diff --git a/ibm/service/iampolicy/resource_ibm_iam_authorization_policy.go b/ibm/service/iampolicy/resource_ibm_iam_authorization_policy.go
index 947cee9fbc..c1facb1f30 100644
--- a/ibm/service/iampolicy/resource_ibm_iam_authorization_policy.go
+++ b/ibm/service/iampolicy/resource_ibm_iam_authorization_policy.go
@@ -32,17 +32,17 @@ func ResourceIBMIAMAuthorizationPolicy() *schema.Resource {
 				Type:         schema.TypeString,
 				Optional:     true,
 				Computed:     true,
-				ExactlyOneOf: []string{"source_service_name", "subject_attributes"},
-				Description:  "The source service name",
 				ForceNew:     true,
+				AtLeastOneOf: []string{"source_service_name", "source_resource_group_id", "subject_attributes"},
+				Description:  "The source service name",
 			},
 
 			"target_service_name": {
 				Type:         schema.TypeString,
 				Optional:     true,
 				Computed:     true,
-				ExactlyOneOf: []string{"target_service_name", "resource_attributes"},
 				ForceNew:     true,
+				AtLeastOneOf: []string{"target_service_name", "target_resource_type", "resource_attributes"},
 				Description:  "The target service name",
 			},
 
@@ -126,7 +126,7 @@ func ResourceIBMIAMAuthorizationPolicy() *schema.Resource {
 				Computed:      true,
 				ForceNew:      true,
 				Description:   "Set subject attributes.",
-				ConflictsWith: []string{"source_resource_instance_id", "source_resource_group_id", "source_resource_type", "source_service_account"},
+				ConflictsWith: []string{"source_service_name", "source_resource_instance_id", "source_resource_group_id", "source_resource_type", "source_service_account"},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"name": {
@@ -149,7 +149,7 @@ func ResourceIBMIAMAuthorizationPolicy() *schema.Resource {
 				Computed:      true,
 				ForceNew:      true,
 				Description:   "Set resource attributes.",
-				ConflictsWith: []string{"target_resource_instance_id", "target_resource_group_id", "target_resource_type"},
+				ConflictsWith: []string{"target_service_name", "target_resource_instance_id", "target_resource_group_id", "target_resource_type"},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"name": {
@@ -249,13 +249,15 @@ func resourceIBMIAMAuthorizationPolicyCreate(d *schema.ResourceData, meta interf
 		}
 	} else {
 
-		sourceServiceName = d.Get("source_service_name").(string)
+		if name, ok := d.GetOk("source_service_name"); ok {
+			sourceServiceName = name.(string)
 
-		serviceNameSubjectAttribute := &iampolicymanagementv1.SubjectAttribute{
-			Name:  core.StringPtr("serviceName"),
-			Value: &sourceServiceName,
+			serviceNameSubjectAttribute := &iampolicymanagementv1.SubjectAttribute{
+				Name:  core.StringPtr("serviceName"),
+				Value: &sourceServiceName,
+			}
+			policySubject.Attributes = append(policySubject.Attributes, *serviceNameSubjectAttribute)
 		}
-		policySubject.Attributes = append(policySubject.Attributes, *serviceNameSubjectAttribute)
 
 		sourceServiceAccount := userDetails.UserAccount
 		if account, ok := d.GetOk("source_service_account"); ok {
@@ -304,6 +306,9 @@ func resourceIBMIAMAuthorizationPolicyCreate(d *schema.ResourceData, meta interf
 			if name == "serviceName" {
 				targetServiceName = value
 			}
+			if name == "resourceType" && targetServiceName == "" {
+				targetServiceName = "resource-controller"
+			}
 			at := iampolicymanagementv1.ResourceAttribute{
 				Name:     &name,
 				Value:    &value,
@@ -312,13 +317,15 @@ func resourceIBMIAMAuthorizationPolicyCreate(d *schema.ResourceData, meta interf
 			policyResource.Attributes = append(policyResource.Attributes, at)
 		}
 	} else {
-		targetServiceName = d.Get("target_service_name").(string)
-		serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
-			Name:     core.StringPtr("serviceName"),
-			Value:    core.StringPtr(targetServiceName),
-			Operator: core.StringPtr("stringEquals"),
+		if name, ok := d.GetOk("target_service_name"); ok {
+			targetServiceName = name.(string)
+			serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
+				Name:     core.StringPtr("serviceName"),
+				Value:    core.StringPtr(targetServiceName),
+				Operator: core.StringPtr("stringEquals"),
+			}
+			policyResource.Attributes = append(policyResource.Attributes, *serviceNameResourceAttribute)
 		}
-		policyResource.Attributes = append(policyResource.Attributes, *serviceNameResourceAttribute)
 
 		accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
 			Name:     core.StringPtr("accountId"),
@@ -342,6 +349,9 @@ func resourceIBMIAMAuthorizationPolicyCreate(d *schema.ResourceData, meta interf
 				Value: core.StringPtr(tType.(string)),
 			}
 			policyResource.Attributes = append(policyResource.Attributes, resourceTypeResourceAttribute)
+			if targetServiceName == "" {
+				targetServiceName = "resource-controller"
+			}
 		}
 
 		if tResGrpID, ok := d.GetOk("target_resource_group_id"); ok {
diff --git a/ibm/service/iampolicy/resource_ibm_iam_authorization_policy_test.go b/ibm/service/iampolicy/resource_ibm_iam_authorization_policy_test.go
index 7ff47f344c..fe5b7436ca 100644
--- a/ibm/service/iampolicy/resource_ibm_iam_authorization_policy_test.go
+++ b/ibm/service/iampolicy/resource_ibm_iam_authorization_policy_test.go
@@ -107,7 +107,7 @@ func TestAccIBMIAMAuthorizationPolicy_ResourceType(t *testing.T) {
 					testAccCheckIBMIAMAuthorizationPolicyExists("ibm_iam_authorization_policy.policy", conf),
 					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_service_name", "is"),
 					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_resource_type", "load-balancer"),
-					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", "cloudcerts"),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", "hs-crypto"),
 				),
 			},
 		},
@@ -154,6 +154,96 @@ func TestAccIBMIAMAuthorizationPolicy_ResourceAttributes(t *testing.T) {
 	})
 }
 
+func TestAccIBMIAMAuthorizationPolicy_SourceResourceGroupId(t *testing.T) {
+	var conf iampolicymanagementv1.PolicyTemplateMetaData
+	resourceName := "ibm_iam_authorization_policy.policy"
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMIAMAuthorizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMAuthorizationPolicySourceResourceGroupId(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMAuthorizationPolicyExists("ibm_iam_authorization_policy.policy", conf),
+					resource.TestCheckResourceAttrSet("ibm_iam_authorization_policy.policy", "id"),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_service_name", ""),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", "cloud-object-storage"),
+				),
+			},
+			{
+				ResourceName:            resourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"transaction_id"},
+			},
+		},
+	})
+}
+
+func TestAccIBMIAMAuthorizationPolicy_SourceResourceGroupId_ResourceAttributes(t *testing.T) {
+	var conf iampolicymanagementv1.PolicyTemplateMetaData
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMIAMAuthorizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMAuthorizationPolicySourceResourceGroupIdResourceAttributes(acc.Tg_cross_network_account_id, acc.Tg_cross_network_account_id),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMAuthorizationPolicyExists("ibm_iam_authorization_policy.policy", conf),
+					resource.TestCheckResourceAttrSet("ibm_iam_authorization_policy.policy", "id"),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_service_name", ""),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", "cloud-object-storage"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccIBMIAMAuthorizationPolicy_TargetResourceType(t *testing.T) {
+	var conf iampolicymanagementv1.PolicyTemplateMetaData
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMIAMAuthorizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMAuthorizationPolicyTargetResourceType(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMAuthorizationPolicyExists("ibm_iam_authorization_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", ""),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_service_name", "project"),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_resource_type", "resource-group"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccIBMIAMAuthorizationPolicy_TargetResourceTypeAndResourceAttributes(t *testing.T) {
+	var conf iampolicymanagementv1.PolicyTemplateMetaData
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMIAMAuthorizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMAuthorizationPolicyResourceTypeAndResourceAttributes(acc.Tg_cross_network_account_id, acc.Tg_cross_network_account_id),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMAuthorizationPolicyExists("ibm_iam_authorization_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", ""),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_service_name", "project"),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_resource_type", "resource-group"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccIBMIAMAuthorizationPolicy_With_Transaction_id(t *testing.T) {
 	var conf iampolicymanagementv1.PolicyTemplateMetaData
 
@@ -274,7 +364,7 @@ func testAccCheckIBMIAMAuthorizationPolicyResourceType() string {
 	resource "ibm_iam_authorization_policy" "policy" {
 		source_service_name  = "is"
 		source_resource_type = "load-balancer"
-		target_service_name  = "cloudcerts"
+		target_service_name  = "hs-crypto"
 		roles                = ["Reader"]
 	  }
 	`
@@ -368,3 +458,79 @@ func testAccCheckIBMIAMAuthorizationPolicyTransactionId() string {
 	  }
 	`
 }
+
+func testAccCheckIBMIAMAuthorizationPolicySourceResourceGroupId() string {
+	return fmt.Sprintf(`
+	  resource "ibm_iam_authorization_policy" "policy" {
+			source_resource_group_id    = "123-456-abc-def"
+			target_service_name         = "cloud-object-storage"
+			roles                       = ["Reader"]
+	  }
+
+	`)
+}
+
+func testAccCheckIBMIAMAuthorizationPolicySourceResourceGroupIdResourceAttributes(sAccountID, tAccountID string) string {
+
+	return fmt.Sprintf(`
+
+	resource "ibm_iam_authorization_policy" "policy" {
+		roles    = ["Reader"]
+		subject_attributes {
+			name   = "accountId"
+			value  = "%s"
+		}
+		subject_attributes {
+			name   = "resourceGroupId"
+			value  = "def-abc-456-123"
+		}
+
+		resource_attributes {
+			name   = "serviceName"
+			value  = "cloud-object-storage"
+		}
+		resource_attributes {
+			name   = "accountId"
+			value  = "%s"
+		}
+	}
+	`, sAccountID, tAccountID)
+}
+
+func testAccCheckIBMIAMAuthorizationPolicyTargetResourceType() string {
+	return `
+	resource "ibm_iam_authorization_policy" "policy" {
+		source_service_name = "project"
+		target_resource_type  = "resource-group"
+		roles                = ["Viewer"]
+	  }
+	`
+}
+
+func testAccCheckIBMIAMAuthorizationPolicyResourceTypeAndResourceAttributes(sAccountID, tAccountID string) string {
+
+	return fmt.Sprintf(`
+
+	resource "ibm_iam_authorization_policy" "policy" {
+		roles    = ["Viewer"]
+		subject_attributes {
+			name   = "accountId"
+			value  = "%s"
+		}
+		subject_attributes {
+			name   = "serviceName"
+			value  = "project"
+		}
+
+		resource_attributes {
+			name   = "resourceType"
+			value  = "resource-group"
+		}
+		resource_attributes {
+			name   = "accountId"
+			value  = "%s"
+		}
+
+	}
+	`, sAccountID, tAccountID)
+}
diff --git a/website/docs/d/iam_authorization_policies.html.markdown b/website/docs/d/iam_authorization_policies.html.markdown
index 68840df95d..90422aa000 100644
--- a/website/docs/d/iam_authorization_policies.html.markdown
+++ b/website/docs/d/iam_authorization_policies.html.markdown
@@ -38,12 +38,12 @@ In addition to all argument reference list, you can access the following attribu
   - `resources`- (List of objects) A nested block describes the resources in the policy.
 
     Nested scheme for `resources`:
-    - `source_service_account` - (Optional, Forces new resource, string) The account GUID of source service.
-    - `source_service_name` - (Required, Forces new resource, string) The source service name.
-    - `target_service_name` - (Required, Forces new resource, string) The target service name.
-    - `source_resource_instance_id` - (Optional, Forces new resource, string) The source resource instance id.
-    - `target_resource_instance_id` - (Optional, Forces new resource, string) The target resource instance id.
-    - `source_resource_type` - (Optional, Forces new resource, string) The resource type of source service.
-    - `target_resource_type` - (Optional, Forces new resource, string) The resource type of target service.
-    - `source_resource_group_id` - (Optional, Forces new resource, string) The source resource group id.
-    - `target_resource_group_id` - (Optional, Forces new resource, string) The target resource group id.
+    - `source_service_account` - (string) The account GUID of source service.
+    - `source_service_name` - (string) The source service name.
+    - `target_service_name` - (string) The target service name.
+    - `source_resource_instance_id` - (string) The source resource instance id.
+    - `target_resource_instance_id` - (string) The target resource instance id.
+    - `source_resource_type` - (string) The resource type of source service.
+    - `target_resource_type` - (string) The resource type of target service.
+    - `source_resource_group_id` - (string) The source resource group id.
+    - `target_resource_group_id` - (string) The target resource group id.
diff --git a/website/docs/r/iam_authorization_policy.html.markdown b/website/docs/r/iam_authorization_policy.html.markdown
index 16009a6486..2758bb8b9d 100644
--- a/website/docs/r/iam_authorization_policy.html.markdown
+++ b/website/docs/r/iam_authorization_policy.html.markdown
@@ -95,6 +95,93 @@ resource "ibm_iam_authorization_policy" "policy" {
 ```
 
 
+### Authorization policy between resource group and a target service
+
+```terraform
+resource "ibm_resource_group" "source_resource_group" {
+  name     = "123123"
+}
+
+
+resource "ibm_iam_authorization_policy" "policy" {
+  source_resource_group_id    = ibm_resource_group.source_resource_group.id
+  target_service_name         = "cloud-object-storage"
+  roles                       = ["Reader"]
+}
+
+```
+
+### Authorization policy between resource group and a target service using resource attributes
+
+```terraform
+
+resource "ibm_resource_group" "source_resource_group" {
+  name     = "123123"
+}
+
+resource "ibm_iam_authorization_policy" "policy" {
+    roles                  = [
+        "Reader",
+    ]
+
+    resource_attributes {
+        name     = "accountId"
+        operator = "stringEquals"
+        value    = "12345"
+    }
+    resource_attributes {
+        name     = "serviceName"
+        operator = "stringEquals"
+        value    = "cloud-object-storage"
+    }
+
+    subject_attributes {
+        name  = "accountId"
+        value = "12345"
+    }
+    subject_attributes {
+        name  = "resourceGroupId"
+        value = ibm_resource_group.source_resource_group.id
+    }
+}
+```
+
+### Authorization policy between source service and target resource type "resource-group"
+
+```terraform
+resource "ibm_iam_authorization_policy" "policy" {
+		source_service_name = "project"
+		target_resource_type  = "resource-group"
+		roles                = ["Viewer"]
+	  }
+```
+
+
+### Authorization policy between source service and target resource type "resource-group" using resource attributes
+
+```terraform
+resource "ibm_iam_authorization_policy" "policy" {
+		roles    = ["Viewer"]
+		subject_attributes {
+			name   = "accountId"
+			value  = "12345"
+		}
+		subject_attributes {
+			name   = "serviceName"
+			value  = "project"
+		}
+
+		resource_attributes {
+			name   = "resourceType"
+			value  = "resource-group"
+		}
+		resource_attributes {
+			name   = "accountId"
+			value  = "12345"
+		}
+	}
+```
+
 ### Authorization policy between two specific services.
 
 ```terraform
@@ -137,27 +224,30 @@ specific to a service `internet-svcs` use above `resource_attributes` format.<br
 
 ## Argument reference
 Review the argument references that you can specify for your resource.
+**Note:**
+At least one of the following subject attributes is required: `source_service_name`, `source_resource_group_id`, or `subject_attributes`.
+Additionally, at least one of the following resource attributes is required: `target_service_name`, `target_resource_type`, `resource_attributes`.
 
 - `description`  (Optional, String) The description of the Authorization Policy.
 - `roles` - (Required, list) The comma separated list of roles. For more information, about supported service specific roles, see  [IAM roles and actions](https://cloud.ibm.com/docs/account?topic=account-iam-service-roles-actions)
 
-- `source_service_account` - (Optional, Forces new resource, string) The account GUID of source service.**Note** Conflicts with `subject_attributes`.
-- `source_service_name` - (Required, Forces new resource, string) The source service name.**Note** Conflicts with `subject_attributes`.
-- `target_service_name` - (Required, Forces new resource, string) The target service name.**Note** Conflicts with `resource_attributes`.
-- `source_resource_instance_id` - (Optional, Forces new resource, string) The source resource instance id.**Note** Conflicts with `subject_attributes`.
-- `target_resource_instance_id` - (Optional, Forces new resource, string) The target resource instance id.**Note** Conflicts with `resource_attributes`.
-- `source_resource_type` - (Optional, Forces new resource, string) The resource type of source service.**Note** Conflicts with `subject_attributes`.
-- `target_resource_type` - (Optional, Forces new resource, string) The resource type of target service.**Note** Conflicts with `resource_attributes`.
-- `source_resource_group_id` - (Optional, Forces new resource, string) The source resource group id.**Note** Conflicts with `subject_attributes`.
-- `target_resource_group_id` - (Optional, Forces new resource, string) The target resource group id.**Note** Conflicts with `resource_attributes`.
-- `resource_attributes` - (Optional, Forces new resource, list) A nested block describing the resource attributes of this policy.**Note** Conflicts with `target_resource_instance_id`, `target_resource_group_id` and `target_resource_type`.
+- `source_service_account` - (Optional, Forces new resource, string) The account GUID of source service. **Note** Conflicts with `subject_attributes`.
+- `source_service_name` - (Optional, Forces new resource, string) The source service name. **Note** Conflicts with `subject_attributes`.
+- `target_service_name` - (Optional, Forces new resource, string) The target service name. **Note** Conflicts with `resource_attributes`.
+- `source_resource_instance_id` - (Optional, Forces new resource, string) The source resource instance id. **Note** Conflicts with `subject_attributes`.
+- `target_resource_instance_id` - (Optional, Forces new resource, string) The target resource instance id. **Note** Conflicts with `resource_attributes`.
+- `source_resource_type` - (Optional, Forces new resource, string) The resource type of source service. **Note** Conflicts with `subject_attributes`.
+- `target_resource_type` - (Optional, Forces new resource, string) The resource type of target service. **Note** Conflicts with `resource_attributes`.
+- `source_resource_group_id` - (Optional, Forces new resource, string) The source resource group id. **Note** Conflicts with `subject_attributes`.
+- `target_resource_group_id` - (Optional, Forces new resource, string) The target resource group id. **Note** Conflicts with `resource_attributes`.
+- `resource_attributes` - (Optional, Forces new resource, list) A nested block describing the resource attributes of this policy. **Note** Conflicts with `target_service_name`, `target_resource_instance_id`, `target_resource_group_id` and `target_resource_type`.
 
   Nested scheme for `resource_attributes`:
   - `name` - (Required, String) The name of an attribute. Supported values are `serviceName` , `serviceInstance` ,`resourceType` , `resourceGroupId` `accountId` and other service specific resource attributes.
   - `value` - (Required, String) The value of an attribute.
   - `operator` - (Optional, String) Operator of an attribute. The default value is `stringEquals`.
 
-- `subject_attributes` - (Optional, Forces new resource, list) A nested block describing the subject attributes of this policy.**Note** Conflicts with `source_resource_instance_id`, `source_resource_group_id` `source_resource_type` and `source_service_account`.
+- `subject_attributes` - (Optional, Forces new resource, list) A nested block describing the subject attributes of this policy.**Note** Conflicts with `source_service_name`, `source_resource_instance_id`, `source_resource_group_id` `source_resource_type` and `source_service_account`.
   
   Nested scheme for `subject_attributes`:
   - `name` - (Required, String) The name of an attribute. Supported values are `serviceName` , `serviceInstance` , `region` , `resource` , `resourceType` , `resourceGroupId` `accountId`.