diff --git a/doc/source/cli/index.rst b/doc/source/cli/index.rst
index ed7fca2652f4..a5b1d89bfc15 100644
--- a/doc/source/cli/index.rst
+++ b/doc/source/cli/index.rst
@@ -31,6 +31,7 @@ database.
 :maxdepth: 1
 nova-manage
+ nova-policy
 nova-status
 Service Daemons
diff --git a/doc/source/cli/nova-api-metadata.rst b/doc/source/cli/nova-api-metadata.rst
index 443792920cb9..f6f5d8afba24 100644
--- a/doc/source/cli/nova-api-metadata.rst
+++ b/doc/source/cli/nova-api-metadata.rst
@@ -36,6 +36,7 @@ Files
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/api-paste.ini``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-api-os-compute.rst b/doc/source/cli/nova-api-os-compute.rst
index 60996effd5f1..6564f03626c8 100644
--- a/doc/source/cli/nova-api-os-compute.rst
+++ b/doc/source/cli/nova-api-os-compute.rst
@@ -34,6 +34,7 @@ Files
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/api-paste.ini``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-api.rst b/doc/source/cli/nova-api.rst
index fa9a3ba24777..b10efc6b391c 100644
--- a/doc/source/cli/nova-api.rst
+++ b/doc/source/cli/nova-api.rst
@@ -34,6 +34,7 @@ Files
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/api-paste.ini``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-compute.rst b/doc/source/cli/nova-compute.rst
index 8b9fa4988068..f190949efa58 100644
--- a/doc/source/cli/nova-compute.rst
+++ b/doc/source/cli/nova-compute.rst
@@ -33,8 +33,12 @@ Options
 Files
 =====
+.. todo: We shouldn't have policy configuration in this non-API service, but
+ bug #1675486 means we do have one
+
 * ``/etc/nova/nova.conf``
 * ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-manage.rst b/doc/source/cli/nova-manage.rst
index 8995c570b3a3..e1ce77cdfc2f 100644
--- a/doc/source/cli/nova-manage.rst
+++ b/doc/source/cli/nova-manage.rst
@@ -1508,6 +1508,7 @@ within an environment.
 See Also
 ========
+:doc:`nova-policy(1) `,
 :doc:`nova-status(1) `
 Bugs
diff --git a/doc/source/cli/nova-novncproxy.rst b/doc/source/cli/nova-novncproxy.rst
index 03dcca0f228f..f2df84e2ccae 100644
--- a/doc/source/cli/nova-novncproxy.rst
+++ b/doc/source/cli/nova-novncproxy.rst
@@ -80,7 +80,6 @@ Files
 =====
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-policy.rst b/doc/source/cli/nova-policy.rst
new file mode 100644
index 000000000000..480c3b2d983f
--- /dev/null
+++ b/doc/source/cli/nova-policy.rst
@@ -0,0 +1,94 @@
+===========
+nova-policy
+===========
+
+.. program:: nova-policy
+Synopsis
+========
+
+::
+
+ nova-policy [...]
+Description
+===========
+
+:program:`nova-policy` is a tool that allows for inspection of policy file
+configuration. It provides a way to identify the actions available for a user.
+It does not require a running deployment: validation runs against the policy
+files typically located at ``/etc/nova/policy.yaml`` and in the
+``/etc/nova/policy.d`` directory. These paths are configurable via the
+``[oslo_config] policy_file`` and ``[oslo_config] policy_dirs`` configuration
+options, respectively.
+
+Options
+=======
+
+.. rubric:: General options
+
+.. include:: opts/common.rst
+
+.. rubric:: User options
+
+.. option:: --os-roles
+
+ Defaults to ``$OS_ROLES``.
+
+.. option:: --os-tenant-id
+
+ Defaults to ``$OS_TENANT_ID``.
+
+.. option:: --os-user-id
+
+ Defaults to ``$OS_USER_ID``.
+
+.. rubric:: Debugger options
+
+.. include:: opts/debugger.rst
+
+Commands
+========
+
+policy check
+------------
+
+::
+
+ nova-policy policy check [-h] [--api-name ]
+ [--target [...]
+
+Prints all passing policy rules for the given user.
+
+.. rubric:: Options
+
+.. option:: --api-name
+
+ Return only the passing policy rules containing the given API name.
+ If unspecified, all passing policy rules will be returned.
+
+.. option:: --target [...]
+
+ The target(s) against which the policy rule authorization will be tested.
+ The available targets are: ``project_id``, ``user_id``, ``quota_class``,
+ ``availability_zone``, ``instance_id``.
+ When ``instance_id`` is used, the other targets will be overwritten.
+ If unspecified, the given user will be considered as the target.
+
+Files
+=====
+
+* ``/etc/nova/nova.conf``
+* ``/etc/nova/policy.yaml``
+* ``/etc/nova/policy.d/``
+
+See Also
+========
+
+:doc:`nova-manage(1) `,
+:doc:`nova-status(1) `
+
+Bugs
+====
+
+* Nova bugs are managed at `Launchpad `__
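Review bot: The Description paragraph of the new page names the policy-location options as ``[oslo_config] policy_file`` and ``[oslo_config] policy_dirs``, but oslo.policy registers both options in the ``[oslo_policy]`` group; an operator who follows this page will put the settings in a section nothing reads and the tool will silently keep validating the default paths. Suggest `` ``[oslo_policy] policy_file`` and ``[oslo_policy] policy_dirs`` configuration`` for that line. The same wording should be checked against the man page text that conf.py now generates from this file.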
diff --git a/doc/source/cli/nova-scheduler.rst b/doc/source/cli/nova-scheduler.rst
index 41d3671d5d41..dd5cd468725e 100644
--- a/doc/source/cli/nova-scheduler.rst
+++ b/doc/source/cli/nova-scheduler.rst
@@ -33,7 +33,6 @@ Files
 =====
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-serialproxy.rst b/doc/source/cli/nova-serialproxy.rst
index 1d5d8bf0d993..f362b1b951ec 100644
--- a/doc/source/cli/nova-serialproxy.rst
+++ b/doc/source/cli/nova-serialproxy.rst
@@ -53,7 +53,6 @@ Files
 =====
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-spicehtml5proxy.rst b/doc/source/cli/nova-spicehtml5proxy.rst
index 162a2f4101b9..65173c8d336c 100644
--- a/doc/source/cli/nova-spicehtml5proxy.rst
+++ b/doc/source/cli/nova-spicehtml5proxy.rst
@@ -54,7 +54,6 @@ Files
 =====
 * ``/etc/nova/nova.conf``
-* ``/etc/nova/policy.yaml``
 * ``/etc/nova/rootwrap.conf``
 * ``/etc/nova/rootwrap.d/``
diff --git a/doc/source/cli/nova-status.rst b/doc/source/cli/nova-status.rst
index 96e9ae1258f6..6d50ccaf6828 100644
--- a/doc/source/cli/nova-status.rst
+++ b/doc/source/cli/nova-status.rst
@@ -151,7 +151,8 @@ Upgrade
 See Also
 ========
-:doc:`nova-manage(1) `
+:doc:`nova-manage(1) `,
+:doc:`nova-policy(1) `
 Bugs
 ====
diff --git a/doc/source/conf.py b/doc/source/conf.py
index 7cf71beb57b0..edae3254d91c 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -98,6 +98,10 @@ _man_pages = [
 'nova-rootwrap',
 'Root wrapper daemon for the OpenStack Compute service.',
 ),
+ (
+ 'nova-policy',
+ 'Inspect policy configuration for the OpenStack Compute services.',
+ ),
 (
 'nova-scheduler',
 'Server for the OpenStack Compute scheduler service.',
diff --git a/nova/cmd/policy.py b/nova/cmd/policy.py
index dee995b12114..051983d102e0 100644
--- a/nova/cmd/policy.py
+++ b/nova/cmd/policy.py
@@ -62,24 +62,26 @@ class PolicyCommands(object):
 'project_id', 'user_id', 'quota_class', 'availability_zone', 'instance_id']
- @cmd_common.args('--api-name', dest='api_name', metavar='',
- help='Will return only passing policy rules containing '
- 'the given API name.')
- @cmd_common.args('--target', nargs='+', dest='target', metavar='',
- help='Will return only passing policy rules for the '
- 'given target. The available targets are %s. When '
- '"instance_id" is used, the other targets will be '
- 'overwritten.' % ','.join(_ACCEPTABLE_TARGETS))
+ @cmd_common.args(
+ '--api-name', dest='api_name', metavar='',
+ help=(
+ 'Return only the passing policy rules containing the given API '
+ 'name. If unspecified, all passing policy rules will be returned.'
+ ),
+ )
+ @cmd_common.args(
+ '--target', nargs='+', dest='target', metavar='',
+ help=(
+ "The target(s) against which the policy rule authorization will "
+ "be tested. The available targets are: %s. When 'instance_id' is "
+ "used, the other targets will be overwritten. If unspecified, the "
+ "given user will be considered the target." % ', '.join(
+ _ACCEPTABLE_TARGETS
+ )
+ ),
+ )
 def check(self, api_name=None, target=None):
- """Prints all passing policy rules for the given user.
-
- :param api_name: If None, all passing policy rules will be printed,
- otherwise, only passing policies that contain the
- given api_name in their names.
- :param target: The target against which the policy rule authorization
- will be tested. If None, the given user will be
- considered as the target.
- """
+ """Prints all passing policy rules for the given user."""
 context = self._get_context()
 api_name = api_name or ''
 target = self._get_target(context, target)
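Review bot: The new one-line docstring on `check` drops the `:param api_name:` and `:param target:` entries, and their content now lives only in the argparse `help=` strings on the decorators, which a caller invoking `PolicyCommands.check()` directly (or reading the API docs) never sees. Keep a short parameter section under the summary, grounded in the `api_name = api_name or ''` and `self._get_target(context, target)` lines that follow: `:param api_name: Only rules whose name contains this string are printed; None or '' prints all passing rules.` and `:param target: Target values resolved by _get_target(); None means the given user is the target.` The `--target` decorator also switches to double-quoted string literals while the `--api-name` one above it keeps single quotes, which is worth making consistent within the same stack. The body of `check` continues past the end of the hunk.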
@@ -104,7 +106,7 @@ class PolicyCommands(object):
 policy authorization.
 :returns: None if the given target is None, otherwise returns a proper
- authorization target.
+ authorization target.
 :raises nova.exception.InvalidAttribute: if a key in the given target is
 not an acceptable.
 :raises nova.exception.InstanceNotFound: if 'instance_id' is given, and