diff --git a/.travis.yml b/.travis.yml
index d497009..334d79b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,5 +9,13 @@ matrix:
 env: PUPPET_GEM_VERSION="~> 3.0"
 - rvm: 2.0.0
 env: PUPPET_GEM_VERSION="~> 3.0"
+ - rvm: 1.9.3
+ env: PUPPET_GEM_VERSION="~> 3.7.0"
+ - rvm: 2.0.0
+ env: PUPPET_GEM_VERSION="~> 3.7.0"
+ - rvm: 1.9.3
+ env: PUPPET_GEM_VERSION="~> 3.7.0" TRUSTED_NODE_DATA="yes"
+ - rvm: 2.0.0
+ env: PUPPET_GEM_VERSION="~> 3.7.0" TRUSTED_NODE_DATA="yes"
 notifications:
 email: false
diff --git a/Gemfile b/Gemfile
old mode 100644
new mode 100755
index a260aef..4666a90
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,8 @@ source 'https://rubygems.org'
 group :development, :test do
 gem 'rake'
- gem 'puppetlabs_spec_helper'
+ gem 'puppetlabs_spec_helper', '>= 0.7.0', :require => false
+ gem 'rspec-system-puppet', '~>2.0'
 gem 'puppet-lint'
 end
diff --git a/README.md b/README.md
index da8ec01..ad2ef8f 100644
--- a/README.md
+++ b/README.md
@@ -560,7 +560,8 @@ String: defaults to 'deny'. The default actionpolicy to apply to the agent.
 ### `mcollective::actionpolicy::rule` defined type
 `mcollective::actionpolicy::rule` represents a single actionpolicy policy
-entry.
+entry. See the actionpolicy plugin [Policy File Format](https://github.com/puppetlabs/mcollective-actionpolicy-auth#policy-file-format)
+for specific restrictions on the values of these fields.
 #### Parameters
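Review bot: In the Gemfile section the file mode goes from 100644 to 100755, which looks unintended, since Bundler reads a Gemfile and never executes it; the mode should be restored to 100644. The same hunk adds `gem 'rspec-system-puppet', '~>2.0'` to the development/test group, but no system test appears anywhere in this diff. If nothing uses it yet, leaving it out keeps the set of gems installed on CI smaller.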
@@ -586,9 +587,11 @@ String: defaults to '*'. What callerids should match this rule.
 String: defaults to '*'. What actions should match this rule.
-##### `facts`
+##### `fact_filter`
-String: defaults to '*'. What facts should match this rule.
+String: defaults to '*'. What facts should match this rule. This can be either
+'*', a space-separated list of ``fact=value`` pairs (which match if every listed
+fact matches), or any valid [compound filter string](http://docs.puppetlabs.com/mcollective/reference/basic/basic_cli_usage.html#complex-compound-or-select-queries). This matches the "facts" field of the policy file lines.
 ##### `classes`
diff --git a/manifests/actionpolicy/rule.pp b/manifests/actionpolicy/rule.pp
index 2fb5360..8ed1e84 100644
--- a/manifests/actionpolicy/rule.pp
+++ b/manifests/actionpolicy/rule.pp
@@ -1,12 +1,13 @@
 # Define - mcollective::actionpolicy::rule
 define mcollective::actionpolicy::rule(
 $agent,
- $action = 'allow',
- $callerid = '*',
- $actions = '*',
- $facts = '*',
- $classes = '*'
+ $action = 'allow',
+ $callerid = '*',
+ $actions = '*',
+ $fact_filter = '*',
+ $classes = '*'
 ) {
+ validate_string($fact_filter)
 datacat_fragment { "mcollective::actionpolicy::rule ${title}":
 target => "mcollective::actionpolicy ${agent}",
 data => {
@@ -15,7 +16,7 @@
 'action' => $action,
 'callerid' => $callerid,
 'actions' => $actions,
- 'facts' => $facts,
+ 'facts' => $fact_filter,
 'classes' => $classes,
 },
 ],
diff --git a/spec/defines/mcollective__actionpolicy__rule_spec.rb b/spec/defines/mcollective__actionpolicy__rule_spec.rb
new file mode 100644
index 0000000..bb66508
--- /dev/null
+++ b/spec/defines/mcollective__actionpolicy__rule_spec.rb
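Review bot: In the first hunk of manifests/actionpolicy/rule.pp, `validate_string($fact_filter)` checks only the type, while the value ends up in a policy file whose fields are joined with tabs and whose lines are joined with newlines (templates/actionpolicy.erb in this commit). A tab or line break inside the string would shift fields or start an extra line in an authorization policy, so it is worth rejecting them as well, e.g. `validate_re($fact_filter, '\A[^\t\r\n]+\z')`. `$callerid`, `$actions` and `$classes` are written into the same line with no validation at all. Renaming `$facts` also breaks existing callers that pass `facts =>`, which deserves a changelog entry. The body of the define continues past the end of this hunk.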
@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+describe 'mcollective::actionpolicy::rule', :type => :define do
+ context 'default-puppet' do
+ let(:title) { 'default-puppet' }
+ let(:params) do
+ {
+ :agent => 'puppet',
+ }
+ end
+
+ it {
+ should contain_datacat_fragment('mcollective::actionpolicy::rule default-puppet') \
+ .with_target('mcollective::actionpolicy puppet') \
+ .with_data({
+ 'lines' => [
+ {
+ 'action' => 'allow',
+ 'callerid' => '*',
+ 'actions' => '*',
+ 'facts' => '*',
+ 'classes' => '*',
+ },
+ ],
+ })
+ }
+ end
+
+ context 'facts-specified' do
+ let(:title) { 'default-puppet' }
+ let(:params) do
+ {
+ :agent => 'puppet',
+ :fact_filter => 'environment=dev and !customer=acme',
+ }
+ end
+
+ it {
+ should contain_datacat_fragment('mcollective::actionpolicy::rule default-puppet') \
+ .with_target('mcollective::actionpolicy puppet') \
+ .with_data({
+ 'lines' => [
+ {
+ 'action' => 'allow',
+ 'callerid' => '*',
+ 'actions' => '*',
+ 'facts' => 'environment=dev and !customer=acme',
+ 'classes' => '*',
+ },
+ ],
+ })
+ }
+ end
+end
diff --git a/templates/actionpolicy.erb b/templates/actionpolicy.erb
index 893859d..0950e75 100644
--- a/templates/actionpolicy.erb
+++ b/templates/actionpolicy.erb
@@ -1,7 +1,7 @@
 policy default <%= @data['default'] %>
 <%
 lines = @data['lines'].collect do |line|
- line.values_at(*%w{ action callerid actions facts classes }).join("\t")
+ line.values_at(*%w{ action callerid actions fact_filter classes }).join("\t")
 end
 -%>
 <%= lines.sort.join("\n") %>
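Review bot: The templates/actionpolicy.erb hunk now looks up `fact_filter` in each line hash, but the define in manifests/actionpolicy/rule.pp still stores the value under `'facts'` (`'facts' => $fact_filter`), and the new spec asserts that same `'facts'` key. `values_at` returns nil for a missing key, so the facts column would render empty in every generated policy line and the rule's fact restriction never reaches the authorization policy; how the actionpolicy plugin treats such a line cannot be confirmed from this page. Only the Puppet parameter needed renaming, so the lookup should stay `line.values_at(*%w{ action callerid actions facts classes }).join("\t")`. The spec checks the datacat_fragment data only, so a test that renders the template would be needed to catch this mismatch.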