diff --git a/packages/backend/src/services/database/SqliteDatabaseAccessService.js b/packages/backend/src/services/database/SqliteDatabaseAccessService.js
index a7bd9c0c..3485f421 100644
--- a/packages/backend/src/services/database/SqliteDatabaseAccessService.js
+++ b/packages/backend/src/services/database/SqliteDatabaseAccessService.js
@@ -42,7 +42,7 @@ class SqliteDatabaseAccessService extends BaseDatabaseAccessService {
 this.db = new Database(this.config.path);
 // Database upgrade logic
- const TARGET_VERSION = 13;
+ const TARGET_VERSION = 14;
 if ( do_setup ) {
 this.log.noticeme(`SETUP: creating database at ${this.config.path}`);
@@ -62,6 +62,7 @@ class SqliteDatabaseAccessService extends BaseDatabaseAccessService {
 '0013_protected-apps.sql',
 '0014_share.sql',
 '0015_group.sql',
+ '0016_group-permissions.sql',
 ].map(p => path_.join(__dirname, 'sqlite_setup', p));
 const fs = require('fs');
 for ( const filename of sql_files ) {
@@ -130,6 +131,10 @@ class SqliteDatabaseAccessService extends BaseDatabaseAccessService {
 upgrade_files.push('0015_group.sql');
 }
+ if ( user_version <= 13 ) {
+ upgrade_files.push('0016_group-permissions.sql');
+ }
+
 if ( upgrade_files.length > 0 ) {
 this.log.noticeme(`Database out of date: ${this.config.path}`);
 this.log.noticeme(`UPGRADING DATABASE: ${user_version} -> ${TARGET_VERSION}`);
diff --git a/packages/backend/src/services/database/sqlite_setup/0016_group-permissions.sql b/packages/backend/src/services/database/sqlite_setup/0016_group-permissions.sql
new file mode 100644
index 00000000..9f897442
--- /dev/null
+++ b/packages/backend/src/services/database/sqlite_setup/0016_group-permissions.sql
@@ -0,0 +1,31 @@
+CREATE TABLE `user_to_group_permissions` (
+ "user_id" INTEGER NOT NULL,
+ "group_id" INTEGER NOT NULL,
+ "permission" TEXT NOT NULL,
+ "extra" JSON DEFAULT NULL,
+
+ FOREIGN KEY("user_id") REFERENCES "user" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
+ FOREIGN KEY("group_id") REFERENCES "group" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
+ PRIMARY KEY ("user_id", "group_id", "permission")
+);
+
+CREATE TABLE "audit_user_to_group_permissions" (
+ "id" INTEGER PRIMARY KEY AUTOINCREMENT,
+
+ "user_id" INTEGER NOT NULL,
+ "user_id_keep" INTEGER DEFAULT NULL,
+
+ "group_id" INTEGER NOT NULL,
+ "group_id_keep" INTEGER DEFAULT NULL,
+
+ "permission" TEXT NOT NULL,
+ "extra" JSON DEFAULT NULL,
+
+ "action" TEXT DEFAULT NULL,
+ "reason" TEXT DEFAULT NULL,
+
+ "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+ FOREIGN KEY("user_id") REFERENCES "user" ("id") ON DELETE SET NULL ON UPDATE CASCADE,
+ FOREIGN KEY("group_id") REFERENCES "group" ("id") ON DELETE SET NULL ON UPDATE CASCADE
+);
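Review bot: In `audit_user_to_group_permissions`, `user_id` and `group_id` are declared `NOT NULL` while their foreign keys use `ON DELETE SET NULL`, so the two clauses contradict each other. With foreign-key enforcement on, deleting a user or group that has audit rows would fail on the NOT NULL constraint; with it off, the audit rows simply keep dangling ids (which mode applies is not visible in this diff). The `*_keep` columns suggest the live reference is meant to be nulled while the original id is preserved, so I would make the references nullable, `"user_id" INTEGER DEFAULT NULL,` and `"group_id" INTEGER DEFAULT NULL,`. It is also worth considering `NOT NULL` on `user_id_keep` and `group_id_keep`, so that an audit record cannot lose its subject once the referenced row is gone.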