diff --git a/README b/README
index c9784a95..ce276d7b 100644
--- a/README
+++ b/README
@@ -34,6 +34,9 @@ REQUIREMENTS
 INSTALLATION
 ------------
 
+Before installing Islandora the XACML policies located in the policies folder
+should be copied into the Fedora global XACML policies folder. This will allow
+"authenticated users" in Drupal to access Fedora API-M functions.
 
 CONFIGURATION
 -------------
@@ -64,4 +67,4 @@ CONTACT
 
 
 SPONSORS
---------
\ No newline at end of file
+--------
diff --git a/policies/permit-apim-to-authenticated-user.xml b/policies/permit-apim-to-authenticated-user.xml
new file mode 100644
index 00000000..b6ecea1b
--- /dev/null
+++ b/policies/permit-apim-to-authenticated-user.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        PolicyId="permit-apim-to-authenticated-user"
+        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+  <Description>note that other policies may provide exceptions to this broad policy.  This policy assumes api-m users have to be authenticated</Description>
+  <Target>
+    <Subjects>
+      <Subject>
+	<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticated user</AttributeValue>
+          <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
+				      DataType="http://www.w3.org/2001/XMLSchema#string"/>
+	</SubjectMatch>
+      </Subject>
+    </Subjects>
+    <Resources>
+      <AnyResource/>
+    </Resources>
+    <Actions>
+      <Action>
+	<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
+          <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
+            AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
+        </ActionMatch>
+      </Action>
+    </Actions>
+  </Target>
+  <Rule RuleId="1" Effect="Permit"/>
+</Policy>
diff --git a/policies/permit-upload-to-authenticated-user.xml b/policies/permit-upload-to-authenticated-user.xml
new file mode 100644
index 00000000..c69d63c6
--- /dev/null
+++ b/policies/permit-upload-to-authenticated-user.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        PolicyId="permit-upload-to-authenticated-user"
+        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
+  <Description></Description>
+  <Target>
+    <Subjects>
+      <Subject>
+        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticated user</AttributeValue>
+          <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
+            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+        </SubjectMatch>
+      </Subject>
+    </Subjects>
+    <Resources>
+      <AnyResource/>
+    </Resources>
+    <Actions>
+     <Action>
+       <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-upload</AttributeValue>
+         <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
+           AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
+       </ActionMatch>
+     </Action>
+    </Actions>
+  </Target>
+  <Rule RuleId="1" Effect="Permit"/>
+</Policy>