diff --git a/barbican/common/policies/transportkeys.py b/barbican/common/policies/transportkeys.py
index 160e9a380..338560945 100644
--- a/barbican/common/policies/transportkeys.py
+++ b/barbican/common/policies/transportkeys.py
@@ -13,6 +13,8 @@
 from oslo_policy import policy
 
 
+_SYSTEM_ADMIN = "role:admin and system_scope:all"
+
 rules = [
 policy.DocumentedRuleDefault(
 name='transport_key:get',
@@ -28,8 +30,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='transport_key:delete',
- check_str='rule:admin',
- scope_types=[],
+ check_str=f'{_SYSTEM_ADMIN}',
+ scope_types=['system'],
 description='Delete a specific transport key.',
 operations=[
 {
@@ -52,8 +54,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='transport_keys:post',
- check_str='rule:admin',
- scope_types=[],
+ check_str=f'{_SYSTEM_ADMIN}',
+ scope_types=['system'],
 description='Create a new transport key.',
 operations=[
 {
diff --git a/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml b/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml
new file mode 100644
index 000000000..32a9282df
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Implement secure-rbac for transportkeys resource.
+security:
+ - |
+ The current policy allows users with the admin role to add or delete
+ transport keys. This interface was only ever intended to be used by
+ system admins, and so it has been restricted using the new policy
+ to the system admin only (admins with system_scope:all).
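Review bot: `_SYSTEM_ADMIN` now carries the whole authorization decision for transport key creation and deletion, but nothing at its definition says which tokens it matches. A one-line comment above it would help the next person editing this file, for example `# Admin role on a system-scoped token (system_scope:all); project-scoped admin tokens do not match.` The constant is private to this module, so if other policy modules need the same check it would be safer to define it once in a shared place, so that the strings cannot drift apart; whether such a module exists is not visible from this hunk.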
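Review bot: The new default for `transport_key:delete` (and for `transport_keys:post` in the following hunk) puts `system_scope:all` into the check string itself, so the restriction applies whether or not `enforce_scope` is enabled, and a project-scoped admin token is refused as soon as this default is loaded. Neither rule passes a `deprecated_rule`, so operators should get no deprecation warning before access changes. If the hard cut is deliberate, as the release note suggests, record that next to the rule, e.g. `# No deprecated_rule on purpose: the old rule:admin default must not be OR-ed back in.`; a policy file that still overrides these rules with `rule:admin` would presumably keep the old, wider access and is worth calling out for operators. As a smaller style point, the f-string wrapper adds nothing and `check_str=_SYSTEM_ADMIN,` reads more directly. Both rule definitions continue past the end of their hunks.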