diff --git a/src/vault/policy-roots/impl/system-policy.service.ts b/src/vault/policy-roots/impl/system-policy.service.ts
index d8c94fc..6a16a25 100644
--- a/src/vault/policy-roots/impl/system-policy.service.ts
+++ b/src/vault/policy-roots/impl/system-policy.service.ts
@@ -47,6 +47,7 @@ export class SystemPolicyService implements PolicyRootService {
 {group: VAULT_ROOT_SYSTEM, templateName: 'db-admin-super', data: {secertDbPath: 'db'}},
 {group: VAULT_ROOT_SYSTEM, templateName: 'isss-cdua-read'},
 {group: VAULT_ROOT_SYSTEM, templateName: 'isss-ci-read'},
+ {group: VAULT_ROOT_SYSTEM, templateName: 'oraapp-imborapp-read'},
 {group: VAULT_ROOT_SYSTEM, templateName: 'user-generic'},
 {group: VAULT_ROOT_SYSTEM, templateName: 'vault-sync'},
 ];
diff --git a/src/vault/templates/system/oraapp-imborapp-read.hcl.tpl b/src/vault/templates/system/oraapp-imborapp-read.hcl.tpl
new file mode 100644
index 0000000..af46117
--- /dev/null
+++ b/src/vault/templates/system/oraapp-imborapp-read.hcl.tpl
@@ -0,0 +1,10 @@
+# System policy
+# Scope: Users who need read access to the oraapp/imborapp credentials (e.g. to deploy fluent bit to Windows servers)
+
+path "groups/appdelivery/oraapp_imborapp" {
+ capabilities = ["read"]
+}
+
+path "groups/appdelivery/oraapp_imborapp" {
+ capabilities = ["read"]
+}
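Review bot: The two `path "groups/appdelivery/oraapp_imborapp"` stanzas in the new template are identical, so the second grants nothing the first does not. If it was copied with the intent of covering a different path (a sibling secret, or a metadata/list path next to it), that path is still not granted and holders of this policy would presumably be denied there; otherwise drop the duplicate so the policy states exactly one grant. The exact, glob-free path with only `["read"]` is a good least-privilege shape and worth keeping when this is fixed. Since this is a system-root policy exposing a shared application credential, the `# Scope:` comment could also say which group or role is expected to be bound to it.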