diff --git a/include/upgrader/streams/core.sig b/include/upgrader/streams/core.sig
index 776ffc839a61c0b88c0387008deb5ea18c453bce..ffd1538e853ca6f5780cc554c6aaf40d9b013416 100644
--- a/include/upgrader/streams/core.sig
+++ b/include/upgrader/streams/core.sig
@@ -1 +1 @@
-1ee831c854fe9f35115a3e672916bb91
+c7c828356c88b462ba2e3e1437dca0df
diff --git a/include/upgrader/streams/core/1ee831c8-c7c82835.cleanup.sql b/include/upgrader/streams/core/1ee831c8-c7c82835.cleanup.sql
new file mode 100644
index 0000000000000000000000000000000000000000..0355df4757646be61acf5e727ed2761f233c38a1
--- /dev/null
+++ b/include/upgrader/streams/core/1ee831c8-c7c82835.cleanup.sql
@@ -0,0 +1,17 @@
+-- drop old permissions from group table
+ALTER TABLE `%TABLE_PREFIX%group`
+    DROP `group_enabled`,
+    DROP `can_create_tickets`,
+    DROP `can_edit_tickets`,
+    DROP `can_post_ticket_reply`,
+    DROP `can_delete_tickets`,
+    DROP `can_close_tickets`,
+    DROP `can_assign_tickets`,
+    DROP `can_transfer_tickets`,
+    DROP `can_ban_emails`,
+    DROP `can_manage_premade`,
+    DROP `can_manage_faq`,
+    DROP `can_view_staff_stats`;
+
+-- drop useless updated column
+ALTER TABLE  `%TABLE_PREFIX%team_member` DROP  `updated`;
diff --git a/include/upgrader/streams/core/1ee831c8-c7c82835.patch.sql b/include/upgrader/streams/core/1ee831c8-c7c82835.patch.sql
new file mode 100644
index 0000000000000000000000000000000000000000..4c886287491690966973a793386ffc19262b6e74
--- /dev/null
+++ b/include/upgrader/streams/core/1ee831c8-c7c82835.patch.sql
@@ -0,0 +1,41 @@
+/**
+ * @signature c7c828356c88b462ba2e3e1437dca0df
+ * @version v1.9.6
+ * @title Add role-based access
+ *
+ * This patch adds support for role based access to group and departments
+ *
+ */
+
+CREATE TABLE `%TABLE_PREFIX%role` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `flags` int(10) unsigned NOT NULL DEFAULT '1',
+  `name` varchar(64) DEFAULT NULL,
+  `notes` text,
+  `created` datetime NOT NULL,
+  `updated` datetime NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `name` (`name`)
+) DEFAULT CHARSET=utf8;
+
+ALTER TABLE  `%TABLE_PREFIX%group_dept_access`
+    ADD  `role_id` INT UNSIGNED NOT NULL DEFAULT  '0';
+
+ALTER TABLE  `%TABLE_PREFIX%groups`
+    ADD  `role_id` INT UNSIGNED NOT NULL DEFAULT  '0' AFTER  `group_id` ,
+    ADD  `flags` INT UNSIGNED NOT NULL DEFAULT  '1' AFTER  `role_id`,
+    CHANGE  `group_name`  `name` VARCHAR(120) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT  '',
+    CHANGE  `group_id`  `id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+    ADD INDEX (`role_id`);
+
+RENAME TABLE  `%TABLE_PREFIX%groups` TO  `%TABLE_PREFIX%group`;
+
+-- department changes
+ALTER TABLE  `%TABLE_PREFIX%department`
+    CHANGE  `dept_id`  `id` INT( 11 ) UNSIGNED NOT NULL AUTO_INCREMENT,
+    CHANGE  `dept_signature`  `signature` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,
+    CHANGE  `dept_name`  `name` VARCHAR( 128 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT  '';
+
+-- Finished with patch
+UPDATE `%TABLE_PREFIX%config`
+    SET `schema_signature`='c7c828356c88b462ba2e3e1437dca0df';
diff --git a/include/upgrader/streams/core/1ee831c8-c7c82835.task.php b/include/upgrader/streams/core/1ee831c8-c7c82835.task.php
new file mode 100644
index 0000000000000000000000000000000000000000..09bf7a6def9a4abc5f762c59d0b0fe8a16e2a3f4
--- /dev/null
+++ b/include/upgrader/streams/core/1ee831c8-c7c82835.task.php
@@ -0,0 +1,43 @@
+<?php
+class GroupRoles extends MigrationTask {
+
+    var $pmap = array(
+            'can_create_tickets'  => 'ticket.create',
+            'can_edit_tickets' => 'ticket.edit',
+            'can_post_ticket_reply' => 'ticket.reply',
+            'can_delete_tickets' => 'ticket.delete',
+            'can_close_tickets' => 'ticket.close',
+            'can_assign_tickets' => 'ticket.assign',
+            'can_transfer_tickets' => 'ticket.transfer',
+            'can_ban_emails' => 'emails.banlist',
+            'can_manage_premade' => 'kb.premade',
+            'can_manage_faq' => 'kb.faq',
+            'can_view_staff_stats' => 'stats.agents');
+
+    function run($max_time) {
+        global $cfg;
+        // Select existing groups and create roles matching the current
+        // settings
+        foreach (Group::objects() as $group) {
+            $ht=array(
+                    'flags=1',
+                    'name' => sprintf('%s %s', $group->getName(),
+                        __('Role')),
+                    'notes' => $group->getName()
+                    );
+            $perms = array();
+            foreach (self::$pmap as  $k => $v) {
+                if ($group->{$k})
+                    $perms[] = $v;
+            }
+
+            $ht['permissions'] = $perms;
+
+            $role = Role::__create($ht);
+            $group->role_id =  $role->getId();
+            $group->save();
+        }
+    }
+}
+
+return 'GroupRoles';