diff --git a/ckan/migration/versions/060_add_organisation_auth.py b/ckan/migration/versions/060_add_organisation_auth.py
new file mode 100644
index 00000000000..f3d67646d19
--- /dev/null
+++ b/ckan/migration/versions/060_add_organisation_auth.py
@@ -0,0 +1,33 @@
+from sqlalchemy import *
+from migrate import *
+
+def upgrade(migrate_engine):
+    metadata = MetaData()
+    metadata.bind = migrate_engine
+    migrate_engine.execute('''
+BEGIN;
+
+CREATE TABLE organisationrole (
+	id text NOT NULL,
+	name text
+);
+
+CREATE TABLE permission (
+	id text NOT NULL,
+	name text,
+	description text,
+	organisationrole_id text NOT NULL
+);
+
+ALTER TABLE organisationrole
+	ADD CONSTRAINT organisationrole_pkey PRIMARY KEY (id);
+
+ALTER TABLE permission
+	ADD CONSTRAINT permission_pkey PRIMARY KEY (id);
+
+ALTER TABLE permission
+	ADD CONSTRAINT permission_organisationrole_id_fkey FOREIGN KEY (organisationrole_id) REFERENCES organisationrole(id);
+
+COMMIT;
+    '''
+    )
diff --git a/ckan/model/__init__.py b/ckan/model/__init__.py
index 8faf0c5b169..a881ba460ee 100644
--- a/ckan/model/__init__.py
+++ b/ckan/model/__init__.py
@@ -89,6 +89,10 @@
     group_extra_table,
     GroupExtraRevision,
 )
+from organization_auth import (
+    OrganisationRole,
+    Permission
+)
 from package_extra import (
     PackageExtra,
     PackageExtraRevision,
diff --git a/ckan/model/organization_auth.py b/ckan/model/organization_auth.py
new file mode 100644
index 00000000000..e89a967c597
--- /dev/null
+++ b/ckan/model/organization_auth.py
@@ -0,0 +1,56 @@
+import datetime
+
+import sqlalchemy as sa
+from sqlalchemy import orm
+from sqlalchemy import types, Column, Table, ForeignKey, and_, func
+
+import meta
+import domain_object
+import types as _types
+import package as _package
+
+__all__ = ['OrganisationRole', 'Permission', 'permission_table',
+           'organisationrole_table']
+
+organisationrole_table = sa.Table(
+    'organisationrole', meta.metadata,
+    Column('id', types.UnicodeText, primary_key=True,
+           default=_types.make_uuid),
+    Column('name', types.UnicodeText),
+)
+
+permission_table = Table(
+    'permission', meta.metadata,
+    Column('id', types.UnicodeText, primary_key=True,
+           default=_types.make_uuid),
+    Column('name', types.UnicodeText),
+    Column('description', types.UnicodeText),
+    Column('organisationrole_id', types.UnicodeText,
+           ForeignKey('organisationrole.id'), nullable=False),
+)
+
+
+class OrganisationRole(domain_object.DomainObject):
+
+    @classmethod
+    def get(cls, name):
+        return meta.Session.query(OrganisationRole).filter(
+            OrganisationRole.name == name).first()
+
+
+class Permission(domain_object.DomainObject):
+
+    @classmethod
+    def get(cls, name):
+        return meta.Session.query(Permission).filter(
+            Permission.name == name).first()
+
+
+meta.mapper(Permission, permission_table, properties={
+    'role': orm.relation(OrganisationRole)
+})
+
+meta.mapper(OrganisationRole, organisationrole_table,
+            properties={'permissions':
+                        orm.relation(Permission,
+                                     backref=orm.backref('permission'))})