diff --git a/src/nominatim_db/tools/admin.py b/src/nominatim_db/tools/admin.py
index b8e3cb56..15446bb7 100644
--- a/src/nominatim_db/tools/admin.py
+++ b/src/nominatim_db/tools/admin.py
@@ -16,6 +16,7 @@ from psycopg.types.json import Json
 from ..typing import DictCursorResult
 from ..config import Configuration
 from ..db.connection import connect, Cursor, register_hstore
+from ..db.sql_preprocessor import SQLPreprocessor
 from ..errors import UsageError
 from ..tokenizer import factory as tokenizer_factory
 from ..data.place_info import PlaceInfo
@@ -105,3 +106,12 @@ def clean_deleted_relations(config: Configuration, age: str) -> None:
 except psycopg.DataError as exc:
 raise UsageError('Invalid PostgreSQL time interval format') from exc
 conn.commit()
+
+
+def grant_ro_access(dsn: str, config: Configuration) -> None:
+ """ Grant read-only access to the web user for all Nominatim tables.
+ This can be used to grant access to a different user after import.
+ """
+ with connect(dsn) as conn:
+ sql = SQLPreprocessor(conn, config)
+ sql.run_sql_file(conn, 'grants.sql')
diff --git a/src/nominatim_db/tools/database_import.py b/src/nominatim_db/tools/database_import.py
index c92c3900..f079e1fe 100644
--- a/src/nominatim_db/tools/database_import.py
+++ b/src/nominatim_db/tools/database_import.py
@@ -157,6 +157,8 @@ def create_tables(conn: Connection, config: Configuration, reverse_only: bool =
 sql.run_sql_file(conn, 'tables.sql')
+ sql.run_sql_file(conn, 'grants.sql')
+
 def create_table_triggers(conn: Connection, config: Configuration) -> None:
 """ Create the triggers for the tables. The trigger functions must already
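Review bot: The docstring of `grant_ro_access` (admin.py, second hunk) says access can be granted "to a different user", but the function takes no role argument, so the role presumably comes from `config` while `dsn` only selects the connection that issues the grants. I would state that explicitly, for example `The role is the web user set in the configuration; 'dsn' must connect as a user that may GRANT on the Nominatim tables.` Because `grants.sql` is not part of this diff, it is also worth confirming that it quotes the configured role name as an identifier and grants nothing beyond SELECT, since this function can now be run against a live database after import.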
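Review bot: The added `sql.run_sql_file(conn, 'grants.sql')` call in `create_tables` (database_import.py) carries no comment and appears to run whatever the value of `reverse_only`, so the function now changes privileges as well as creating tables. `grants.sql` is not shown here; if it names tables that `tables.sql` leaves out for a reverse-only import, the GRANT would fail at this call, so it is worth confirming that the template applies the same condition. I would add a comment such as `# Give the web user read access to the tables created above.` and mention the grant in the docstring of `create_tables`, which starts outside this hunk.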