diff --git a/config-dist.php b/config-dist.php index b8bc56c1..3f914c31 100644 --- a/config-dist.php +++ b/config-dist.php @@ -172,3 +172,7 @@ Setting('FEATURE_FLAG_CHORES_ASSIGNMENTS', true); # Feature settings Setting('FEATURE_SETTING_STOCK_COUNT_OPENED_PRODUCTS_AGAINST_MINIMUM_STOCK_AMOUNT', true); // When set to true opened items will be counted as missing from stock when calculating if a product is below its minimum. Setting('FEATURE_FLAG_AUTO_TORCH_ON_WITH_CAMERA', true); // Enables the torch automaticaly in every camera barcode scanner. + + + +Setting('USER_CLASS', '\Grocy\Controllers\Users\DefaultUser'); \ No newline at end of file diff --git a/controllers/Users/AllowedUser.php b/controllers/Users/AllowedUser.php new file mode 100644 index 00000000..88e76ca3 --- /dev/null +++ b/controllers/Users/AllowedUser.php @@ -0,0 +1,14 @@ +db = DatabaseService::getInstance()->GetDbConnection(); + + } + + protected function getPermissions(): Result + { + return $this->db->permission_check()->where('user_id', GROCY_USER_ID); + } + + public function hasPermission(string $permission): bool + { + return $this->getPermissions()->where('permission_name', $permission)->fetch() != null; + } +} \ No newline at end of file diff --git a/controllers/Users/LockedUser.php b/controllers/Users/LockedUser.php new file mode 100644 index 00000000..f325d24c --- /dev/null +++ b/controllers/Users/LockedUser.php @@ -0,0 +1,14 @@ +hasPermission($permission)) { + throw new PermissionMissingException($request, $permission); + } + } + } + + +} + diff --git a/migrations/0111.sql b/migrations/0111.sql new file mode 100644 index 00000000..e3a08b47 --- /dev/null +++ b/migrations/0111.sql 
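Review bot: The new `USER_CLASS` line in config-dist.php is the only setting in this hunk without an explanatory comment, and it appears to select the class that answers permission checks (the commit also adds AllowedUser.php and LockedUser.php under controllers/Users, and a `hasPermission` method is visible in one of the new classes). An operator who changes or mistypes this value could switch authorization off or lock everyone out without realising it. I would add a trailing comment such as `// Class that decides user permissions; keep DefaultUser unless you deliberately want to replace permission enforcement`. The code that reads this setting is not shown here; it should reject a value that is not one of the expected user classes rather than instantiate whatever the string names.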
@@ -0,0 +1,61 @@
+CREATE TABLE user_permissions
+(
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT UNIQUE,
+ permission_id INTEGER NOT NULL,
+ user_id INTEGER NOT NULL,
+ UNIQUE (user_id, permission_id)
+);
+
+CREATE TABLE permission_hierarchy
+(
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT UNIQUE,
+ name TEXT NOT NULL UNIQUE,
+ /* if the user has the parent permission,
+ the user also has the child permission */
+ parent INTEGER NULL
+);
+
+INSERT INTO permission_hierarchy(name, parent)
+VALUES ('ADMIN', NULL);
+INSERT INTO user_permissions(permission_id, user_id)
+VALUES (last_insert_rowid(), (SELECT MIN(id) FROM users)); -- The first user (normally "admin") starts as ADMIN
+
+
+DROP VIEW IF EXISTS permission_tree;
+CREATE VIEW permission_tree
+AS
+WITH RECURSIVE perm AS (SELECT id AS root, id AS child, name, parent
+ FROM permission_hierarchy
+ UNION
+ SELECT perm.root, ph.id, ph.name, ph.id
+ FROM permission_hierarchy ph,
+ perm
+ WHERE ph.parent = perm.child
+)
+SELECT root AS id, name AS name
+FROM perm;
+
+DROP VIEW IF EXISTS permission_check;
+CREATE VIEW permission_check
+AS
+SELECT u.id AS id, -- dummy for LessQL
+ u.id AS user_id,
+ pt.name AS permission_name
+FROM permission_tree pt,
+ users u
+WHERE pt.id IN (SELECT permission_id FROM user_permissions sub_up WHERE sub_up.user_id = u.id);
+
+
+DROP VIEW IF EXISTS uihelper_permission;
+CREATE VIEW uihelper_permission
+AS
+SELECT ph.id AS id,
+ u.id AS user_id,
+ ph.name AS permission_name,
+ ph.id AS permission_id,
+ (ph.name IN
+ (SELECT pc.permission_name FROM permission_check pc WHERE pc.user_id = u.id)
+ ) AS has_permission,
+ ph.parent AS parent
+FROM users u,
+ permission_hierarchy ph;
\ No newline at end of file
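Review bot: The bootstrap grant `VALUES (last_insert_rowid(), (SELECT MIN(id) FROM users))` yields NULL for `user_id` when `users` is empty, which violates the `NOT NULL` constraint declared on `user_permissions.user_id` earlier in the same hunk and would abort the migration on a database that has no user yet. Selecting the row instead inserts nothing in that case: `INSERT INTO user_permissions(permission_id, user_id) SELECT last_insert_rowid(), id FROM users ORDER BY id LIMIT 1;`. Whatever code creates the first account would then have to grant ADMIN itself, otherwise such an installation ends up with no administrator; that code is not part of this hunk. Separately, `user_permissions` has no foreign keys to `users` or `permission_hierarchy`, so grants can outlive a deleted user, and if user ids can be reused a new account would inherit them.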