diff --git a/filter_plugins/fedmsg.py b/filter_plugins/fedmsg.py
new file mode 100644
index 0000000000..c6a02b65f5
--- /dev/null
+++ b/filter_plugins/fedmsg.py
@@ -0,0 +1,25 @@
+import operator
+
+
+def invert_fedmsg_authz_policy(vars):
+    """ Given hostvars that map hosts -> topics, invert that
+    and return a dict that maps topics -> hosts.
+
+    Really, returns a list of tuples -- not a dict.
+    """
+
+    inverted = {}
+    for host in vars:
+        prefix = '.'.join([vars[host]['fedmsg_prefix'],
+                           vars[host]['fedmsg_env']])
+        fqdn = vars[host].get('fedmsg_fqdn', vars[host]['ansible_fqdn'])
+
+        for cert in vars[host].get('fedmsg_certs', []):
+            for topic in cert.get('can_send', []):
+                key = prefix + '.' + topic
+                inverted[key] = inverted.get(key, [])
+                inverted[key].append(cert['service'] + '-' + fqdn)
+
+    result = inverted.items()
+    result.sort(key=operator.itemgetter(0))
+    return result
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 65be941446..43cc1ebe16 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -59,6 +59,10 @@ fedmsg_loglevel: INFO
 # active.
 fedmsg_active: False
 
+# Other defaults for fedmsg environments
+fedmsg_prefix: org.fedoraproject
+fedmsg_env: prod
+
 # By default, nodes don't backup any dbs on them unless they declare it.
 dbs_to_backup: []
diff --git a/inventory/group_vars/anitya-backend b/inventory/group_vars/anitya-backend
index f7d9cb5922..a4309f6853 100644
--- a/inventory/group_vars/anitya-backend
+++ b/inventory/group_vars/anitya-backend
@@ -29,6 +29,8 @@ fedmsg_certs:
   owner: root
   group: fedmsg
+fedmsg_prefix: org.release-monitoring
+fedmsg_env: prod
 
 # For the MOTD
 csi_security_category: Low
diff --git a/inventory/group_vars/anitya-frontend b/inventory/group_vars/anitya-frontend
index c64bda7744..8744aceabe 100644
--- a/inventory/group_vars/anitya-frontend
+++ b/inventory/group_vars/anitya-frontend
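Review bot: `fqdn = vars[host].get('fedmsg_fqdn', vars[host]['ansible_fqdn'])` evaluates the fallback eagerly, so any host in hostvars with no `ansible_fqdn` fact raises KeyError and aborts the whole policy render, even when that host sets `fedmsg_fqdn` explicitly; because the filter walks every inventory host, this is likely whenever some host is outside the current play and no fact cache is in use. Use `fqdn = vars[host].get('fedmsg_fqdn') or vars[host]['ansible_fqdn']` so the override short-circuits, and consider skipping hosts with no `fedmsg_certs` before touching facts at all. The tail also depends on Python 2's `dict.items()` returning a list: `result.sort(...)` fails on a dict view under Python 3, whereas `return sorted(inverted.items(), key=operator.itemgetter(0))` works on both and matches the docstring's "list of tuples". Shadowing the builtin `vars` with the parameter name is cosmetic but worth renaming while the file is new.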
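Review bot: Defaulting `fedmsg_env: prod` at the lowest precedence level makes prod the fallback for every host that is not in the `staging` group, whereas the old base.py.j2 decided stg vs prod from `env == 'staging'`; a host that carries `env: staging` but is not a member of `staging` (if any exist) would now silently be configured as prod, which is the unsafe direction to fail in. A derived default keeps the two in step: `fedmsg_env: "{{ 'stg' if env == 'staging' else 'prod' }}"`, after which the per-group `fedmsg_env` overrides are only needed where the value genuinely differs. At minimum the comment should say where this default is expected to be overridden: `# Overridden per environment in group_vars/staging and per app where the prefix differs (anitya, pagure).`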
@@ -31,6 +31,8 @@ fedmsg_certs:
   owner: root
   group: apache
+fedmsg_prefix: org.release-monitoring
+fedmsg_env: prod
 
 # For the MOTD
 csi_security_category: Low
diff --git a/inventory/group_vars/badges-backend b/inventory/group_vars/badges-backend
index f00415f65e..af1e8f8596 100644
--- a/inventory/group_vars/badges-backend
+++ b/inventory/group_vars/badges-backend
@@ -20,6 +20,9 @@ fedmsg_certs:
 - service: fedbadges
   owner: root
   group: fedmsg
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
 
 # For the MOTD
diff --git a/inventory/group_vars/badges-backend-stg b/inventory/group_vars/badges-backend-stg
index f100c1b380..d336373f17 100644
--- a/inventory/group_vars/badges-backend-stg
+++ b/inventory/group_vars/badges-backend-stg
@@ -20,6 +20,9 @@ fedmsg_certs:
 - service: fedbadges
   owner: root
   group: fedmsg
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
 
 # For the MOTD
diff --git a/inventory/group_vars/badges-web b/inventory/group_vars/badges-web
index 336d376f7a..e289f0af2a 100644
--- a/inventory/group_vars/badges-web
+++ b/inventory/group_vars/badges-web
@@ -25,6 +25,10 @@ fedmsg_certs:
 - service: tahrir
   owner: root
   group: tahrir
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
+  - fedbadges.person.login.first
 
 # For the MOTD
diff --git a/inventory/group_vars/badges-web-stg b/inventory/group_vars/badges-web-stg
index 2bbe4a2e43..e3bc708355 100644
--- a/inventory/group_vars/badges-web-stg
+++ b/inventory/group_vars/badges-web-stg
@@ -25,6 +25,10 @@ fedmsg_certs:
 - service: tahrir
   owner: root
   group: tahrir
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
+  - fedbadges.person.login.first
 
 # For the MOTD
diff --git a/inventory/group_vars/pagure b/inventory/group_vars/pagure
index 0fb393c7a8..4e6fd82fbd 100644
--- a/inventory/group_vars/pagure
+++ b/inventory/group_vars/pagure
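Review bot: In the badges-web hunk the tahrir cert is granted `fedbadges.badge.award` and `fedbadges.person.rank.advance`, the same publish rights as the fedbadges backend, on top of `fedbadges.person.login.first`; the web frontend is the more exposed host, so if tahrir only emits the login topic itself the first two widen what a compromised frontend can sign (I cannot confirm tahrir's publishing paths from this diff). Either trim the list to what the frontend actually publishes or put a one-line comment above `can_send:` naming the tahrir code path that emits each topic, so the next person auditing the allow-list does not have to guess. The badges-web-stg hunk mirrors this list and should be kept in sync with whatever is decided here.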
@@ -20,6 +20,9 @@ fedmsg_certs:
   owner: git
   group: apache
+fedmsg_prefix: io.pagure
+fedmsg_env: prod
+
 fas_client_groups: sysadmin-noc,sysadmin-web
 freezes: false
diff --git a/inventory/group_vars/pagure-stg b/inventory/group_vars/pagure-stg
index 152eea3872..3cdf12203d 100644
--- a/inventory/group_vars/pagure-stg
+++ b/inventory/group_vars/pagure-stg
@@ -20,6 +20,9 @@ fedmsg_certs:
   owner: git
   group: apache
+fedmsg_prefix: io.pagure
+fedmsg_env: stg
+
 fas_client_groups: sysadmin-noc,sysadmin-web
 freezes: false
diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging
index 40f15b872d..cd9c3a2cb2 100644
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@@ -9,3 +9,6 @@ wildcard_cert_name: wildcard-2014.stg.fedoraproject.org
 
 # This only does anything if the host is not RHEL6
 collectd_graphite: True
+
+fedmsg_prefix: org.fedoraproject
+fedmsg_env: stg
diff --git a/roles/anitya/fedmsg/templates/base.py.j2 b/roles/anitya/fedmsg/templates/base.py.j2
index 6aa831b3e0..8a9bcee4c3 100644
--- a/roles/anitya/fedmsg/templates/base.py.j2
+++ b/roles/anitya/fedmsg/templates/base.py.j2
@@ -1,7 +1,6 @@
 config = dict(
-    topic_prefix="org.release-monitoring",
-
-    environment="prod",
+    topic_prefix="{{ fedmsg_prefix }}",
+    environment="{{ fedmsg_env }}",
 
     # This used to be set to 1 for safety, but it turns out it was
     # excessive. It is the number of seconds that fedmsg should sleep
diff --git a/roles/fedmsg/base/templates/base.py.j2 b/roles/fedmsg/base/templates/base.py.j2
index 8a4427a221..c04852b0de 100644
--- a/roles/fedmsg/base/templates/base.py.j2
+++ b/roles/fedmsg/base/templates/base.py.j2
@@ -1,11 +1,7 @@
 config = dict(
     # Set this to dev if you're hacking on fedmsg or an app locally.
     # Set to stg or prod if running in the Fedora Infrastructure.
-    {% if env == 'staging' %}
-    environment="stg",
-    {% else %}
-    environment="prod",
-    {% endif %}
+    environment="{{ fedmsg_env }}",
 
     # Most hosts will be "false" here indicating that if they publish messages,
     # they will passively bind to ports and have other consuming services
diff --git a/roles/fedmsg/base/templates/policy.py.j2 b/roles/fedmsg/base/templates/policy.py.j2
index 3e2212cdee..85c0739cfa 100644
--- a/roles/fedmsg/base/templates/policy.py.j2
+++ b/roles/fedmsg/base/templates/policy.py.j2
@@ -216,6 +216,17 @@ config = dict(
         topic_prefix + "announce.announcement": [
             "announce-lockbox01.phx2.fedoraproject.org",
         ],
+        {% if env == 'staging' %}
+        # ** policy dynamically generated from inventory vars
+        # See ansible/filter_plugins/fedmsg.py for this inversion filter.
+        {% for topic, certs in hostvars | invert_fedmsg_authz_policy %}
+        "{{topic}}": [
+            {% for cert in certs %}
+            "{{ cert }}",{% endfor %}
+        ],
+        {% endfor %}
+        {% endif %}
     },
 )
diff --git a/roles/pagure/fedmsg/templates/base.py.j2 b/roles/pagure/fedmsg/templates/base.py.j2
index 21c9c79dc0..18b9e26afc 100644
--- a/roles/pagure/fedmsg/templates/base.py.j2
+++ b/roles/pagure/fedmsg/templates/base.py.j2
@@ -1,11 +1,11 @@
 config = dict(
-    topic_prefix="io.pagure",
     # Tell every call to `fedmsg.publish` to use the relay
     active=True,
     cert_prefix="pagure",
-    environment="prod",
+    topic_prefix="{{ fedmsg_prefix }}",
+    environment="{{ fedmsg_env }}",
 
     # This used to be set to 1 for safety, but it turns out it was
     # excessive. It is the number of seconds that fedmsg should sleep
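Review bot: `environment="{{ fedmsg_env }}"` replaces a decision that was keyed on `env == 'staging'`, yet policy.py.j2 in this same commit still gates its generated section on `env == 'staging'`, so the two now read different variables and can disagree: a host with `fedmsg_env: stg` whose `env` is not `staging` publishes on stg topics but gets no generated policy, and the reverse combination gets policy entries for topics it never uses. Pick one source of truth, either gate policy.py.j2 on `fedmsg_env == 'stg'` or derive `fedmsg_env` from `env` in group_vars/all, and say so here. The comment above the line still tells the reader to "set" the value by hand; replace it with `# stg or prod; comes from the fedmsg_env inventory variable (group_vars/all, overridden in group_vars/staging).`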
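Review bot: The generated entries are emitted as additional keys of the same Python dict literal that holds the hand-written policy, and in a dict literal the last duplicate key silently wins, so any `can_send` topic that is also listed by hand earlier in this dict replaces the hand-maintained cert list with the inventory-derived one, changing who may publish on that topic with no error at render or load time. Have the template build the generated mapping as a separate dict and merge it into the policy only after asserting the two key sets are disjoint (or have the filter raise when given the hand-written keys), rather than relying on literal ordering. Separately, `hostvars | invert_fedmsg_authz_policy` walks every inventory host regardless of environment, so the staging policy also lists prod topics and prod cert names (`org.fedoraproject.prod.*`, `io.pagure.prod.*`) that a staging bus would not normally carry; passing the rendering host's environment, `hostvars | invert_fedmsg_authz_policy(fedmsg_env)`, and skipping hosts whose `fedmsg_env` differs keeps the allow-list scoped to one environment. The `{% if env == 'staging' %}` guard also means the prod `can_send` lists added in this commit have no effect yet, which is fine for a staged rollout but should be stated in the `# **` comment so nobody assumes prod is already covered.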