diff --git a/backend/src/database/schemas/rbac.ts b/backend/src/database/schemas/rbac.ts
new file mode 100644
index 0000000..56069bc
--- /dev/null
+++ b/backend/src/database/schemas/rbac.ts
@@ -0,0 +1,36 @@
+import { pgTable, varchar, timestamp, uuid, primaryKey, index } from 'drizzle-orm/pg-core';
+import { users } from './users';
+
+export const roles = pgTable('roles', {
+ id: uuid('id').primaryKey().defaultRandom(),
+ name: varchar('name', { length: 64 }).notNull().unique(),
+ slug: varchar('slug', { length: 64 }).notNull().unique(),
+ description: varchar('description', { length: 128 }),
+ createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+}, (table) => ({
+ slugIdx: index('roles_slug_idx').on(table.slug),
+}));
+
+export const permissions = pgTable('permissions', {
+ id: uuid('id').primaryKey().defaultRandom(),
+ name: varchar('name', { length: 64 }).notNull().unique(),
+ slug: varchar('slug', { length: 64 }).notNull().unique(),
+ description: varchar('description', { length: 128 }),
+ createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+}, (table) => ({
+ slugIdx: index('permissions_slug_idx').on(table.slug),
+}));
+
+export const rolesToPermissions = pgTable('roles_to_permissions', {
+ roleId: uuid('role_id').notNull().references(() => roles.id, { onDelete: 'cascade' }),
+ permissionId: uuid('permission_id').notNull().references(() => permissions.id, { onDelete: 'cascade' }),
+}, (t) => ({
+ pk: primaryKey({ columns: [t.roleId, t.permissionId] }),
+}));
+
+export const usersToRoles = pgTable('users_to_roles', {
+ userId: uuid('user_id').notNull().references(() => users.uuid, { onDelete: 'cascade' }),
+ roleId: uuid('role_id').notNull().references(() => roles.id, { onDelete: 'cascade' }),
+}, (t) => ({
+ pk: primaryKey({ columns: [t.userId, t.roleId] }),
+}));
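Review bot: `usersToRoles` and `rolesToPermissions` store only the pair of ids, so a role grant or a permission change cannot be attributed or dated from the database, which matters when investigating a privilege escalation. Unless grants are logged elsewhere (not visible in this diff), consider adding `createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),` and `grantedBy: uuid('granted_by').references(() => users.uuid, { onDelete: 'set null' }),` to both join tables. Separately, `roles_slug_idx` and `permissions_slug_idx` look redundant, because `.unique()` on `slug` already makes PostgreSQL create an index on that column.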