diff --git a/cinder/tests/unit/policy.json b/cinder/tests/unit/policy.json
index 84f0841ea7e..db2cb448830 100644
--- a/cinder/tests/unit/policy.json
+++ b/cinder/tests/unit/policy.json
@@ -4,6 +4,7 @@
     "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
 
     "volume:create": "",
+    "volume:create_from_image": "",
     "volume:get": "rule:admin_or_owner",
     "volume:get_all": "",
     "volume:get_volume_metadata": "",
diff --git a/cinder/volume/api.py b/cinder/volume/api.py
index 9bf7f91c4ed..ed2bb5fcfec 100644
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@@ -215,7 +215,7 @@ class API(base.Base):
                cgsnapshot=None, multiattach=False, source_cg=None,
                group=None, group_snapshot=None, source_group=None):
 
-        check_policy(context, 'create')
+        check_policy(context, 'create_from_image' if image_id else 'create')
 
         # NOTE(jdg): we can have a create without size if we're
         # doing a create from snap or volume.  Currently
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 225257ff979..c38bfaba635 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -5,6 +5,7 @@
     "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
 
     "volume:create": "",
+    "volume:create_from_image": "",
     "volume:delete": "rule:admin_or_owner",
     "volume:force_delete": "rule:admin_api",
     "volume:get": "rule:admin_or_owner",