diff --git a/deployment/default-policies/entitlements.rego b/deployment/default-policies/entitlements.rego
index bd01636b84872da83053787f01082b13e7c073ef..ace327f92ad8e1c330cbbb3ecc45dce8fe6696c5 100644
--- a/deployment/default-policies/entitlements.rego
+++ b/deployment/default-policies/entitlements.rego
@@ -6,6 +6,7 @@ headers = {
     "Content-Type": "application/json",
     "data-partition-id":input.datapartitionid,
     "Authorization": sprintf("Bearer %v", [input.token]),
+    "x-user-id": input.xuserid,
     "Accept": "application/json"
 }
 
diff --git a/deployment/default-policies/legal.rego b/deployment/default-policies/legal.rego
index 44344feeb74874cebefddd323c555192cb4a55df..21f68e957d176c832ef794bd49d95c71d7f210bd 100644
--- a/deployment/default-policies/legal.rego
+++ b/deployment/default-policies/legal.rego
@@ -6,6 +6,7 @@ headers = {
     "Content-Type": "application/json",
     "data-partition-id":input.datapartitionid,
     "Authorization": sprintf("Bearer %v", [input.token]),
+    "x-user-id": input.xuserid,
     "Accept": "application/json"
 }
 
diff --git a/docs/docs/auth.md b/docs/docs/auth.md
index d9ca902f2b108c0452bda6f292457c8eb2b18790..58218762d130e914eefc57a08c4f7447350885f2 100644
--- a/docs/docs/auth.md
+++ b/docs/docs/auth.md
@@ -6,6 +6,8 @@ OSDU data platform has two additional service that are used together with policy
 
 [Legal](https://community.opengroup.org/osdu/platform/security-and-compliance/legal/-/blob/master/docs/tutorial/ComplianceService.md) service that provides additional attributes that can be used to conform to legal and organizational regulations.
 
+The data authorization policies define the requests to OSDU services and assertions required by OPA to evaluate user authorization. Entitlements service requires the `x-user-id` header and `data-partition-id` header for all calls to evaluate that a user belongs to a service group within a partition to be authorized to access a record or make a request, which is why these headers must be included in the policies api calls to OSDU services.
+
 Policy Service APIs are consistent with other OSDU APIs in a way that they require Bearer token as authorization header and data partition as `data-partition-id` header for all the calls. Similarly, user making the call needs to be in a necessary service group to be authorized to make the call.
 
 For policy service, the relevant service groups are `service.policy.user` and `service.policy.admin` (configurable in 
diff --git a/docs/docs/releasenotes.md b/docs/docs/releasenotes.md
index b6e8245f276c103fa797a0aac7cb97b08104f817..079d5f9cc6832f23ccec6424bc4a7eb0f239c73d 100644
--- a/docs/docs/releasenotes.md
+++ b/docs/docs/releasenotes.md
@@ -18,6 +18,7 @@ Policy Service v0.26.0 2024/04
 - Upgraded FastAPI to 0.109.2 for security fixes [CVE-2024-24762](https://nvd.nist.gov/vuln/detail/CVE-2024-24762)
 - Upgraded usage of SHA1 to SHA256. This includes detection of changes to policies, response headers and response json if SHA-1 was previously included. [124](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/124) and [125](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/125). This SHA-256 will also show up in pod audit logs and external audit logs when relevant.
 - Updated OPA recommended versions for [CVE-2024-24783](https://nvd.nist.gov/vuln/detail/CVE-2024-24783), [CVE-2023-6246](https://nvd.nist.gov/vuln/detail/CVE-2023-6246), and [CVE-2023-6779](https://nvd.nist.gov/vuln/detail/CVE-2023-6779).
+- Added x-user-id header to default data authorization rego policies to fix issue where OPA's requests to entitlements and legal service were not authorized. Issue [129](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/129).
 
 ### M23 Features
 - Separate Audit Log [113](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/issues/113). See [logging](logging.md) for more details.