diff --git a/lib-sql/grants.sql b/lib-sql/grants.sql
new file mode 100644
index 00000000..6e26eaa8
--- /dev/null
+++ b/lib-sql/grants.sql
@@ -0,0 +1,50 @@
+-- SPDX-License-Identifier: GPL-2.0-only
+--
+-- This file is part of Nominatim. (https://nominatim.org)
+--
+-- Copyright (C) 2026 by the Nominatim developer community.
+-- For a full list of authors see the git log.
+--
+-- Grant read-only access to the web user for all Nominatim tables.
+
+-- Core tables
+GRANT SELECT ON import_status TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON country_name TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON nominatim_properties TO "{{config.DATABASE_WEBUSER}}";
+
+-- Location tables
+GRANT SELECT ON location_property_tiger TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_property_osmline TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_area TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}";
+
+-- Search tables
+{% if not db.reverse_only %}
+GRANT SELECT ON search_name TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
+
+-- Main place tables
+GRANT SELECT ON placex TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON place_addressline TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}";
+
+-- OSM data tables
+GRANT SELECT ON planet_osm_ways TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON planet_osm_rels TO "{{config.DATABASE_WEBUSER}}";
+
+-- Error/delete tracking tables
+GRANT SELECT ON import_polygon_error TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON import_polygon_delete TO "{{config.DATABASE_WEBUSER}}";
+
+-- Country grid
+GRANT SELECT ON country_osm_grid TO "{{config.DATABASE_WEBUSER}}";
+
+-- Tokenizer tables (word table)
+{% if 'word' in db.tables %}
+GRANT SELECT ON word TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
+
+-- Tiger import table (if exists)
+{% if 'location_property_tiger_import' in db.tables %}
+GRANT SELECT ON location_property_tiger_import TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
\ No newline at end of file
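Review bot: The per-table grants in this file only take effect for tables that exist at the moment it runs, and the diff does not show when that is: `{% if 'word' in db.tables %}` and the `location_property_tiger_import` guard silently skip a table created afterwards, and the `GRANT` deleted from `tiger_import_finish.sql` previously followed the table through the `RENAME TO location_property_tiger`, so the tiger-import and tokenizer paths presumably have to re-run this file once they finish — worth confirming, since a missed grant now surfaces only as query-time permission errors for the web user. The `GRANT SELECT ON seq_word` removed from `icu_tokenizer.py` has no counterpart here; if the web user never reads that sequence this is a welcome tightening, otherwise it needs `GRANT SELECT ON seq_word TO "{{config.DATABASE_WEBUSER}}";`. Likewise the grants dropped from the `migration.py` functions that create `placex_entrance` and `location_postcodes` are only safe if the migration runner executes this file afterwards, which is not visible in the hunks. I would extend the header comment with `-- Must be run after every step that creates or renames tables (import, tokenizer setup, tiger import, migrations); any new table the API reads must be added here.` so the ordering contract is stated where the grants live.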
diff --git a/lib-sql/tables.sql b/lib-sql/tables.sql index c7e301d5..64545b27 100644 --- a/lib-sql/tables.sql +++ b/lib-sql/tables.sql @@ -11,7 +11,6 @@ CREATE TABLE import_status ( sequence_id integer, indexed boolean ); -GRANT SELECT ON import_status TO "{{config.DATABASE_WEBUSER}}" ; drop table if exists import_osmosis_log; CREATE TABLE import_osmosis_log ( @@ -23,14 +22,11 @@ CREATE TABLE import_osmosis_log ( event text ); -GRANT SELECT ON TABLE country_name TO "{{config.DATABASE_WEBUSER}}"; - DROP TABLE IF EXISTS nominatim_properties; CREATE TABLE nominatim_properties ( property TEXT NOT NULL, value TEXT ); -GRANT SELECT ON TABLE nominatim_properties TO "{{config.DATABASE_WEBUSER}}"; drop table IF EXISTS location_area CASCADE; CREATE TABLE location_area ( @@ -66,7 +62,6 @@ CREATE TABLE location_property_tiger ( partition SMALLINT NOT NULL, linegeo GEOMETRY NOT NULL, postcode TEXT); -GRANT SELECT ON location_property_tiger TO "{{config.DATABASE_WEBUSER}}"; drop table if exists location_property_osmline; CREATE TABLE location_property_osmline ( @@ -90,7 +85,6 @@ CREATE UNIQUE INDEX idx_osmline_place_id ON location_property_osmline USING BTRE CREATE INDEX idx_osmline_geometry_sector ON location_property_osmline USING BTREE (geometry_sector) {{db.tablespace.address_index}}; CREATE INDEX idx_osmline_linegeo ON location_property_osmline USING GIST (linegeo) {{db.tablespace.search_index}} WHERE startnumber is not null; -GRANT SELECT ON location_property_osmline TO "{{config.DATABASE_WEBUSER}}"; drop table IF EXISTS search_name; {% if not db.reverse_only %} @@ -106,7 +100,6 @@ CREATE TABLE search_name ( ) {{db.tablespace.search_data}}; CREATE UNIQUE INDEX idx_search_name_place_id ON search_name USING BTREE (place_id) {{db.tablespace.search_index}}; -GRANT SELECT ON search_name to "{{config.DATABASE_WEBUSER}}" ; {% endif %} drop table IF EXISTS place_addressline; 
@@ -203,11 +196,6 @@ CREATE INDEX idx_placex_rank_boundaries_sector ON placex DROP SEQUENCE IF EXISTS seq_place; CREATE SEQUENCE seq_place start 1; -GRANT SELECT on placex to "{{config.DATABASE_WEBUSER}}" ; -GRANT SELECT on place_addressline to "{{config.DATABASE_WEBUSER}}" ; -GRANT SELECT ON planet_osm_ways to "{{config.DATABASE_WEBUSER}}" ; -GRANT SELECT ON planet_osm_rels to "{{config.DATABASE_WEBUSER}}" ; -GRANT SELECT on location_area to "{{config.DATABASE_WEBUSER}}" ; -- Table for synthetic postcodes. DROP TABLE IF EXISTS location_postcodes; @@ -232,7 +220,6 @@ CREATE INDEX IF NOT EXISTS idx_location_postcodes_postcode {{db.tablespace.search_index}}; CREATE INDEX IF NOT EXISTS idx_location_postcodes_osmid ON location_postcodes USING BTREE (osm_id) {{db.tablespace.search_index}}; -GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}" ; -- Table to store location of entrance nodes DROP TABLE IF EXISTS placex_entrance; @@ -245,7 +232,6 @@ CREATE TABLE placex_entrance ( ); CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance USING BTREE (place_id, osm_id) {{db.tablespace.search_index}}; -GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}" ; -- Create an index on the place table for lookups to populate the entrance -- table @@ -267,7 +253,6 @@ CREATE TABLE import_polygon_error ( newgeometry GEOMETRY(Geometry, 4326) ); CREATE INDEX idx_import_polygon_error_osmid ON import_polygon_error USING BTREE (osm_type, osm_id); -GRANT SELECT ON import_polygon_error TO "{{config.DATABASE_WEBUSER}}"; DROP TABLE IF EXISTS import_polygon_delete; CREATE TABLE import_polygon_delete ( @@ -277,7 +262,6 @@ CREATE TABLE import_polygon_delete ( type TEXT NOT NULL ); CREATE INDEX idx_import_polygon_delete_osmid ON import_polygon_delete USING BTREE (osm_type, osm_id); -GRANT SELECT ON import_polygon_delete TO "{{config.DATABASE_WEBUSER}}"; DROP SEQUENCE IF EXISTS file; CREATE SEQUENCE file start 1; 
@@ -308,5 +292,3 @@ CREATE INDEX planet_osm_rels_relation_members_idx ON planet_osm_rels USING gin(p CREATE INDEX IF NOT EXISTS idx_place_interpolations ON place USING gist(geometry) {{db.tablespace.address_index}} WHERE osm_type = 'W' and address ? 'interpolation'; - -GRANT SELECT ON table country_osm_grid to "{{config.DATABASE_WEBUSER}}"; diff --git a/lib-sql/tiger_import_finish.sql b/lib-sql/tiger_import_finish.sql index b7c32d72..914677bd 100644 --- a/lib-sql/tiger_import_finish.sql +++ b/lib-sql/tiger_import_finish.sql @@ -13,8 +13,6 @@ CREATE INDEX IF NOT EXISTS idx_location_property_tiger_parent_place_id_imp CREATE UNIQUE INDEX IF NOT EXISTS idx_location_property_tiger_place_id_imp ON location_property_tiger_import (place_id) {{db.tablespace.aux_index}}; -GRANT SELECT ON location_property_tiger_import TO "{{config.DATABASE_WEBUSER}}"; - DROP TABLE IF EXISTS location_property_tiger; ALTER TABLE location_property_tiger_import RENAME TO location_property_tiger; diff --git a/src/nominatim_db/tokenizer/icu_tokenizer.py b/src/nominatim_db/tokenizer/icu_tokenizer.py index 5d90bb27..2ddfd8e3 100644 --- a/src/nominatim_db/tokenizer/icu_tokenizer.py +++ b/src/nominatim_db/tokenizer/icu_tokenizer.py @@ -144,10 +144,6 @@ class ICUTokenizer(AbstractTokenizer): with conn.cursor() as cur: cur.execute('SET max_parallel_workers_per_gather TO 0') - sqlp = SQLPreprocessor(conn, config) - sqlp.run_string(conn, - 'GRANT SELECT ON tmp_word TO "{{config.DATABASE_WEBUSER}}"') - conn.commit() self._create_base_indices(config, 'tmp_word') self._create_lookup_indices(config, 'tmp_word') self._move_temporary_word_table('tmp_word') @@ -245,11 +241,9 @@ class ICUTokenizer(AbstractTokenizer): word text, info jsonb ) {{db.tablespace.search_data}}; - GRANT SELECT ON word TO "{{config.DATABASE_WEBUSER}}"; DROP SEQUENCE IF EXISTS seq_word; CREATE SEQUENCE seq_word start 1; - GRANT SELECT ON seq_word to "{{config.DATABASE_WEBUSER}}"; """) conn.commit() 
diff --git a/src/nominatim_db/tools/migration.py b/src/nominatim_db/tools/migration.py index e1edc975..a2bee6b6 100644 --- a/src/nominatim_db/tools/migration.py +++ b/src/nominatim_db/tools/migration.py @@ -137,7 +137,6 @@ def create_placex_entrance_table(conn: Connection, config: Configuration, **_: A ); CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance USING BTREE (place_id, osm_id) {{db.tablespace.search_index}}; - GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}" ; """) @@ -250,8 +249,6 @@ def create_place_postcode_table(conn: Connection, config: Configuration, **_: An geometry Geometry(Geometry, 4326) NOT NULL ) """) - sqlp.run_string(conn, - 'GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}"') # remove postcodes from the various auxillary tables cur.execute( """