Comment 3 for bug 1356679

Elena Ezhova (eezhova) wrote :

The reason for such behavior is quite simple. When the policy engine starts to build rules to enforce, it checks for each attribute of a to-be-deleted resource whether it is explicitly set. It's done by checking if an attribute is present and has a non-default value (https://github.com/openstack/neutron/blob/master/neutron/policy.py#L121). In your case with a network, such attributes are: provider:physical_network, provider:network_type and provider:segmentation_id.

Then, for each explicitly set attribute a rule is built. Rules that correspond to each attribute are listed in the policy.json file, but in case some of them are absent, they are replaced by a default rule. That is why, by setting a default rule to be "rule:admin_only", you made it impossible for a non-admin user to delete various resources. For example, if you add

"delete_network:provider:network_type": "rule:admin_or_owner",
"delete_network:provider:physical_network": "rule:admin_or_owner",
"delete_network:provider:segmentation_id": "rule:admin_or_owner"

to your policy.json, then network delete will be successful.

I will investigate whether the current behaviour may cause problems, but for now I feel that forbidding a regular user to delete a resource which has admin-only attributes is quite logical.
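A small model of the rule-building behaviour described in this comment, added here as an illustration; it is not neutron/policy.py. The attribute map, the `enforce_policy` flag, the hand-written rule vocabulary (`rule:admin_only`, `rule:admin_or_owner`, `@`, `!`) and the sample network are constructed assumptions. It shows how a "default" of rule:admin_only turns every explicitly set provider attribute into an admin-only gate on delete_network, and how the three attribute-specific entries restore deletion for the owner.

```python
# Added illustration of the rule-building behaviour described above.
# This is NOT neutron/policy.py: the attribute map, the enforce_policy flag,
# the rule vocabulary and the sample network are constructed assumptions.

# Constructed attribute map for a network: default value plus whether the
# attribute gets its own "<action>:<attribute>" policy check (assumption).
NETWORK_ATTRIBUTES = {
    "name": {"default": "", "enforce_policy": False},
    "admin_state_up": {"default": True, "enforce_policy": False},
    "shared": {"default": False, "enforce_policy": True},
    "provider:network_type": {"default": None, "enforce_policy": True},
    "provider:physical_network": {"default": None, "enforce_policy": True},
    "provider:segmentation_id": {"default": None, "enforce_policy": True},
}


def is_explicitly_set(attr_name, attr_map, target):
    """An attribute counts as explicitly set when it is present in the
    resource and differs from its declared default."""
    return (attr_name in target
            and target[attr_name] != attr_map[attr_name]["default"])


def build_rules(action, target, attr_map, policy):
    """Collect the rules that are ANDed together for this action on target.

    The action's own rule always applies; each explicitly set, policy-enforced
    attribute adds an "<action>:<attribute>" rule. Any entry missing from the
    policy falls back to policy["default"], which is why a strict default rule
    silently turns provider attributes into admin-only gates."""
    rules = {action: policy.get(action, policy["default"])}
    for attr_name, spec in attr_map.items():
        if spec["enforce_policy"] and is_explicitly_set(attr_name, attr_map, target):
            key = "%s:%s" % (action, attr_name)
            rules[key] = policy.get(key, policy["default"])
    return rules


def check_rule(rule, context, target):
    """Evaluate the tiny rule language used in this example (assumption: a
    real policy.json expands these names into generic checks)."""
    if rule == "rule:admin_only":
        return context["is_admin"]
    if rule == "rule:admin_or_owner":
        return context["is_admin"] or context["tenant_id"] == target["tenant_id"]
    if rule == "@":          # always allowed
        return True
    if rule == "!":          # never allowed
        return False
    raise ValueError("unknown rule %r" % rule)


def enforce(action, target, attr_map, policy, context):
    """True only if every collected rule passes for this caller."""
    rules = build_rules(action, target, attr_map, policy)
    return all(check_rule(rule, context, target) for rule in rules.values())


# Constructed provider network owned by tenant "t1", and two callers.
NETWORK = {
    "tenant_id": "t1",
    "name": "net1",
    "admin_state_up": True,
    "shared": False,
    "provider:network_type": "vlan",
    "provider:physical_network": "physnet1",
    "provider:segmentation_id": 101,
}
OWNER = {"is_admin": False, "tenant_id": "t1"}
ADMIN = {"is_admin": True, "tenant_id": "admin"}

# Policy with "default" tightened to admin_only and no per-attribute entries.
STRICT_POLICY = {
    "default": "rule:admin_only",
    "delete_network": "rule:admin_or_owner",
}

# Same policy plus the three attribute rules suggested in the comment.
FIXED_POLICY = dict(STRICT_POLICY)
FIXED_POLICY.update({
    "delete_network:provider:network_type": "rule:admin_or_owner",
    "delete_network:provider:physical_network": "rule:admin_or_owner",
    "delete_network:provider:segmentation_id": "rule:admin_or_owner",
})


def owner_can_delete(policy):
    return enforce("delete_network", NETWORK, NETWORK_ATTRIBUTES, policy, OWNER)


if __name__ == "__main__":
    for label, pol in (("strict", STRICT_POLICY), ("fixed", FIXED_POLICY)):
        rules = build_rules("delete_network", NETWORK, NETWORK_ATTRIBUTES, pol)
        print(label, "rules:", rules)
        print(label, "owner may delete:", owner_can_delete(pol))
```

Running it prints the rule set built for each policy: under STRICT_POLICY the three provider entries resolve to rule:admin_only and the owner is refused even though delete_network itself is admin_or_owner; under FIXED_POLICY all four rules are admin_or_owner and the delete goes through. The same fallback applies to any other policy-enforced attribute that is set on the resource, so a strict "default" should be paired with explicit entries for every such attribute.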