diff --git a/application/controllers/ConfigController.php b/application/controllers/ConfigController.php
index 73d40261c..0c89ebba8 100644
--- a/application/controllers/ConfigController.php
+++ b/application/controllers/ConfigController.php
@@ -32,9 +32,6 @@ class ConfigController extends ActionController
         ))->add('resources', array(
             'title' => $this->translate('Resources'),
             'url'   => 'config/resource'
-        ))->add('permissions', array(
-            'title' => $this->translate('Permissions'),
-            'url'   => 'permissions'
         ));
     }
 
diff --git a/application/controllers/PermissionsController.php b/application/controllers/PermissionsController.php
deleted file mode 100644
index a1b1bb8e2..000000000
--- a/application/controllers/PermissionsController.php
+++ /dev/null
@@ -1,150 +0,0 @@
-<?php
-// {{{ICINGA_LICENSE_HEADER}}}
-// {{{ICINGA_LICENSE_HEADER}}}
-
-use Icinga\Application\Config;
-use Icinga\Forms\ConfirmRemovalForm;
-use Icinga\Forms\Security\RoleForm;
-use Icinga\Web\Controller\ActionController;
-use Icinga\Web\Notification;
-use Icinga\Web\Widget;
-
-class PermissionsController extends ActionController
-{
-    public function init()
-    {
-        $this->view->tabs = Widget::create('tabs')->add('index', array(
-            'title' => $this->translate('Application'),
-            'url'   => 'config'
-        ))->add('authentication', array(
-            'title' => $this->translate('Authentication'),
-            'url'   => 'config/authentication'
-        ))->add('resources', array(
-            'title' => $this->translate('Resources'),
-            'url'   => 'config/resource'
-        ))->add('permissions', array(
-            'title' => $this->translate('Permissions'),
-            'url'   => 'permissions'
-        ));
-    }
-
-    public function indexAction()
-    {
-        $this->view->tabs->activate('permissions');
-        $this->view->roles = Config::app('roles', true);
-    }
-
-    public function newAction()
-    {
-        $role = new RoleForm(array(
-            'onSuccess' => function (RoleForm $role) {
-                $name = $role->getElement('name')->getValue();
-                $values = $role->getValues();
-                try {
-                    $role->add($name, $values);
-                } catch (InvalidArgumentException $e) {
-                    $role->addError($e->getMessage());
-                    return false;
-                }
-                if ($role->save()) {
-                    Notification::success(t('Role created'));
-                    return true;
-                }
-                return false;
-            }
-        ));
-        $role
-            ->setSubmitLabel($this->translate('Create Role'))
-            ->setIniConfig(Config::app('roles', true))
-            ->setRedirectUrl('permissions')
-            ->handleRequest();
-        $this->view->form = $role;
-    }
-
-    public function updateAction()
-    {
-        $name = $this->_request->getParam('role');
-        if (empty($name)) {
-            throw new Zend_Controller_Action_Exception(
-                sprintf($this->translate('Required parameter \'%s\' missing'), 'role'),
-                400
-            );
-        }
-        $role = new RoleForm();
-        $role->setSubmitLabel($this->translate('Update Role'));
-        try {
-            $role
-                ->setIniConfig(Config::app('roles', true))
-                ->load($name);
-        } catch (InvalidArgumentException $e) {
-            throw new Zend_Controller_Action_Exception(
-                $e->getMessage(),
-                400
-            );
-        }
-        $role
-            ->setOnSuccess(function (RoleForm $role) use ($name) {
-                $oldName = $name;
-                $name = $role->getElement('name')->getValue();
-                $values = $role->getValues();
-                try {
-                    $role->update($name, $values, $oldName);
-                } catch (InvalidArgumentException $e) {
-                    $role->addError($e->getMessage());
-                    return false;
-                }
-                if ($role->save()) {
-                    Notification::success(t('Role updated'));
-                    return true;
-                }
-                return false;
-            })
-            ->setRedirectUrl('permissions')
-            ->handleRequest();
-        $this->view->name = $name;
-        $this->view->form = $role;
-    }
-
-    public function removeAction()
-    {
-        $name = $this->_request->getParam('role');
-        if (empty($name)) {
-            throw new Zend_Controller_Action_Exception(
-                sprintf($this->translate('Required parameter \'%s\' missing'), 'role'),
-                400
-            );
-        }
-        $role = new RoleForm();
-        try {
-            $role
-                ->setIniConfig(Config::app('roles', true))
-                ->load($name);
-        } catch (InvalidArgumentException $e) {
-            throw new Zend_Controller_Action_Exception(
-                $e->getMessage(),
-                400
-            );
-        }
-        $confirmation = new ConfirmRemovalForm(array(
-            'onSuccess' => function (ConfirmRemovalForm $confirmation) use ($name, $role) {
-                try {
-                    $role->remove($name);
-                } catch (InvalidArgumentException $e) {
-                    Notification::error($e->getMessage());
-                    return false;
-                }
-                if ($role->save()) {
-                    Notification::success(t('Role removed'));
-                    return true;
-                }
-                return false;
-            }
-        ));
-        $confirmation
-            ->setSubmitLabel($this->translate('Remove Role'))
-            ->setRedirectUrl('permissions')
-            ->handleRequest();
-        $this->view->name = $name;
-        $this->view->form = $confirmation;
-    }
-}
diff --git a/application/forms/Security/RoleForm.php b/application/forms/Security/RoleForm.php
deleted file mode 100644
index 0fb53e858..000000000
--- a/application/forms/Security/RoleForm.php
+++ /dev/null
@@ -1,235 +0,0 @@
-<?php
-// {{{ICINGA_LICENSE_HEADER}}}
-// {{{ICINGA_LICENSE_HEADER}}}
-
-namespace Icinga\Forms\Security;
-
-use InvalidArgumentException;
-use LogicException;
-use Icinga\Application\Icinga;
-use Icinga\Forms\ConfigForm;
-use Icinga\Util\String;
-
-/**
- * Form for managing roles
- */
-class RoleForm extends ConfigForm
-{
-    /**
-     * Provided permissions by currently loaded modules
-     *
-     * @var array
-     */
-    protected $providedPermissions = array();
-
-    /**
-     * Provided restrictions by currently loaded modules
-     *
-     * @var array
-     */
-    protected $providedRestrictions = array();
-
-    /**
-     * (non-PHPDoc)
-     * @see \Icinga\Web\Form::init() For the method documentation.
-     */
-    public function init()
-    {
-        foreach (Icinga::app()->getModuleManager()->getLoadedModules() as $module) {
-            foreach ($module->getProvidedPermissions() as $permission) {
-                /** @var object $permission */
-                $this->providedPermissions[$permission->name] = $permission->name . ': ' . $permission->description;
-            }
-            foreach ($module->getProvidedRestrictions() as $restriction) {
-                /** @var object $restriction */
-                $this->providedRestrictions[$restriction->name] = $restriction->description;
-            }
-        }
-    }
-
-    /**
-     * (non-PHPDoc)
-     * @see \Icinga\Web\Form::createElements() For the method documentation.
-     */
-    public function createElements(array $formData = array())
-    {
-        $this->addElements(array(
-            array(
-                'text',
-                'name',
-                array(
-                    'required'      => true,
-                    'label'         => t('Role Name'),
-                    'description'   => t('The name of the role'),
-                    'ignore'        => true
-                ),
-            ),
-            array(
-                'textarea',
-                'users',
-                array(
-                    'label'         => t('Users'),
-                    'description'   => t('Comma-separated list of users that are assigned to the role')
-                ),
-            ),
-            array(
-                'textarea',
-                'groups',
-                array(
-                    'label'         => t('Groups'),
-                    'description'   => t('Comma-separated list of groups that are assigned to the role')
-                ),
-            ),
-            array(
-                'multiselect',
-                'permissions',
-                array(
-                    'label'         => t('Permissions Set'),
-                    'description'   => t('The permissions to grant. You may select more than one permission'),
-                    'multiOptions'  => $this->providedPermissions
-                )
-            )
-        ));
-        foreach ($this->providedRestrictions as $name => $description) {
-            $this->addElement(
-                'text',
-                $name,
-                array(
-                    'label'         => $name,
-                    'description'   => $description
-                )
-            );
-        }
-        return $this;
-    }
-
-    /**
-     * Load a role
-     *
-     * @param   string  $name           The name of the role
-     *
-     * @return  $this
-     *
-     * @throws  LogicException          If the config is not set
-     * @see     ConfigForm::setConfig() For setting the config.
-     */
-    public function load($name)
-    {
-        if (! isset($this->config)) {
-            throw new LogicException(sprintf('Can\'t load role \'%s\'. Config is not set', $name));
-        }
-        if (! $this->config->hasSection($name)) {
-            throw new InvalidArgumentException(sprintf(
-                t('Can\'t load role \'%s\'. Role does not exist'),
-                $name
-            ));
-        }
-        $role = $this->config->getSection($name)->toArray();
-        $role['permissions'] = ! empty($role['permissions'])
-            ? String::trimSplit($role['permissions'])
-            : null;
-        $role['name'] = $name;
-        $this->populate($role);
-        return $this;
-    }
-
-    /**
-     * Add a role
-     *
-     * @param   string  $name               The name of the role
-     * @param   array   $values
-     *
-     * @return  $this
-     *
-     * @throws  LogicException              If the config is not set
-     * @throws  InvalidArgumentException    If the role to add already exists
-     * @see     ConfigForm::setConfig()     For setting the config.
-     */
-    public function add($name, array $values)
-    {
-        if (! isset($this->config)) {
-            throw new LogicException(sprintf('Can\'t add role \'%s\'. Config is not set', $name));
-        }
-        if ($this->config->hasSection($name)) {
-            throw new InvalidArgumentException(sprintf(
-                t('Can\'t add role \'%s\'. Role already exists'),
-                $name
-            ));
-        }
-        $this->config->setSection($name, $values);
-        return $this;
-    }
-
-    /**
-     * Remove a role
-     *
-     * @param   string  $name               The name of the role
-     *
-     * @return  $this
-     *
-     * @throws  LogicException              If the config is not set
-     * @throws  InvalidArgumentException    If the role does not exist
-     * @see     ConfigForm::setConfig()     For setting the config.
-     */
-    public function remove($name)
-    {
-        if (! isset($this->config)) {
-            throw new LogicException(sprintf('Can\'t remove role \'%s\'. Config is not set', $name));
-        }
-        if (! $this->config->hasSection($name)) {
-            throw new InvalidArgumentException(sprintf(
-                t('Can\'t remove role \'%s\'. Role does not exist'),
-                $name
-            ));
-        }
-        $this->config->removeSection($name);
-        return $this;
-    }
-
-    /**
-     * Update a role
-     *
-     * @param   string  $name               The possibly new name of the role
-     * @param   array   $values
-     * @param   string  $oldName            The name of the role to update
-     *
-     * @return  $this
-     *
-     * @throws  LogicException              If the config is not set
-     * @throws  InvalidArgumentException    If the role to update does not exist
-     * @see     ConfigForm::setConfig()     For setting the config.
-     */
-    public function update($name, array $values, $oldName)
-    {
-        if (! isset($this->config)) {
-            throw new LogicException(sprintf('Can\'t update role \'%s\'. Config is not set', $name));
-        }
-        if ($name !== $oldName) {
-            // The permission got a new name
-            $this->remove($oldName);
-            $this->add($name, $values);
-        } else {
-            if (! $this->config->hasSection($name)) {
-                throw new InvalidArgumentException(sprintf(
-                    t('Can\'t update role \'%s\'. Role does not exist'),
-                    $name
-                ));
-            }
-            $this->config->setSection($name, $values);
-        }
-        return $this;
-    }
-
-    /**
-     * (non-PHPDoc)
-     * @see \Zend_Form::getValues() For the method documentation.
-     */
-    public function getValues($suppressArrayNotation = false)
-    {
-        $values = array_filter(parent::getValues($suppressArrayNotation));
-        if (isset($values['permissions'])) {
-            $values['permissions'] = implode(', ', $values['permissions']);
-        }
-        return $values;
-    }
-}
diff --git a/application/views/scripts/permissions/index.phtml b/application/views/scripts/permissions/index.phtml
deleted file mode 100644
index 3dd11cc81..000000000
--- a/application/views/scripts/permissions/index.phtml
+++ /dev/null
@@ -1,68 +0,0 @@
-<div class="controls">
-    <?= $tabs ?>
-</div>
-<div class="content">
-    <div>
-        <h1><?= $this->translate('Permissions') ?></h1>
-        <?php /** @var \Icinga\Application\Config $roles */ if ($roles->isEmpty()): ?>
-            <?= $this->translate('No permissions found.') ?>
-        <?php else: ?>
-            <table class="avp action" data-base-target="_next">
-                <thead>
-                <tr>
-                    <th><?= $this->translate('Name') ?></th>
-                    <th><?= $this->translate('Permissions') ?></th>
-                    <th><?= $this->translate('Restrictions') ?></th>
-                    <th><?= $this->translate('Users') ?></th>
-                    <th><?= $this->translate('Groups') ?></th>
-                </tr>
-                </thead>
-                <tbody>
-                <?php foreach ($roles as $name => $role): /** @var object $role */ ?>
-                    <tr>
-                        <td>
-                            <?= $this->escape($name) ?>
-                            <div class="hidden">
-                                <a href="<?= $this->url('permissions/update', array('role' => $name)) ?>"></a>
-                            </div>
-                        </td>
-                        <td><?= $this->escape($role->permissions, 0, 50) ?></td>
-                        <td>
-                            <?php
-                            // TODO(el): $role->without(...) or $role->shift(...) would be nice!
-                            $restrictions = $role;
-                            unset($restrictions['users']);
-                            unset($restrictions['groups']);
-                            unset($restrictions['permissions']);
-                            ?>
-                            <?php if (! empty($restrictions)): ?>
-                            <table>
-                                <tbody>
-                                <?php foreach ($restrictions as $restrictionName => $restriction): ?>
-                                    <tr>
-                                        <th><?= $this->escape($restrictionName) ?></th>
-                                        <td><?= $this->escape($restriction) ?></td>
-                                    </tr>
-                                <?php endforeach ?>
-                                </tbody>
-                            </table>
-                            <?php endif ?>
-                        </td>
-                        <td><?= $this->escape($role->users) ?></td>
-                        <td><?= $this->escape($role->groups) ?></td>
-                        <td>
-                            <a href="<?= $this->url('permissions/remove', array('role' => $name)) ?>"
-                               title="<?= $this->translate('Remove role') ?>">
-                                <?= $this->icon('cancel') ?>
-                            </a>
-                        </td>
-                    </tr>
-                <?php endforeach ?>
-                </tbody>
-            </table>
-        <?php endif ?>
-        <a data-base-target="_next" href="<?= $this->href('permissions/new') ?>">
-            <?= $this->translate('New Role') ?>
-        </a>
-    </div>
-</div>
diff --git a/application/views/scripts/permissions/new.phtml b/application/views/scripts/permissions/new.phtml
deleted file mode 100644
index d5f9e7e33..000000000
--- a/application/views/scripts/permissions/new.phtml
+++ /dev/null
@@ -1,4 +0,0 @@
-<div class="content">
-    <h1><?= $this->translate('New Role') ?></h1>
-    <?= $form ?>
-</div>
diff --git a/application/views/scripts/permissions/remove.phtml b/application/views/scripts/permissions/remove.phtml
deleted file mode 100644
index a9360e78f..000000000
--- a/application/views/scripts/permissions/remove.phtml
+++ /dev/null
@@ -1,4 +0,0 @@
-<div class="content">
-    <h1><?= sprintf($this->translate('Remove Role %s'), $name) ?></h1>
-    <?= $form ?>
-</div>
diff --git a/application/views/scripts/permissions/update.phtml b/application/views/scripts/permissions/update.phtml
deleted file mode 100644
index 8cb235a59..000000000
--- a/application/views/scripts/permissions/update.phtml
+++ /dev/null
@@ -1,4 +0,0 @@
-<div class="content">
-    <h1><?= sprintf($this->translate('Update Role %s'), $name) ?></h1>
-    <?= $form ?>
-</div>