diff --git a/authentic/export-roles.py b/authentic/export-roles.py
new file mode 100644
index 0000000..a242c0e
--- /dev/null
+++ b/authentic/export-roles.py
@@ -0,0 +1,33 @@
+import json
+
+from django_rbac.utils import get_role_model, get_ou_model, get_role_parenting_model, get_permission_model
+from authentic2.a2_rbac.models import RoleAttribute
+
+Role = get_role_model()
+RoleParenting = get_role_parenting_model()
+Permission = get_permission_model()
+Ou = get_ou_model()
+
+export = {'roles': []}
+
+def to_json(role, attributes=True):
+ # to put in Role::to_json() (at least in parts)
+ role_dict = role.to_json()
+ if role.service_id:
+ role_dict['service_slug'] = role.service.slug
+ if attributes:
+ role_dict['description'] = role.description
+ role_dict['attributes'] = {}
+ for attribute in RoleAttribute.objects.filter(role=role):
+ role_dict['attributes'][attribute.name] = {'kind': attribute.kind, 'value': attribute.value}
+ return role_dict
+
+for role in Role.objects.all():
+ role_dict = to_json(role)
+ role_dict['parents'] = []
+ export['roles'].append(role_dict)
+ qs = RoleParenting.objects.filter(child_id=role.id, direct=True)
+ for parenting in qs:
+ role_dict['parents'].append(to_json(parenting.parent, attributes=False))
+
+print json.dumps(export, indent=2)
diff --git a/authentic/import-roles.py b/authentic/import-roles.py
new file mode 100644
index 0000000..a4eebf2
--- /dev/null
+++ b/authentic/import-roles.py
@@ -0,0 +1,64 @@
+import json
+import sys
+
+from django_rbac.utils import get_role_model, get_ou_model, get_role_parenting_model, get_permission_model
+from authentic2.a2_rbac.models import RoleAttribute
+
+Role = get_role_model()
+RoleParenting = get_role_parenting_model()
+Permission = get_permission_model()
+Ou = get_ou_model()
+
+export = json.load(open(sys.argv[1]))
+
+def get_role(role_dict):
+ kwargs = {'slug': role_dict['slug']}
+ if role_dict['is_service']:
+ kwargs['service__slug'] = role_dict['service_slug']
+ else:
+ kwargs['service__isnull'] = True
+ if role_dict['ou__slug']:
+ kwargs['ou__slug'] = role_dict['ou__slug']
+ else:
+ kwargs['ou__isnull'] = True
+ return Role.objects.get(**kwargs)
+
+# first pass, create non technical roles
+for role_dict in export['roles']:
+ if role_dict['slug'].startswith('_'):
+ continue
+ assert not role_dict['is_service']
+ ou = Ou.objects.get(slug=role_dict['ou__slug'])
+ role, created = Role.objects.get_or_create(slug=role_dict['slug'], ou=ou)
+ role.name = role_dict['name']
+ role.description = role_dict['description']
+ role.uuid = role_dict['uuid']
+ role.save()
+ for attribute in role_dict['attributes']:
+ RoleAttribute.objects.update_or_create(
+ role=role, name=attribute,
+ defaults=role_dict['attributes'][attribute])
+
+# second pass, create hierarchy
+for role_dict in export['roles']:
+ if not role_dict['parents']:
+ continue
+ assert not role_dict['is_service']
+ kwargs = {}
+ if role_dict['ou__slug']:
+ kwargs['ou'] = Ou.objects.get(slug=role_dict['ou__slug'])
+ else:
+ kwargs['ou__isnull'] = True
+ try:
+ role = Role.objects.get(slug=role_dict['slug'], **kwargs)
+ except Role.DoesNotExist:
+ print 'missing role', role
+ continue
+
+ for parent in role_dict['parents']:
+ try:
+ parent_role = get_role(parent)
+ except Role.DoesNotExist:
+ print 'could not role', parent
+ continue
+ RoleParenting.objects.get_or_create(child=role, direct=True, parent=parent_role)
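Review bot: The first pass hands `role_dict['attributes'][attribute]` to `update_or_create` unchanged as `defaults=`, so every key present in the JSON file is written onto `RoleAttribute`; building it explicitly, `defaults={'kind': attr['kind'], 'value': attr['value']}`, limits the import to the two fields the export script emits. The two `assert not role_dict['is_service']` checks disappear under `python -O`, and because nothing is wrapped in `transaction.atomic()` a failure part-way leaves roles created without their hierarchy; an explicit `raise` inside one atomic block is safer for data that decides which role inherits from which. The second pass does not repeat the `startswith('_')` skip, so parent links for technical roles are also taken from the file, which is worth confirming as intended. In the same loop, `print 'missing role', role` runs when the lookup has just failed, so `role` is whatever an earlier iteration or the first pass left bound (or unbound); `role_dict['slug']` is the value to print.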