diff --git a/barbican/api/controllers/secrets.py b/barbican/api/controllers/secrets.py
index 27b5a814b..a74ff40c7 100644
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@@ -260,6 +260,12 @@ class SecretController(controllers.ACLMixin):
 self.secret.id,
 suppress_exception=True
 )
+
+ # With ACL support, the user token project does not have to be same as
+ # project associated with secret. The lookup project_id needs to be
+ # derived from the secret's data considering authorization is already
+ # done.
+ external_project_id = self.secret.project.external_id
 plugin.delete_secret(self.secret, external_project_id)
 LOG.info('Deleted secret for project: %s', external_project_id)
diff --git a/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml b/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml
new file mode 100644
index 000000000..725925812
--- /dev/null
+++ b/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixed Story #2006978: An admin user now can delete other users secrets
+ by adjust the policy file.
+
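Review bot: In the secrets.py hunk, the added `external_project_id = self.secret.project.external_id` rebinds what appears to be the token-derived project id, so the following `LOG.info('Deleted secret for project: %s', external_project_id)` records only the owning project and no longer shows which project's token performed the delete. Since the change exists to permit cross-project deletion, keep the caller's value under its own name and log both, for example `secret_project_id = self.secret.project.external_id` and `plugin.delete_secret(self.secret, secret_project_id)`, with the log line extended to include the caller's `external_project_id`. The comment's "authorization is already done" relies on policy/ACL enforcement that lies outside this hunk (the method begins above line 260), so the comment should name where that check is applied. The diff as shown also adds no test for a delete where the token project differs from the secret's project.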