diff --git a/policies/remco/remco.hcl b/policies/remco/remco.hcl
new file mode 100644
index 0000000..9695ad6
--- /dev/null
+++ b/policies/remco/remco.hcl
@@ -0,0 +1,12 @@
+# Allow listing secret parent-child connections (as in UI hierarchy). Subdir
+# underneath 'kv' secrets engine will remain hidden though, user has to
+# manually open up
+# ${VAULT_ADDR}/ui/vault/secrets/kv/list/for_{{identity.groups.ids.GROUPID.name}}
+path "kv/metadata/for_{{identity.groups.ids.GROUPID.name}}/*" {
+ capabilities = ["list"]
+}
+
+# Grant read-only access to secrets
+path "kv/data/for_{{identity.groups.ids.GROUPID.name}}/*" {
+ capabilities = ["read"]
+}
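Review bot: `GROUPID` in `identity.groups.ids.GROUPID.name` reads as a placeholder rather than a real Vault identity-group ID, and nothing in the new file says it has to be substituted before the policy is written, so both `path` rules would be pinned to a group that does not exist and the policy would silently grant nothing (surfacing only as a 403 that is hard to trace back here). Add a header comment such as `# GROUPID: replace with the UUID of the identity group this policy serves; the template pins one specific group, so a token outside it gets no access` before the first `path` block. Also worth noting in that comment is that the `identity.groups.ids.<id>.name` form makes this a per-group policy even though the file lives under policies/remco, which suggests a per-user one; if a per-user scope is intended that is a different template parameter and should be stated explicitly.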