a/cinder/policy.py b/cinder/policy.py
index 1f4bea0501d..f1aa153e437 100644
--- a/cinder/policy.py
+++ b/cinder/policy.py
@@ -76,12 +76,15 @@ def enforce(context, action, target):
 """
 init()
- return _ENFORCER.enforce(action,
- target,
- context.to_policy_values(),
- do_raise=True,
- exc=exception.PolicyNotAuthorized,
- action=action)
+ try:
+ return _ENFORCER.enforce(action,
+ target,
+ context.to_policy_values(),
+ do_raise=True,
+ exc=exception.PolicyNotAuthorized,
+ action=action)
+ except policy.InvalidScope:
+ raise exception.PolicyNotAuthorized(action=action)
 def set_rules(rules, overwrite=True, use_conf=False):
diff --git a/cinder/tests/unit/test_policy.py b/cinder/tests/unit/test_policy.py
index 5901d439c27..bac57f8fc61 100644
--- a/cinder/tests/unit/test_policy.py
+++ b/cinder/tests/unit/test_policy.py
@@ -131,3 +131,28 @@ class PolicyTestCase(test.TestCase):
 roles=['AdMiN'])
 policy.authorize(admin_context, lowercase_action, self.target)
 policy.authorize(admin_context, uppercase_action, self.target)
+
+ def test_enforce_properly_handles_invalid_scope_exception(self):
+ self.fixture.config(enforce_scope=True, group='oslo_policy')
+ project_context = context.RequestContext(project_id='fake-project-id',
+ roles=['bar'])
+ policy.reset()
+ policy.init()
+ rule = oslo_policy.RuleDefault('foo', 'role:bar',
+ scope_types=['system'])
+ policy._ENFORCER.register_defaults([rule])
+
+ self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
+ project_context, 'foo', {})
+
+ def test_enforce_does_not_raise_forbidden(self):
+ self.fixture.config(enforce_scope=False, group='oslo_policy')
+ project_context = context.RequestContext(project_id='fake-project-id',
+ roles=['bar'])
+ policy.reset()
+ policy.init()
+ rule = oslo_policy.RuleDefault('foo', 'role:bar',
+ scope_types=['system'])
+ policy._ENFORCER.register_defaults([rule])
+
+ self.assertTrue(policy.enforce(project_context, 'foo', {}))
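Review bot: In cinder/policy.py, the new `except policy.InvalidScope:` branch of `enforce` drops the scope-mismatch detail before raising `PolicyNotAuthorized`, so a token used outside its scope looks the same as an ordinary role failure to anyone reading the logs. Binding it (`except policy.InvalidScope as err:`) and writing `err` to a debug-level log before the raise would keep the caller-visible result unchanged and preserve that signal; the module's imports and any logger are outside this hunk, so confirm one is available. A short comment above the handler, such as `# InvalidScope is raised instead of exc=, so map it to the same not-authorized error`, would record why the wrapper exists (that behaviour is inferred from the need for this change, not shown here). `authorize()` is not in this diff; if it reaches the enforcer without the same mapping, it should get one. The signature and docstring of `enforce` begin above the hunk.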
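Review bot: In cinder/tests/unit/test_policy.py, both new tests register a rule `foo` on the module-level `policy._ENFORCER` and never undo it, so whether it leaks into later tests depends on cleanup done by the base class, which is outside this hunk; adding `self.addCleanup(policy.reset)` after `policy.init()` would make each test self-contained. The second test's name, `test_enforce_does_not_raise_forbidden`, does not say what it pins; something like `test_enforce_ignores_scope_types_when_enforce_scope_disabled` states the condition. The two bodies differ only in the `enforce_scope` value and the final assertion, so the shared setup could move into a small helper. `PolicyTestCase` starts above the hunk.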
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 5ecd707f644..d0ccaec17cc 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -64,7 +64,7 @@ oslo.i18n==5.0.1
 oslo.log==4.4.0
 oslo.messaging==12.5.0
 oslo.middleware==4.1.1
-oslo.policy==3.6.0
+oslo.policy==3.6.2
 oslo.privsep==2.4.0
 oslo.reports==2.2.0
 oslo.rootwrap==6.2.0
diff --git a/requirements.txt b/requirements.txt
index 5e303247fb6..5f94eedeac5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -21,7 +21,7 @@ oslo.db>=8.4.0 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=12.5.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.6.0 # Apache-2.0
+oslo.policy>=3.6.2 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0