diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 0ed5b875..0607b547 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -361,12 +361,17 @@ conf:
 workflow_orchestrator:create_action: rule:admin_required
 workflow_orchestrator:get_action: rule:admin_required
 workflow_orchestrator:get_action_step: rule:admin_required
+ workflow_orchestrator:get_action_step_logs: rule:admin_required
 workflow_orchestrator:get_action_validation: rule:admin_required
 workflow_orchestrator:invoke_action_control: rule:admin_required
+ workflow_orchestrator:get_configdocs_status: rule:admin_required
 workflow_orchestrator:create_configdocs: rule:admin_required
 workflow_orchestrator:get_configdocs: rule:admin_required
 workflow_orchestrator:commit_configdocs: rule:admin_required
 workflow_orchestrator:get_renderedconfigdocs: rule:admin_required
+ workflow_orchestrator:list_workflows: rule:admin_required
+ workflow_orchestrator:get_workflow: rule:admin_required
+ workflow_orchestrator:get_site_statuses: rule:admin_required
 paste:
 app:shipyard-api:
 paste.app_factory: shipyard_airflow.shipyard_api:paste_start_shipyard
@@ -385,17 +390,6 @@ conf:
 service_type: armada
 drydock:
 service_type: physicalprovisioner
- verify_site_query_interval: 10
- verify_site_task_timeout: 60
- prepare_site_query_interval: 10
- prepare_site_task_timeout: 300
- prepare_node_query_interval: 30
- prepare_node_task_timeout: 1800
- deploy_node_query_interval: 30
- deploy_node_task_timeout: 3600
- destroy_node_query_interval: 30
- destroy_node_task_timeout: 900
- cluster_join_check_backoff_time: 120
 promenade:
 service_type: kubernetesprovisioner
 keystone_authtoken:
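Review bot: The added `workflow_orchestrator:*` entries carry no note that this list must track the actions registered in policy.py, and a drift between the two changes the effective decision for the unlisted action without any error being raised. I'd add above `workflow_orchestrator:create_action`: `# Keep in sync with ShipyardPolicy in shipyard_airflow/policy.py; an action absent here is presumably resolved from the code-registered default or, failing that, policy_default_rule.` The policy mapping starts before this hunk, so the comment may belong at its head rather than at the first visible entry.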
@@ -416,6 +410,11 @@ conf:
 worker_port: 8793
 k8s_logs:
 ucp_namespace: 'ucp'
+ oslo_policy:
+ policy_file: /etc/shipyard/policy.yaml
+ # If non-existent rule is used, the request should be denied. The
+ deny_all rule is hard coded in the policy.py code to allow no access.
+ policy_default_rule: deny_all
 airflow_config_file:
 path: /usr/local/airflow/airflow.cfg
 airflow:
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/policy.py b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
index 67ecac63..9d1dab08 100644
--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -49,13 +49,20 @@ class ShipyardPolicy(object):
 """
 RULE_ADMIN_REQUIRED = 'rule:admin_required'
+ RULE_DENY_ALL = 'rule:deny_all'
 # Base Policy
 base_rules = [
 policy.RuleDefault(
 'admin_required',
 'role:admin',
- description='Actions requiring admin authority'),
+ description='Actions requiring admin authority'
+ ),
+ policy.RuleDefault(
+ 'deny_all',
+ '!',
+ description='Rule to deny all access. Used for default denial'
+ ),
 ]
 # Orchestrator Policy
@@ -251,7 +258,7 @@ class ApiEnforcer(object):
 authorized = True
 except:
 # couldn't service the auth request
- LOG.error(
+ LOG.exception(
 "Error - Expectation Failed - action: %s", self.action)
 raise ApiError(
 title="Expectation Failed",
diff --git a/src/bin/shipyard_airflow/tests/unit/control/test.conf b/src/bin/shipyard_airflow/tests/unit/control/test.conf
index 584b92ad..9c906740 100644
--- a/src/bin/shipyard_airflow/tests/unit/control/test.conf
+++ b/src/bin/shipyard_airflow/tests/unit/control/test.conf
@@ -44,4 +44,6 @@ validation_read_timeout = 300
 service_type = shipyard
 [logging]
 named_log_levels = keystoneauth:ERROR,cheese:WARN,pumpkins:INFO
-
+[oslo_policy]
+policy_file = /etc/shipyard/policy.yaml
+policy_default_rule = deny_all
diff --git a/tools/resources/shipyard.conf b/tools/resources/shipyard.conf
index 7665e3a8..fcd4d813 100644
--- a/tools/resources/shipyard.conf
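Review bot: As rendered here the continuation line `deny_all rule is hard coded in the policy.py code to allow no access.` has no leading `#`, which, if that is how it reads in the file rather than an artifact of this view, makes the `oslo_policy` mapping invalid YAML; confirm it is `# deny_all rule is hard coded ...`. The comment also overstates the guarantee: `deny_all` is "hard coded" only in the sense that policy.py declares a RuleDefault for it, and that default takes effect only if the enforcer registers those defaults, which this hunk cannot show. If a deployer-supplied policy.yaml does not define `deny_all` and the code defaults are not registered, the default rule itself is unresolvable and the outcome depends on oslo.policy's missing-rule handling (presumably a denial, but not this explicit one) rather than on this file. I'd word it: `# Any action with no matching rule resolves to deny_all, which policy.py registers as '!' (unconditional deny); keep this name aligned with the 'deny_all' RuleDefault in ShipyardPolicy.`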
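Review bot: `'!'` in the new `deny_all` RuleDefault is left unexplained, and the hunk adds `RULE_DENY_ALL = 'rule:deny_all'` without using it, so a reader has to know oslo.policy's check-string grammar to see that this is an unconditional deny rather than a typo. I'd comment the check: `# '!' is oslo.policy's always-false check; config selects it via policy_default_rule = deny_all`. It is also worth noting beside `RULE_DENY_ALL` that it is the `rule:` reference form for use inside other check strings, whereas the config files in this change name the rule bare (`deny_all`), since pasting the constant into `policy_default_rule` would not resolve. ShipyardPolicy continues outside the hunk, so whether `base_rules` is actually registered with the enforcer is not visible here.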
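Review bot: The handler at `except:` is still a bare except, so with the switch to `LOG.exception` a `KeyboardInterrupt` or `SystemExit` raised during enforcement is now logged with a traceback and converted into the "Expectation Failed" ApiError instead of propagating; narrowing it to `except Exception:` keeps the fail-closed behaviour for real errors without swallowing interpreter-exit signals. `LOG.exception` itself is the right call here, since it preserves the traceback that `LOG.error` dropped. The enclosing method of ApiEnforcer starts and ends outside the hunk.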
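Review bot: The unit-test config now points `policy_file` at the absolute host path `/etc/shipyard/policy.yaml`, so test outcomes depend on whether such a file exists on the machine running the suite: a stale or deployment-specific file there would be loaded in place of the code-registered defaults the tests presumably mean to exercise. Point the tests at a fixture kept under the test tree, or at a path that certainly does not exist so the defaults are used deterministically, e.g. `policy_file = policy.yaml` next to this test.conf (oslo.policy is expected to resolve a relative path against its config directories; confirm that holds for the test harness). If the host path is intentional, a comment saying why would save the next person from chasing a flaky run.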
+++ b/tools/resources/shipyard.conf
@@ -13,18 +13,7 @@ upgrade_db = false
 [deckhand]
 service_type = deckhand
 [drydock]
-cluster_join_check_backoff_time = 120
-deploy_node_query_interval = 30
-deploy_node_task_timeout = 3600
-destroy_node_query_interval = 30
-destroy_node_task_timeout = 900
-prepare_node_query_interval = 30
-prepare_node_task_timeout = 1800
-prepare_site_query_interval = 10
-prepare_site_task_timeout = 300
 service_type = physicalprovisioner
-verify_site_query_interval = 10
-verify_site_task_timeout = 60
 [keystone_authtoken]
 auth_section = keystone_authtoken
 auth_type = password
@@ -53,3 +42,6 @@ validation_connect_timeout = 5
 validation_read_timeout = 300
 [shipyard]
 service_type = shipyard
+[oslo_policy]
+policy_file = /etc/shipyard/policy.yaml
+policy_default_rule = deny_all
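Review bot: `policy_default_rule = deny_all` in the new `[oslo_policy]` section names a rule that, as far as this change shows, exists only as a code-registered default in policy.py and not in any policy.yaml, and nothing in the section says so. I'd add `# deny_all is registered as a code default ('!') by shipyard_airflow/policy.py; a policy.yaml at policy_file may override it but need not define it` so that an operator editing `/etc/shipyard/policy.yaml` knows the name must stay aligned with the code. Whether those code defaults are actually registered with the enforcer is not visible in this diff, so confirm that before the comment lands.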