diff --git a/scodoc.py b/scodoc.py
index 3a085227..87cc9677 100755
--- a/scodoc.py
+++ b/scodoc.py
@@ -7,8 +7,6 @@
 """
 
 
-from __future__ import print_function
-
 import os
 from pprint import pprint as pp
 import sys
@@ -16,14 +14,15 @@ import sys
 import click
 import flask
 from flask.cli import with_appcontext
+
 from app import create_app, cli, db
 from app import initialize_scodoc_database
 from app import clear_scodoc_cache
+from app import models
 
 from app.auth.models import User, Role, UserRole
-from app import models
 from app.models import ScoPreference
-
+from app.scodoc.sco_permissions import Permission
 from app.views import notes, scolar, absences
 import tools
 
@@ -45,6 +44,7 @@ def make_shell_context():
         "User": User,
         "Role": Role,
         "UserRole": UserRole,
+        "Permission": Permission,
         "notes": notes,
         "scolar": scolar,
         "ndb": ndb,
@@ -142,13 +142,59 @@ def user_password(username, password=None):  # user-password
         return 1
     u = User.query.filter_by(user_name=username).first()
     if not u:
-        sys.stderr.write("user_password: user {} does not exists".format(username))
+        sys.stderr.write(f"user_password: user {username} does not exists\n")
         return 1
 
     u.set_password(password)
     db.session.add(u)
     db.session.commit()
-    click.echo("changed password for user {}".format(u))
+    click.echo(f"changed password for user {u}")
+
+
+@app.cli.command()
+@click.argument("rolename")
+@click.option("-a", "--add", "addpermissionname")
+@click.option("-r", "--remove", "removepermissionname")
+def edit_role(rolename, addpermissionname=None, removepermissionname=None):  # edit-role
+    """Add [-a] and/or remove [-r] a permission to/from a role.
+    In ScoDoc, permissions are not associated to users but to roles.
+    Each user has a set of roles in each departement.
+
+    Example: `flask edit-role -a ScoEditApo Ens`
+    """
+    if addpermissionname:
+        try:
+            perm_to_add = Permission.get_by_name(addpermissionname)
+        except KeyError:
+            sys.stderr.write(
+                f"edit_role: permission {addpermissionname} does not exists\n"
+            )
+            return 1
+    else:
+        perm_to_add = None
+    if removepermissionname:
+        try:
+            perm_to_remove = Permission.get_by_name(removepermissionname)
+        except KeyError:
+            sys.stderr.write(
+                f"edit_role: permission {removepermissionname} does not exists\n"
+            )
+            return 1
+    else:
+        perm_to_remove = None
+    role = Role.query.filter_by(name=rolename).first()
+    if not role:
+        sys.stderr.write(f"edit_role: role {rolename} does not exists\n")
+        return 1
+    if perm_to_add:
+        role.add_permission(perm_to_add)
+        click.echo(f"adding permission {addpermissionname} to role {rolename}")
+    if perm_to_remove:
+        role.remove_permission(perm_to_remove)
+        click.echo(f"removing permission {removepermissionname} from role {rolename}")
+    if perm_to_add or perm_to_remove:
+        db.session.add(role)
+        db.session.commit()
 
 
 @app.cli.command()