diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d6c6a19c2c913291d8faa002de83c16c1d3cc57..1f945d7ec27004f61eff901bee41c721dca01707 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added ###
 
+- `utils/make_db` has new `grant-permission` command.
+
 ### Changed ###
 
 ### Deprecated ###
diff --git a/tests/test_utils.sh b/tests/test_utils.sh
index f75395838b55d6fe72588fb81646657abe169486..34f5e4a5afa63203f7555603a23940ce134aa20a 100755
--- a/tests/test_utils.sh
+++ b/tests/test_utils.sh
@@ -103,5 +103,7 @@ echo -n 'testing logging... '
 $UTILSPATH/log.sh "start"
 $UTILSPATH/log.sh "get" > /dev/null
 $UTILSPATH/log.sh "stop"
+$UTILSPATH/make_db grant-permission anonymous \
+                   '[{"grant":"true","priority":"true","permission":"*"}]'
 echo '[Ok]'
 echo '[Completed]'
diff --git a/utils/make_db b/utils/make_db
index 93a62ea2b9e6776a73b8298cbce1a54aa76e0f68..a9bac2f2ce79f71dca243b318989c9926435597a 100755
--- a/utils/make_db
+++ b/utils/make_db
@@ -3,7 +3,8 @@
 # ** header v3.0
 # This file is a part of the CaosDB Project.
 #
-# Copyright (C) 2019, 2020 Daniel Hornung <d.hornung@indiscale.com>
+# Copyright (C) 2021 Indiscale GmbH <info@indiscale.com>
+# Copyright (C) 2019, 2020, 2021 Daniel Hornung <d.hornung@indiscale.com>
 # Copyright (C) 2020 Timm Fitschen <t.fitschen@indiscale.com>
 # Copyright (C) 2020 Henrik tom Wörden <h.tomwoerden@indiscale.com>
 # Copyright (C) 2020 IndiScale <info@indiscale.com>
@@ -23,6 +24,10 @@
 #
 # ** end header
 
+# Although some sanity checks are performed, this script still allows lots of SQL injection
+# possibilities.
+
+
 set -e
 
 INSTALL_SQL_FILE="db_2_0.sql"
@@ -198,12 +203,50 @@ function _db_exists() {
 }
 
 
+# Grant the given permissions to the given role.
+#
+# Arguments
+# ---------
+# role : str
+# The role, may consist of alphanumerical letters plus `.`, `_`, `-`.  The role must exist in the
+# `roles` table.
+#
+# permissions : str
+# The permissions string.  May not contain single quotes, should be similar to:
+# [{"grant":"true","priority":"true","permission":"*"}]
+function grant-permission() {
+    role="$1"
+    permissions="$2"
+    if echo -n "$role" | grep -v -q "^[[:alnum:]._-]*$" ; then
+        echo "Role contains invalid character(s)!"
+        exit 1
+    fi
+    if [[ $permissions == "'" ]]; then
+        echo "Permissions string contains single quote!"
+        exit 1
+    fi
+
+    cmd="SELECT COUNT(1) from roles where name='${role}';"
+    count=$($MYSQL_CMD $(get_mysql_args) -AN -e "$cmd")
+    if [[ $count == "0" ]]; then
+        echo "Role not found!"
+        exit 1
+    fi
+
+    cmd="INSERT INTO permissions (role, permissions) VALUE ('${role}', '${permissions}')"
+    cmd+="ON DUPLICATE KEY UPDATE role='${role}', permissions='${permissions}'"
+    cmd+=";"
+    $MYSQL_CMD $(get_mysql_args) -e "$cmd"
+}
+
+
 case $1 in
     "drop") drop $2 ;;
     "grant") grant $2 ;;
+    "grant-permission") grant-permission $2 $3 ;; # Args: role, permissions
     "test") shift ; runtests $@ ;;
     "test-connection") test-connection ;;
     "install_db") install_db ;;
     "restore_db") restore_db $2 ;;
-    *) echo "Unknown action: $1"
+    *) echo "Unknown action: $1"; exit 32
 esac