diff --git a/app/models/manageiq/providers/openstack/cloud_manager/vm.rb b/app/models/manageiq/providers/openstack/cloud_manager/vm.rb
index 540280061..e33b0ddcc 100644
--- a/app/models/manageiq/providers/openstack/cloud_manager/vm.rb
+++ b/app/models/manageiq/providers/openstack/cloud_manager/vm.rb
@@ -3,6 +3,7 @@ class ManageIQ::Providers::Openstack::CloudManager::Vm < ManageIQ::Providers::Cl
   include_concern 'RemoteConsole'
   include_concern 'Resize'
   include_concern 'AssociateIp'
+  include_concern 'ManageSecurityGroups'
 
   supports :smartstate_analysis do
     feature_supported, reason = check_feature_support('smartstate_analysis')
diff --git a/app/models/manageiq/providers/openstack/cloud_manager/vm/manage_security_groups.rb b/app/models/manageiq/providers/openstack/cloud_manager/vm/manage_security_groups.rb
new file mode 100644
index 000000000..f262289cc
--- /dev/null
+++ b/app/models/manageiq/providers/openstack/cloud_manager/vm/manage_security_groups.rb
@@ -0,0 +1,46 @@
+module ManageIQ::Providers::Openstack::CloudManager::Vm::ManageSecurityGroups
+  extend ActiveSupport::Concern
+
+  included do
+    supports :add_security_group do
+      if cloud_tenant.nil? || cloud_tenant.security_groups.empty?
+        unsupported_reason_add(:add_security_group,
+                               _("There are no %{security_groups} available to this %{instance}.") % {
+                                 :security_groups => ui_lookup(:tables => "security_group"),
+                                 :instance        => ui_lookup(:table => "vm_cloud")
+                               })
+      end
+    end
+    supports :remove_security_group do
+      if floating_ips.empty?
+        unsupported_reason_add(:remove_security_group,
+                               _("This %{instance} does not have any associated %{security_groups}") % {
+                                 :instance        => ui_lookup(:table => 'vm_cloud'),
+                                 :security_groups => ui_lookup(:tables => 'security_group')
+                               })
+      end
+    end
+  end
+
+  def raw_add_security_group(security_group)
+    ext_management_system.with_provider_connection(compute_connection_options) do |connection|
+      connection.add_security_group(ems_ref, security_group)
+    end
+  rescue => err
+    _log.error "vm=[#{name}], security_group=[#{security_group}], error: #{err}"
+    raise MiqException::MiqOpenstackApiRequestError, err.to_s, err.backtrace
+  end
+
+  def raw_remove_security_group(security_group)
+    ext_management_system.with_provider_connection(compute_connection_options) do |connection|
+      connection.remove_security_group(ems_ref, security_group)
+    end
+  rescue => err
+    _log.error "vm=[#{name}], security_group=[#{security_group}], error: #{err}"
+    raise MiqException::MiqOpenstackApiRequestError, err.to_s, err.backtrace
+  end
+
+  def compute_connection_options
+    {:service => 'Compute', :tenant_name => cloud_tenant.name}
+  end
+end