diff --git a/core/server/models/base/index.js b/core/server/models/base/index.js
index 504318892f..50fc88b9c6 100644
--- a/core/server/models/base/index.js
+++ b/core/server/models/base/index.js
@@ -63,6 +63,11 @@ ghostBookshelf.plugin('bookshelf-relations', {
                     }
                 };
 
+                // CASE: disable after hook for specific relations
+                if (['permissions_roles'].indexOf(existing.relatedData.joinTableName) !== -1) {
+                    return Promise.resolve();
+                }
+
                 return Promise.each(targets.models, function (target, index) {
                     queryOptions.query.where[existing.relatedData.otherKey] = target.id;
 
diff --git a/core/server/models/permission.js b/core/server/models/permission.js
index 2e9454c7f8..c350a47358 100644
--- a/core/server/models/permission.js
+++ b/core/server/models/permission.js
@@ -1,14 +1,36 @@
-var ghostBookshelf = require('./base'),
+'use strict';
 
-    Permission,
+const ghostBookshelf = require('./base');
+
+let Permission,
     Permissions;
 
 Permission = ghostBookshelf.Model.extend({
 
     tableName: 'permissions',
 
+    relationships: ['roles'],
+    relationshipBelongsTo: {
+        roles: 'roles'
+    },
+
+    /**
+     * The base model keeps only the columns, which are defined in the schema.
+     * We have to add the relations on top, otherwise bookshelf-relations
+     * has no access to the nested relations, which should be updated.
+     */
+    permittedAttributes: function permittedAttributes() {
+        let filteredKeys = ghostBookshelf.Model.prototype.permittedAttributes.apply(this, arguments);
+
+        this.relationships.forEach((key) => {
+            filteredKeys.push(key);
+        });
+
+        return filteredKeys;
+    },
+
     roles: function roles() {
-        return this.belongsToMany('Role');
+        return this.belongsToMany('Role', 'permissions_roles', 'permission_id', 'role_id');
     },
 
     users: function users() {
diff --git a/core/test/integration/model/model_permissions_spec.js b/core/test/integration/model/model_permissions_spec.js
index 5d0edcd080..1854447d4e 100644
--- a/core/test/integration/model/model_permissions_spec.js
+++ b/core/test/integration/model/model_permissions_spec.js
@@ -75,7 +75,7 @@ describe('Permission Model', function () {
 
             return PermissionModel.destroy(firstPermission);
         }).then(function (response) {
-            response.toJSON().should.be.empty();
+            response.toJSON({shallow: true}).should.be.empty();
             return PermissionModel.findOne(firstPermission);
         }).then(function (newResults) {
             should.equal(newResults, null);
diff --git a/core/test/unit/models/permission_spec.js b/core/test/unit/models/permission_spec.js
new file mode 100644
index 0000000000..ef5cde721e
--- /dev/null
+++ b/core/test/unit/models/permission_spec.js
@@ -0,0 +1,63 @@
+'use strict';
+
+const should = require('should'),
+    sinon = require('sinon'),
+    models = require('../../../server/models'),
+    testUtils = require('../../utils'),
+    sandbox = sinon.sandbox.create();
+
+describe('Unit: models/permission', function () {
+    before(function () {
+        models.init();
+    });
+
+    after(function () {
+        sandbox.restore();
+    });
+
+    describe('add', function () {
+        let knexMock;
+
+        before(function () {
+            knexMock = new testUtils.mocks.knex();
+            knexMock.mock();
+        });
+
+        after(function () {
+            knexMock.unmock();
+        });
+
+        it('without roles', function () {
+            return models.Permission.add({name: 'test', object_type: 'something', action_type: 'read something'})
+                .then(function (permission) {
+                    permission.get('name').should.eql('test');
+                    permission.get('object_type').should.eql('something');
+                    permission.get('action_type').should.eql('read something');
+                });
+        });
+
+        it('with roles', function () {
+            return models.Permission.add({
+                name: 'test',
+                object_type: 'something',
+                action_type: 'write something',
+                roles: [testUtils.DataGenerator.forKnex.roles[1]]
+            }).then(function (permission) {
+                permission.get('name').should.eql('test');
+                permission.get('object_type').should.eql('something');
+                permission.get('action_type').should.eql('write something');
+                permission.related('roles').models[0].id.should.eql(testUtils.DataGenerator.forKnex.roles[1].id);
+            });
+        });
+
+        it('[error] validation', function () {
+            return models.Permission.add({})
+                .then(function () {
+                    'Should fail'.should.be.true();
+                })
+                .catch(function (err) {
+                    err.length.should.eql(3);
+                });
+        });
+    });
+});