diff --git a/tailbone/auth.py b/tailbone/auth.py
index 66deeff0..0a5bd903 100644
--- a/tailbone/auth.py
+++ b/tailbone/auth.py
@@ -209,6 +209,10 @@ class TailboneSecurityPolicy:
         return self.session_helper.forget(request, **kw)
 
     def permits(self, request, context, permission):
+        # nb. root user can do anything
+        if request.is_root:
+            return True
+
         config = request.registry.settings.get('rattail_config')
         app = config.get_app()
         auth = app.get_auth_handler()