diff --git a/policies/consul_root/au/syd1/config/admin.yaml b/policies/consul_root/au/syd1/config/admin.yaml
new file mode 100644
index 0000000..e974120
--- /dev/null
+++ b/policies/consul_root/au/syd1/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure consul secret backend
+---
+rules:
+ - path: "consul_root/au/syd1/config/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/consul_root/au/syd1/roles/admin.yaml b/policies/consul_root/au/syd1/roles/admin.yaml
new file mode 100644
index 0000000..f7feaeb
--- /dev/null
+++ b/policies/consul_root/au/syd1/roles/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to manage consul secret backend roles
+---
+rules:
+ - path: "consul_root/au/syd1/roles/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/kv/config/admin.yaml b/policies/kv/config/admin.yaml
new file mode 100644
index 0000000..f43cf73
--- /dev/null
+++ b/policies/kv/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure KV secret backend
+---
+rules:
+ - path: "kv/config"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/pki/au/syd1/config/admin.yaml b/policies/pki/au/syd1/config/admin.yaml
new file mode 100644
index 0000000..5965236
--- /dev/null
+++ b/policies/pki/au/syd1/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure pki/au/syd1 secret backend
+---
+rules:
+ - path: "pki/au/syd1/config/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/pki/au/syd1/issuer/admin.yaml b/policies/pki/au/syd1/issuer/admin.yaml
new file mode 100644
index 0000000..e21ee91
--- /dev/null
+++ b/policies/pki/au/syd1/issuer/admin.yaml
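Review bot: The header comment names the backend but not why the `tf_vault` AppRole needs `delete` alongside `create`/`update` on `consul_root/au/syd1/config/*`, and the same five-capability block is repeated unchanged in the consul roles, pki, pki_int, pki_root, sshca, kv and rundeck config hunks. If Terraform only ever writes these config endpoints, `delete` is surplus and could be dropped; if it is needed for destroy-time cleanup, say so, e.g. `# Full CRUD so tf_vault can create, rotate and tear down this backend's config`. Note that for the Consul engine `config/access` is where the Consul management token is written, so `update` on this glob is effectively control over that token, which is presumably the intent for a Terraform role but deserves stating in the comment.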
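Review bot: `kv/config` is a single path rather than a glob, and the KV v2 `config` endpoint documents only read and write operations, so `delete` and `list` on it are never exercised; for least privilege the list could be reduced to `create`, `update`, `read`. The same applies to `rundeck/config` in the rundeck hunk, whose comment also calls it a KV backend. Worth confirming against the engine actually mounted at `kv` before trimming, since the policy file does not say which engine it is.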
@@ -0,0 +1,11 @@
+# Allow access to read pki/au/syd1 issuers
+---
+rules:
+ - path: "pki/au/syd1/issuer/*"
+ capabilities:
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/pki_int/config/admin.yaml b/policies/pki_int/config/admin.yaml
new file mode 100644
index 0000000..f63d28d
--- /dev/null
+++ b/policies/pki_int/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure pki_int secret backend
+---
+rules:
+ - path: "pki_int/config/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/pki_int/issuer/admin.yaml b/policies/pki_int/issuer/admin.yaml
new file mode 100644
index 0000000..3501baa
--- /dev/null
+++ b/policies/pki_int/issuer/admin.yaml
@@ -0,0 +1,11 @@
+# Allow access to read pki_int issuers
+---
+rules:
+ - path: "pki_int/issuer/*"
+ capabilities:
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/pki_root/config/admin.yaml b/policies/pki_root/config/admin.yaml
new file mode 100644
index 0000000..42059e8
--- /dev/null
+++ b/policies/pki_root/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure pki_root secret backend
+---
+rules:
+ - path: "pki_root/config/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/pki_root/issuer/admin.yaml b/policies/pki_root/issuer/admin.yaml
new file mode 100644
index 0000000..bdb6a82
--- /dev/null
+++ b/policies/pki_root/issuer/admin.yaml
@@ -0,0 +1,11 @@
+# Allow access to read pki_root issuers
+---
+rules:
+ - path: "pki_root/issuer/*"
+ capabilities:
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/pki_root/roles/admin.yaml b/policies/pki_root/roles/admin.yaml
new file mode 100644
index 0000000..7f66761
--- /dev/null
+++ b/policies/pki_root/roles/admin.yaml
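Review bot: The file is named `admin.yaml` but the policy only grants `read` and `list` on `pki/au/syd1/issuer/*`, which is a read-only view of issuer certificates and chains (signing and issuing under `issuer/` require `update`, which is correctly absent). If the consuming tool derives the Vault policy name from the file path, which is not visible here, the resulting name will overstate what the policy grants. The same mismatch is in the `pki_int/issuer/admin.yaml` and `pki_root/issuer/admin.yaml` hunks. Either rename the files to something like `read.yaml` or make the intent explicit in the header, e.g. `# Read-only: list issuers and fetch their certificates/chains; no issue, sign or delete`.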
@@ -0,0 +1,14 @@
+# Allow access to manage pki_root secret backend roles
+---
+rules:
+ - path: "pki_root/roles/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/rundeck/config/admin.yaml b/policies/rundeck/config/admin.yaml
new file mode 100644
index 0000000..2a63e98
--- /dev/null
+++ b/policies/rundeck/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure rundeck KV secret backend
+---
+rules:
+ - path: "rundeck/config"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/sshca/config/admin.yaml b/policies/sshca/config/admin.yaml
new file mode 100644
index 0000000..abac807
--- /dev/null
+++ b/policies/sshca/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure SSH CA secret backend
+---
+rules:
+ - path: "sshca/config/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault