diff --git a/edbob/db/auth.py b/edbob/db/auth.py
index 7506cea..cf1dec8 100644
--- a/edbob/db/auth.py
+++ b/edbob/db/auth.py
@@ -93,6 +93,18 @@ def guest_role(session):
     return admin
 
 
+def grant_permission(role, permission, session=None):
+    """
+    Grants ``permission`` to ``role``.
+    """
+
+    if not session:
+        session = object_session(role)
+        assert session
+    if permission not in role.permissions:
+        role.permissions.append(permission)
+
+
 def has_permission(obj, perm, session=None):
     """
     Checks the given ``obj`` (which may be either a :class:`edbob.User`` or