diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 266358f5d..23645c41e 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -67,7 +67,8 @@ function configure_congress {
 # database_connection_url_postgresql returns URL with wrong prefix,
 # so we do a substitution here
 local db_connection_mysql=`database_connection_url_postgresql $CONGRESS_JSON_DB_NAME`
- iniset $CONGRESS_CONF json_ingester db_connection ${db_connection_mysql/?*:\/\//postgresql:\/\/}
+ CONGRESS_JSON_DB_CONNECTION_URL=${db_connection_mysql/?*:\/\//postgresql:\/\/}
+ iniset $CONGRESS_CONF json_ingester db_connection $CONGRESS_JSON_DB_CONNECTION_URL
 iniset $CONGRESS_CONF json_ingester config_path "$CONGRESS_JSON_CONF_DIR"
 iniset $CONGRESS_CONF json_ingester config_reusables_path "$CONGRESS_JSON_CONF_REUSABLES_PATH"
@@ -297,6 +298,11 @@ function init_congress {
 configure_database_postgresql
 fi
 recreate_database_postgresql $CONGRESS_JSON_DB_NAME utf8
+ psql --set=ingester_role="$CONGRESS_JSON_INGESTER_ROLE" \
+ --set=user_role="$CONGRESS_JSON_USER_ROLE" \
+ --set=db_name="$CONGRESS_JSON_DB_NAME" \
+ $CONGRESS_JSON_DB_CONNECTION_URL \
+ -f $CONGRESS_DIR/scripts/jgress/setup_permissions.sql
 fi
 # Run Congress db migrations
 congress-db-manage --config-file $CONGRESS_CONF upgrade head
diff --git a/devstack/settings b/devstack/settings
index 6627bd658..1ad64ecfa 100644
--- a/devstack/settings
+++ b/devstack/settings
@@ -55,6 +55,8 @@ ENABLE_CONGRESS_JSON=$(trueorfalse False ENABLE_CONGRESS_JSON)
 CONGRESS_JSON_DB_NAME=${CONGRESS_JSON_DB_NAME:-congress_json}
 CONGRESS_JSON_CONF_DIR=$CONGRESS_CONF_DIR/json_ingesters
 CONGRESS_JSON_CONF_REUSABLES_PATH=$CONGRESS_CONF_DIR/config_reusables.yaml
+CONGRESS_JSON_USER_ROLE=${CONGRESS_JSON_USER_ROLE:-jgress_user}
+CONGRESS_JSON_INGESTER_ROLE=${CONGRESS_JSON_INGESTER_ROLE:-root}
 TEMPEST_DIR=$DEST/tempest
diff --git a/scripts/jgress/setup_permissions.sql b/scripts/jgress/setup_permissions.sql
new file mode 100644
index 000000000..a67d8ac68
--- /dev/null
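Review bot: `CONGRESS_JSON_DB_CONNECTION_URL` is assigned inside configure_congress without `local`, so it becomes a global that init_congress reads later, and nothing at the assignment says so; a comment such as `# global: read by init_congress, which passes it to psql` would make the ordering dependency visible. The value is then handed to iniset unquoted on the next line; `iniset $CONGRESS_CONF json_ingester db_connection "$CONGRESS_JSON_DB_CONNECTION_URL"` avoids word-splitting and globbing on a URL that may contain `?` or `&`. Since this URL presumably embeds the database credentials (it is derived from database_connection_url_postgresql), the comment should also say that it now persists in the shell environment for the rest of the run. configure_congress begins and ends outside the hunk.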
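Review bot: The new psql call in init_congress runs setup_permissions.sql without `-v ON_ERROR_STOP=1`, so psql exits 0 even when a statement in the script fails (for example `CREATE ROLE` on a re-stack where the cluster-level role already exists), and the missing grants go unnoticed; `psql -v ON_ERROR_STOP=1 --set=ingester_role="$CONGRESS_JSON_INGESTER_ROLE" \` as the first line fixes that. The connection URL and the script path are also passed unquoted; `"$CONGRESS_JSON_DB_CONNECTION_URL" \` and `-f "$CONGRESS_DIR/scripts/jgress/setup_permissions.sql"` are the safe forms. Because the URL goes on psql's argv, any password it carries is visible in process listings and in devstack's xtrace output; if that is a concern, a pgpass file or the PGPASSWORD environment variable keeps it out of the command line. init_congress starts before the hunk and continues after it.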
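Review bot: The default `CONGRESS_JSON_INGESTER_ROLE=root` is a silent coupling: the ALTER DEFAULT PRIVILEGES statements in setup_permissions.sql only apply to objects created by exactly that role, so if the json ingester connects as any other user the policy-user role ends up with no SELECT on anything and nothing reports it. At minimum document it next to the assignment, e.g. `# must match the role the json ingester connects as (the user in its db_connection URL);` and `# setup_permissions.sql keys its default privileges on this role`. In devstack that user is presumably DATABASE_USER, so `${CONGRESS_JSON_INGESTER_ROLE:-$DATABASE_USER}` would track it instead of hard-coding root; confirm against lib/database before changing it.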
+++ b/scripts/jgress/setup_permissions.sql
@@ -0,0 +1,13 @@
+--Sets up jgress user role and privileges
+-- Usage:
+-- $ psql --set=ingester_role= --set=user_role= --set=db_name= -f setup_permissions.sql
+--
+-- Variables:
+-- ingester_role - name of the role used by jgress ingester
+-- user_role - name of the role for users writing & evaluating policy over
+-- db_name - name of the postgres database used for jgress ingestion
+
+CREATE ROLE :user_role LOGIN;
+ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT USAGE ON schemas TO :user_role;
+ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT SELECT ON tables TO :user_role;
+GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;
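Review bot: `GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;` gives the policy-user role CREATE and TEMP on the database as well as CONNECT, while the two ALTER DEFAULT PRIVILEGES lines above it grant only USAGE and SELECT, which suggests the role is meant to be read-only; `GRANT CONNECT ON DATABASE :"db_name" TO :"user_role";` is the least-privilege form. The role is created with LOGIN and no password, so whether and how it can authenticate is left entirely to the server's pg_hba configuration, which this script does not touch; the header comment should state that. The psql variables are interpolated bare; the `:"var"` form quotes the value as an identifier, so `CREATE ROLE :"user_role" LOGIN;` and the same form in the two ALTER statements keep role and database names with unusual characters from being mis-parsed. ALTER DEFAULT PRIVILEGES only covers objects :ingester_role creates after this script runs, and CREATE ROLE errors if the role already exists at cluster level even though the database was just recreated; both are worth a comment line so re-runs are understood.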