diff --git a/scm-core/src/main/java/sonia/scm/security/Permission.java b/scm-core/src/main/java/sonia/scm/security/Permission.java
new file mode 100644
index 0000000000..ef6b350c09
--- /dev/null
+++ b/scm-core/src/main/java/sonia/scm/security/Permission.java
@@ -0,0 +1,12 @@
+package sonia.scm.security;
+
+import com.github.sdorra.ssp.PermissionObject;
+import com.github.sdorra.ssp.StaticPermissions;
+
+@StaticPermissions(
+ value = "permission",
+ permissions = {},
+ globalPermissions = {"list", "assign"}
+)
+public interface Permission extends PermissionObject {
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java b/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java
index a8a9cc7f8b..26bf704775 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java
@@ -126,7 +126,7 @@ public class DefaultSecuritySystem implements SecuritySystem
 @Override
 public void addPermission(AssignedPermission permission)
 {
- assertIsAdmin();
+ assertHasPermission();
 validatePermission(permission);

 String id = store.put(permission);
@@ -149,7 +149,7 @@ public class DefaultSecuritySystem implements SecuritySystem
 @Override
 public void deletePermission(AssignedPermission permission)
 {
- assertIsAdmin();
+ assertHasPermission();
 boolean deleted = deletePermissions(sap -> Objects.equal(sap.getName(), permission.getName())
 && Objects.equal(sap.isGroupPermission(), permission.isGroupPermission())
 && Objects.equal(sap.getPermission(), permission.getPermission()));
@@ -203,7 +203,7 @@ public class DefaultSecuritySystem implements SecuritySystem
 @Override
 public Collection getAvailablePermissions()
 {
- assertIsAdmin();
+ assertHasPermission();
 return availablePermissions;
 }

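Review bot: The new `Permission` interface in the first hunk carries no Javadoc, so nothing states that it appears to exist only to drive `@StaticPermissions` generation, nor which operations `list` and `assign` are each meant to authorize. A type-level comment such as `/** Marker type for the generated PermissionPermissions class; "assign" guards granting and revoking permissions. */`, extended with the intended meaning of `list`, would make the split explicit. Within this diff only `assign` is ever checked, so `list` is declared but not enforced anywhere visible here.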
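Review bot: In the `addPermission` hunk, any subject holding the `assign` permission can now store an arbitrary `AssignedPermission`, and nothing visible limits which permission is granted or to whom. Unless `validatePermission` (defined outside the hunk) restricts the grant, a holder of `assign` could grant a wildcard, or `assign` itself, to any user or group, which would make this permission equivalent to the admin role it replaces. Either reject grants that exceed what the caller already holds, or state the equivalence next to the check, for example `// NOTE: "assign" can grant any permission, including itself; treat it as admin-equivalent`. The same applies to the `deletePermission` hunk, where a holder can revoke any assignment. A test with a non-admin subject that holds only `assign` would pin the intended limit.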
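Review bot: `getAvailablePermissions` is a read-only listing, yet in this hunk it requires `assign`, while the `list` global permission declared in the new `Permission.java` is not checked in any hunk of this diff. If `list` is meant for this call, the guard would presumably be `PermissionPermissions.list().check();`, assuming the generator emits one accessor per global permission as it does for `assign()`. Otherwise `list` is unused configuration and should either be removed or have its purpose documented.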
@@ -238,9 +238,9 @@ public class DefaultSecuritySystem implements SecuritySystem
 * Method description
 *
 */
- private void assertIsAdmin()
+ private void assertHasPermission()
 {
- SecurityUtils.getSubject().checkRole(Role.ADMIN);
+ PermissionPermissions.assign().check();
 }

 /**
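Review bot: The renamed helper `assertHasPermission` does not say which permission it checks, and the Javadoc above it is still the `Method description` placeholder (the comment opens outside the hunk). A name such as `assertCanAssignPermissions`, or a comment like `/** Fails unless the current subject holds the "assign" permission. */`, would make the three call sites readable without opening the helper. If `SecurityUtils` and `Role` have no other users in this file, their imports are now dead; the import block is not part of this diff, so that needs checking in the full file.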