diff --git a/deploy/polkit/50-decnet-workers.rules b/deploy/polkit/50-decnet-workers.rules
new file mode 100644
index 00000000..f9f2afaf
--- /dev/null
+++ b/deploy/polkit/50-decnet-workers.rules
@@ -0,0 +1,19 @@
+// Allow members of the 'decnet' group to manage DECNET systemd units
+// (start / stop / restart / reload) without a password prompt.
+//
+// Scope is locked to units matching `decnet-.service` or the
+// `decnet.target` grouping unit. Any other unit is unaffected by this
+// rule and still goes through the default polkit policy.
+//
+// Install: /etc/polkit-1/rules.d/50-decnet-workers.rules
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.freedesktop.systemd1.manage-units") {
+ var unit = action.lookup("unit");
+ if (unit &&
+ /^decnet-[a-z]+\.service$|^decnet\.target$/.test(unit) &&
+ subject.isInGroup("decnet")) {
+ return polkit.Result.YES;
+ }
+ }
+});
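Review bot: The condition inside the `polkit.addRule` callback checks the unit name and the group but never the `verb` detail, so members of `decnet` are granted every operation systemd authorizes under `org.freedesktop.systemd1.manage-units` on a matching unit, which is broader than the start / stop / restart / reload the header comment promises. Reading `var verb = action.lookup("verb");` next to `unit` and adding `["start", "stop", "restart", "reload"].indexOf(verb) !== -1 &&` to the inner `if` would make the rule match its documentation. The header's `decnet-.service` also looks like it lost a placeholder; stating that the name part is lowercase letters only, as the regex `[a-z]+` requires, would keep comment and code in step. `polkit.Result.YES` is returned without looking at `subject.active` or `subject.local`, so remote sessions qualify as well; if that is intended for worker hosts, a one-line comment saying so would help the next reviewer.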