We have this issue with the default policy: if the network is a shared network owned by an admin, and the port within that network is owned by the user, then the user isn't allowed to update port security on that port.
The policy is:
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
One way to help mitigate this is to not send neutron the port_security_enabled attribute if this attribute is not being changed by the user
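The following is an added example, not code from the bug report or from Neutron itself. It models the quoted rule (a non-admin user who does not own the network fails `admin_or_network_owner`, so any update carrying `port_security_enabled` is denied) and the proposed mitigation: diff the requested attributes against the current port and send only the ones that actually change, so an unchanged `port_security_enabled` never reaches the policy check. The network, port and context records, and the helper names `changed_attrs`, `check_update` and `may_update_port_security`, are constructed for illustration and are not Neutron APIs.

```python
# Added example: simplified model of the policy rule quoted in the report
# and of the "only send what changed" mitigation. Not Neutron code.

# Constructed sample records (not real Neutron objects).
NETWORK = {"id": "net-1", "tenant_id": "admin-tenant", "shared": True}
PORT = {
    "id": "port-1",
    "network_id": "net-1",
    "tenant_id": "user-tenant",
    "port_security_enabled": True,
    "name": "web0",
}
USER_CTX = {"tenant_id": "user-tenant", "is_admin": False, "is_advsvc": False}
ADMIN_CTX = {"tenant_id": "admin-tenant", "is_admin": True, "is_advsvc": False}


def admin_or_network_owner(context, network):
    # rule:admin_or_network_owner: admin, or same tenant as the *network*
    return context["is_admin"] or context["tenant_id"] == network["tenant_id"]


def context_is_advsvc(context):
    # rule:context_is_advsvc: advanced-service context flag
    return bool(context.get("is_advsvc", False))


def may_update_port_security(context, network):
    """Stand-in for: "rule:context_is_advsvc or rule:admin_or_network_owner"."""
    return context_is_advsvc(context) or admin_or_network_owner(context, network)


def check_update(context, port, network, requested):
    """Apply an update; deny it if it carries port_security_enabled and the
    caller does not satisfy the rule. Mirrors the per-attribute policy check."""
    if "port_security_enabled" in requested and not may_update_port_security(context, network):
        raise PermissionError("update_port:port_security_enabled denied")
    return {**port, **requested}


def changed_attrs(current, desired):
    """Mitigation: keep only attributes whose value differs from the current
    port, so an unchanged port_security_enabled is not sent at all."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def user_rename_sends_everything():
    # Unmitigated client: resends the full attribute set, including the
    # unchanged port_security_enabled, and is denied.
    desired = {"name": "web1", "port_security_enabled": True}
    try:
        check_update(USER_CTX, PORT, NETWORK, desired)
        return "allowed"
    except PermissionError:
        return "denied"


def user_rename_sends_only_changes():
    # Mitigated client: only the changed name is sent, so the rule is never
    # evaluated and the rename succeeds.
    desired = {"name": "web1", "port_security_enabled": True}
    return check_update(USER_CTX, PORT, NETWORK, changed_attrs(PORT, desired))


def user_toggle_port_security():
    # The mitigation does not help when the user really changes the flag;
    # that still requires an admin or the network owner.
    desired = {"port_security_enabled": False}
    try:
        check_update(USER_CTX, PORT, NETWORK, changed_attrs(PORT, desired))
        return "allowed"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print(user_rename_sends_everything())      # denied
    print(user_rename_sends_only_changes())    # port with name web1
    print(user_toggle_port_security())         # denied
```

The diffing step belongs in the client (for example, whatever builds the port update request) rather than in the policy engine; it reduces spurious denials for unrelated edits but leaves the actual authorization decision for `port_security_enabled` unchanged.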