diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
index 41aeb2c9..df8d7a4f 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
@@ -110,6 +110,7 @@ public class HsOfficePartnerEntity implements Stringifyable, BaseEntity
 role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 %% granting permissions to roles
 role:rbac.global:ADMIN ==> perm:partner:INSERT
+role:partnerRel:AGENT ==> perm:partner:INSERT
 role:partnerRel:OWNER ==> perm:partner:DELETE
 role:partnerRel:ADMIN ==> perm:partner:UPDATE
 role:partnerRel:TENANT ==> perm:partner:SELECT
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
index 4c8aab39..35501f4b 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
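Review bot: The new edge `role:partnerRel:ADMIN -.-> role:partnerRel.holderPerson:ADMIN` has no counterpart in the SQL hunks of this commit, which only add the DELETE grant to the relation's OWNER and the INSERT grant to its AGENT, so it is unclear whether this diagram line documents a grant defined elsewhere or one that does not exist yet. If it reflects a grant in another changeset, the diagram comment should name that changeset; otherwise the line should be dropped until the grant is in place, since a drawn role inheritance that is not enforced misleads anyone auditing who can administer the holder person. Note also that `role:partnerRel:OWNER ==> perm:partner:DELETE` was already drawn before this change while the corresponding SQL grant only appears in this commit, so diagram and generated SQL appear to have drifted; regenerating the diagram from the same source as the SQL would keep them in step. The comment block holding the diagram starts and ends outside the hunk.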
@@ -42,6 +42,7 @@ begin
 SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
 assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
+ call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
 call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
 call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
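Review bot: The new `DELETE` grant is only issued from this after-insert trigger, so partner rows that already exist in a migrated database never receive the DELETE permission for their relation OWNER, whereas the later hunk of this commit does backfill the INSERT permission for pre-existing `hs_office_relation` rows with a `do` block. Unless this changelog is only ever applied to freshly created databases, a matching backfill over existing `hs_office_partner` rows that calls `rbac.grantPermissionToRole(rbac.createPermission(p.uuid, 'DELETE'), hsOfficeRelationOWNER(...))` per row is needed, or the gap should at least be stated in a comment above the grant. The declaration of `newPartnerRel`, and the load and assert that presumably guard it the way `newPartnerDetails` is guarded here, lie outside the hunk, as does the enclosing function's begin and end.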
@@ -200,6 +201,49 @@ create trigger z_new_hs_office_partner_grants_after_insert_tg
 for each row
 execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
+-- granting INSERT permission to hs_office_relation ----------------------------
+
+/*
+ Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing hs_office_relation rows.
+ */
+do language plpgsql $$
+ declare
+ row hs_office_relation;
+ begin
+ call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising hs_office_relation rows');
+
+ FOR row IN SELECT * FROM hs_office_relation
+ -- unconditional for all rows in that table
+ LOOP
+ call rbac.grantPermissionToRole(
+ rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
+ hsOfficeRelationAGENT(row));
+ END LOOP;
+ end;
+$$;
+
+/**
+ Grants hs_office_partner INSERT permission to specified role of new hs_office_relation rows.
+*/
+create or replace function new_hsof_partner_grants_insert_to_hsof_relation_tf()
+ returns trigger
+ language plpgsql
+ strict as $$
+begin
+ -- unconditional for all rows in that table
+ call rbac.grantPermissionToRole(
+ rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
+ hsOfficeRelationAGENT(NEW));
+ -- end.
+ return NEW;
+end; $$;
+
+-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
+create trigger z_new_hs_office_partner_grants_after_insert_tg
+ after insert on hs_office_relation
+ for each row
+execute procedure new_hsof_partner_grants_insert_to_hsof_relation_tf();
+
 -- ============================================================================
 --changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
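Review bot: Both the backfill `do` block and the new trigger function grant `INSERT` on `hs_office_partner` to `hsOfficeRelationAGENT(...)` of every `hs_office_relation` row, as the two `-- unconditional for all rows in that table` comments state, and the check added in the last hunk of this commit accepts whatever relation uuid the inserting subject supplies in `NEW.partnerRelUuid`. If `hs_office_relation` holds relations of more than one kind, this lets the AGENT of any relation create a partner under it rather than only the kind a partner is meant to reference; if that is intended the comment should say so, otherwise both the `SELECT * FROM hs_office_relation` and the trigger body should be restricted to the relation kind partners actually reference, after which the permission check itself needs no change. Two smaller points: the new function is created without a schema prefix while the existing sibling shown as context is `rbac.new_hsof_partner_grants_insert_to_global_tf()`, and the new trigger reuses the name `z_new_hs_office_partner_grants_after_insert_tg` of the trigger on `hs_office_partner` visible in the hunk header, which PostgreSQL allows per table but makes the two hard to tell apart in catalog queries and logs. The string passed to `base.defineContext` and the comment above the `do` block both spell `pre-exising`; since the string is recorded at runtime, correct it to `pre-existing` in both places.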
@@ -218,6 +262,10 @@ begin
 if rbac.isGlobalAdmin() then
 return NEW;
 end if;
+ -- check INSERT permission via direct foreign key: NEW.partnerRelUuid
+ if rbac.hasInsertPermission(NEW.partnerRelUuid, 'hs_office_partner') then
+ return NEW;
+ end if;
 raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)', NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();