diff --git a/armada/common/policies/base.py b/armada/common/policies/base.py index 3b035367..c929cde8 100644 --- a/armada/common/policies/base.py +++ b/armada/common/policies/base.py @@ -18,13 +18,18 @@ RULE_ADMIN_REQUIRED = 'rule:admin_required' RULE_ADMIN_OR_TARGET_PROJECT = ( 'rule:admin_required or project_id:%(target.project.id)s') RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin' +RULE_ADMIN_VIEWER = 'rule:admin_viewer' rules = [ - policy.RuleDefault(name='admin_required', check_str='role:admin'), + policy.RuleDefault( + name='admin_required', check_str='role:admin or role:admin_ucp'), policy.RuleDefault( name='service_or_admin', check_str='rule:admin_required or rule:service_role'), policy.RuleDefault(name='service_role', check_str='role:service'), + policy.RuleDefault( + name='admin_viewer', + check_str='role:admin_ucp_viewer or {}'.format(RULE_SERVICE_OR_ADMIN)), ] diff --git a/armada/common/policies/service.py b/armada/common/policies/service.py index 00cdf753..34e5515d 100644 --- a/armada/common/policies/service.py +++ b/armada/common/policies/service.py @@ -25,7 +25,7 @@ armada_policies = [ }]), policy.DocumentedRuleDefault( name=base.ARMADA % 'validate_manifest', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.RULE_ADMIN_VIEWER, description='Validate manifest', operations=[{ 'path': '/api/v1.0/validatedesign/', diff --git a/armada/common/policies/tiller.py b/armada/common/policies/tiller.py index b1d9d4c1..fe9b2e6e 100644 --- a/armada/common/policies/tiller.py +++ b/armada/common/policies/tiller.py @@ -17,7 +17,7 @@ from armada.common.policies import base tiller_policies = [ policy.DocumentedRuleDefault( name=base.TILLER % 'get_status', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.RULE_ADMIN_VIEWER, description='Get Tiller status', operations=[{ 'path': '/api/v1.0/status/', 
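Review bot: The new `admin_viewer` entry is the only item in `rules` that assembles its check string with `.format(RULE_SERVICE_OR_ADMIN)`, while `service_or_admin` a few lines above spells the equivalent `rule:` reference out literally; for consistency and grep-ability write `check_str='role:admin_ucp_viewer or rule:service_or_admin'`, which is exactly the text the constant holds. A one-line comment on the rule would also help later policy reviews, e.g. `# Read-only access: the viewer role plus everything service_or_admin already grants`, making explicit that admin_viewer is a strict superset of the admin and service checks, so any operation moved to it stays reachable by admins. The `rules` list starts and ends inside the hunk, so no other entries are affected.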
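Review bot: `validate_manifest` is a POST operation (`/api/v1.0/validatedesign/`) that this hunk opens to the viewer role, but its `description` still reads like the admin-only operations around it; if validation is a dry run with no cluster side effects, record that where the weaker check is granted, e.g. `description='Validate manifest (read-only, nothing is applied)',`, so the generated policy sample justifies the grant. If the handler does write anything, the check should stay at `base.RULE_ADMIN_REQUIRED`; I cannot tell from the hunk which it is. The same switch to `base.RULE_ADMIN_VIEWER` is made for `tiller:get_status` and `tiller:get_release` in tiller.py, which are GET operations and read naturally as viewer-eligible, so no separate note there.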
@@ -25,7 +25,7 @@ tiller_policies = [ }]), policy.DocumentedRuleDefault( name=base.TILLER % 'get_release', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.RULE_ADMIN_VIEWER, description='Get Tiller release', operations=[{ 'path': '/api/v1.0/releases/', diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml index 0cb11ff5..cb063355 100644 --- a/charts/armada/values.yaml +++ b/charts/armada/values.yaml @@ -184,16 +184,17 @@ conf: 'pipeline:main': pipeline: authtoken armada-api policy: - admin_required: 'role:admin' + admin_required: 'role:admin or role:admin_ucp' + service_or_admin: 'rule:admin_required or rule:service_role' + service_role: 'role:service' + admin_viewer: 'role:admin_ucp_viewer or rule:service_or_admin' 'armada:create_endpoints': 'rule:admin_required' 'armada:rollback_release': 'rule:admin_required' 'armada:test_manifest': 'rule:admin_required' 'armada:test_release': 'rule:admin_required' - 'armada:validate_manifest': 'rule:admin_required' - service_or_admin: 'rule:admin_required or rule:service_role' - service_role: 'role:service' - 'tiller:get_released': 'rule:admin_required' - 'tiller:get_status': 'rule:admin_required' + 'armada:validate_manifest': 'rule:admin_viewer' + 'tiller:get_release': 'rule:admin_viewer' + 'tiller:get_status': 'rule:admin_viewer' pod: env: diff --git a/etc/armada/policy.yaml b/etc/armada/policy.yaml index 589ad21a..625caaa9 100644 --- a/etc/armada/policy.yaml +++ b/etc/armada/policy.yaml @@ -1,5 +1,5 @@ # -#"admin_required": "role:admin" +#"admin_required": "role:admin or role:admin_ucp" # #"service_or_admin": "rule:admin_required or rule:service_role" 
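Review bot: The `policy:` block now restates every RuleDefault from armada/common/policies/base.py, service.py and tiller.py verbatim, including the unchanged `service_or_admin` and `service_role` defaults, so the Helm override and the code defaults must be edited in lockstep and nothing detects drift between them. Either trim the block to the rules the chart actually wants to differ from the code, or record the dependency with a comment above `admin_required:`, e.g. `# Keep in sync with the RuleDefaults in armada/common/policies/*.py`. The rename of `tiller:get_released` to `tiller:get_release` looks like a genuine fix (the old key appears not to match any registered rule, so it never overrode the default) and deserves a mention in the change description.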
@@ -7,30 +7,33 @@ # #"service_role": "role:service" -# install manifest charts -# POST api/v1.0/apply/ +# +#"admin_viewer": "role:admin_ucp_viewer or rule:service_or_admin" + +# Install manifest charts +# POST /api/v1.0/apply/ #"armada:create_endpoints": "rule:admin_required" -# rollback release -# POST api/v1.0/rollback/{release} -#"armada:rollback_release": "rule:admin_required" +# Validate manifest +# POST /api/v1.0/validatedesign/ +#"armada:validate_manifest": "rule:admin_viewer" -# validate installed manifest -# POST /api/v1.0/validate/ -#"armada:validate_manifest": "rule:admin_required" - -# validate install manifest +# Test release # GET /api/v1.0/test/{release} #"armada:test_release": "rule:admin_required" -# validate install manifest +# Test manifest # POST /api/v1.0/tests/ #"armada:test_manifest": "rule:admin_required" -# Get tiller status -# GET /api/v1.0/status/ -#"tiller:get_status": "rule:admin_required" +# Rollback release +# POST /api/v1.0/rollback/{release} +#"armada:rollback_release": "rule:admin_required" -# Get tiller release +# Get Tiller status +# GET /api/v1.0/status/ +#"tiller:get_status": "rule:admin_viewer" + +# Get Tiller release # GET /api/v1.0/releases/ -#"tiller:get_release": "rule:admin_required" +#"tiller:get_release": "rule:admin_viewer"