diff --git a/README.md b/README.md index 7884585..e2f419a 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ Refer to [config/vault.hcl](config/vault.hcl) for content. ## Configure Once Vault's initialized and with your `root` token in hand log in via the `token` auth method, make the following changes: -* Add policies from [policies](policies) subdirectory into Vault +* Add policies from [policies/role-administrator](policies/role-administrator) subdirectory into Vault * Create group `administrators` * Assign policies `administrator` and `auditor` to that group * Create one entity to represent yourself as an administrator @@ -100,6 +100,12 @@ Get the Vault command-line client via [vaultproject.io/downloads](https://www.va From here on out it's just more of what you already did, feel free to make this fit your own approach. +* Optionally from [policies/role-kv-writer/kv-writer.hcl](policies/role-kv-writer/kv-writer.hcl) load a policy that allows affected entities to create `kv` secrets, create new versions for existing secrets and to traverse the UI directory structure of secrets. Entities with this policy will not be able to read secrets nor see if versions exist at a given location. + + Permission to also read/view secrets is commented out in the policy file in case you do need this feature. + + Assign the policy to a group as needed. + ## Clean-up If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token. diff --git a/policies/role-kv-writer/kv-writer.hcl b/policies/role-kv-writer/kv-writer.hcl new file mode 100644 index 0000000..4bc8b15 --- /dev/null +++ b/policies/role-kv-writer/kv-writer.hcl 
@@ -0,0 +1,24 @@ +# Allow listing secret parent-child connections (as in UI hierarchy) +path "kv/metadata/*" +{ + capabilities = ["list"] +} + +# Allow creation of new secrets and writing new versions for existing ones +path "kv/data/*" +{ + capabilities = ["create", "update"] +} + +# Allow viewing secret metadata such as whether or not versions of a secrets +# exist anf if so how many. +# path "kv/metadata/*" +# { +# capabilities = ["read"] +# } + +# Allow seeing/retrieving plain-text secrets +# path "kv/data/*" +# { +# capabilities = ["read"] +# }
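Review bot: In the README hunk adding the `role-kv-writer` bullet, the sentence "Entities with this policy will not be able to read secrets nor see if versions exist at a given location" overstates what is hidden: the policy grants `list` on `kv/metadata/*`, so holders can enumerate secret names under any path (the existence of a secret at a location is visible, only its contents and version metadata are not). Suggest rewording to something like "Entities with this policy can see which secret names exist but cannot read secret contents or version metadata", so readers do not assume the policy hides the presence of secrets.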
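Review bot: In the new `kv-writer.hcl`, the commented-out `read` stanzas reuse the same paths as the active stanzas (`kv/metadata/*` and `kv/data/*`), so a reader who uncomments them ends up with two stanzas for one path; suggest instead instructing them to extend the existing capability list, e.g. `capabilities = ["list", "read"]` and `capabilities = ["create", "update", "read"]`, which makes the effective grant unambiguous at a glance. Also fix the comment typo "exist anf if so how many" and the grammar in "versions of a secrets" (should be "versions of a secret").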