Red Hat OpenStack Services on OpenShift / OSPRH-739

BZ#1976057 [Glance] Policy layer refactoring

    • Moderate
    • Storage; Glance

      Policy enforcement currently occurs in the policy layer. As such, it is conceptually
      tied to the objects implemented in the Glance architecture. A problem with this
      design, which has only revealed itself as the v2 API has matured, is that operators
      want to use policies to control who can make API calls (as they can with most other
      OpenStack services). In Glance, however, policies directly affect the objects dealt
      with internally by Glance, and only indirectly affect who can make API calls. This
      makes it difficult for operators to configure Glance.

      So the proposal is to move the actual policy enforcement up to the API layer so that
      an operator can, for example, easily restrict access to a particular call. Most of
      the OpenStack projects have policy enforcement closer to the API layer, so these
      efforts will also put us more in line with the current thinking on policy enforcement.
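
The difference between the two placements, as an added toy model that is not Glance code and not part of the original ticket: the classes, handler functions and the `uploader` role are hypothetical, and `get_image` / `modify_image` are used here only as sample rule names. With object-layer enforcement, a rule on the internal "get" operation silently blocks the update call that loads the image first; with API-layer enforcement, each call is gated by exactly one rule.

```python
# Toy model constructed for illustration; none of this is Glance code.
class Forbidden(Exception):
    pass

def enforce(rules, rule, roles):
    """Raise Forbidden unless one of the caller's roles is granted `rule`."""
    if not rules.get(rule, set()) & roles:
        raise Forbidden(rule)

class ImageRepo:
    """Unprotected internal store."""
    def __init__(self):
        self.images = {"img-1": {"name": "cirros"}}
    def get(self, image_id):
        return dict(self.images[image_id])
    def save(self, image_id, image):
        self.images[image_id] = image

class PolicyRepo(ImageRepo):
    """Object-layer placement: each internal operation checks its own rule."""
    def __init__(self, rules, roles):
        super().__init__()
        self.rules, self.roles = rules, roles
    def get(self, image_id):
        enforce(self.rules, "get_image", self.roles)
        return super().get(image_id)
    def save(self, image_id, image):
        enforce(self.rules, "modify_image", self.roles)
        super().save(image_id, image)

def update(repo, image_id, changes):
    """Handler body shared by both placements: load, patch, store."""
    image = repo.get(image_id)
    image.update(changes)
    repo.save(image_id, image)
    return image

def update_object_layer(rules, roles):
    try:
        return update(PolicyRepo(rules, roles), "img-1", {"name": "new"})
    except Forbidden as exc:
        return f"denied by {exc}"

def update_api_layer(rules, roles):
    try:
        enforce(rules, "modify_image", roles)  # one check, named for the call
        return update(ImageRepo(), "img-1", {"name": "new"})
    except Forbidden as exc:
        return f"denied by {exc}"

# Constructed policy: 'uploader' may update images but not read them back.
RULES = {"get_image": {"admin"}, "modify_image": {"admin", "uploader"}}
```
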

            akekane@redhat.com Abhishek Kekane
            jira-bugzilla-migration RH Bugzilla Integration
            rhos-dfg-storage-squad-glance