diff --git a/policies/ducoterra.hcl b/policies/ducoterra.hcl
index c3d49e2..eba7899 100644
--- a/policies/ducoterra.hcl
+++ b/policies/ducoterra.hcl
@@ -14,10 +14,18 @@ path "dnet_inter/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
 }
 
-path "ssh-client-signer/*" {
+path "ssh-client-signer/sign/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
 }
 
-path "ssh-host-signer/*" {
+path "ssh-client-signer/roles/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "ssh-host-signer/sign/*" {
+    capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "ssh-host-signer/roles/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
 }