diff --git a/src/pretix/base/migrations/0004_eventpermission_can_change_permissions.py b/src/pretix/base/migrations/0004_eventpermission_can_change_permissions.py
new file mode 100644
index 0000000000..fbfec7b010
--- /dev/null
+++ b/src/pretix/base/migrations/0004_eventpermission_can_change_permissions.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import models, migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0003_auto_20150602_2232'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='eventpermission',
+            name='can_change_permissions',
+            field=models.BooleanField(default=True, verbose_name='Can change permissions'),
+        ),
+    ]
diff --git a/src/pretix/base/models.py b/src/pretix/base/models.py
index 9f95267c07..f9d818b1f6 100644
--- a/src/pretix/base/models.py
+++ b/src/pretix/base/models.py
@@ -538,6 +538,10 @@ class EventPermission(Versionable):
         default=True,
         verbose_name=_("Can view orders")
     )
+    can_change_permissions = models.BooleanField(
+        default=True,
+        verbose_name=_("Can change permissions")
+    )
     can_change_orders = models.BooleanField(
         default=True,
         verbose_name=_("Can change orders")
diff --git a/src/pretix/control/templates/pretixcontrol/event/base.html b/src/pretix/control/templates/pretixcontrol/event/base.html
index 93021e2a49..83b7e5ec23 100644
--- a/src/pretix/control/templates/pretixcontrol/event/base.html
+++ b/src/pretix/control/templates/pretixcontrol/event/base.html
@@ -22,6 +22,12 @@
                     {% trans "General" %}
                 </a>
             </li>
+            <li>
+                <a href="{% url 'control:event.settings.permissions' organizer=request.event.organizer.slug event=request.event.slug %}"
+                        {% if "event.settings.permissions" == url_name %}class="active"{% endif %}>
+                    {% trans "Permissions" %}
+                </a>
+            </li>
             <li>
                 <a href="{% url 'control:event.settings.payment' organizer=request.event.organizer.slug event=request.event.slug %}"
                         {% if "event.settings.payment" == url_name %}class="active"{% endif %}>
diff --git a/src/pretix/control/templates/pretixcontrol/event/payment.html b/src/pretix/control/templates/pretixcontrol/event/payment.html
index aafdfa9326..638b06a10f 100644
--- a/src/pretix/control/templates/pretixcontrol/event/payment.html
+++ b/src/pretix/control/templates/pretixcontrol/event/payment.html
@@ -6,11 +6,6 @@
 		{% csrf_token %}
 		<fieldset>
 			<legend>{% trans "Payment settings" %}</legend>
-			{% if "success" in request.GET %}
-				<div class="alert alert-success">
-					{% trans "Your changes have been saved." %}
-				</div>
-			{% endif %}
 			{% for provider in providers %}
 				<div class="panel panel-default">
 					<div class="panel-heading">
diff --git a/src/pretix/control/templates/pretixcontrol/event/permissions.html b/src/pretix/control/templates/pretixcontrol/event/permissions.html
new file mode 100644
index 0000000000..e4222cb361
--- /dev/null
+++ b/src/pretix/control/templates/pretixcontrol/event/permissions.html
@@ -0,0 +1,43 @@
+{% extends "pretixcontrol/event/settings_base.html" %}
+{% load i18n %}
+{% load bootstrap3 %}
+{% block inside %}
+	<form action="" method="post" class="form-horizontal form-permissions">
+		{% csrf_token %}
+		<fieldset>
+			<legend>{% trans "Permissions" %}</legend>
+            {{ formset.management_form }}
+            <table class="table table-striped table-condensed">
+                <thead>
+                    <tr>
+                        <th>{% trans "User" %}</th>
+                        <th>{% trans "Change settings" %}</th>
+                        <th>{% trans "Change products" %}</th>
+                        <th>{% trans "View orders" %}</th>
+                        <th>{% trans "Change orders" %}</th>
+                        <th>{% trans "Change permissions" %}</th>
+                        <th>{% trans "Delete" %}</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {% for form in formset %}
+                        <tr>
+                            <td>{{ form.id }}{{ form.instance.user }}</td>
+                            <td>{{ form.can_change_settings }}</td>
+                            <td>{{ form.can_change_items }}</td>
+                            <td>{{ form.can_view_orders }}</td>
+                            <td>{{ form.can_change_orders }}</td>
+                            <td>{{ form.can_change_permissions }}</td>
+                            <td>{{ form.DELETE }}</td>
+                        </tr>
+                    {% endfor %}
+                </tbody>
+            </table>
+		</fieldset>
+        <div class="form-group submit-group">
+            <button type="submit" class="btn btn-primary btn-save">
+                {% trans "Save" %}
+            </button>
+        </div>
+	</form>
+{% endblock %}
diff --git a/src/pretix/control/urls.py b/src/pretix/control/urls.py
index 633ef415dd..fb32c615a7 100644
--- a/src/pretix/control/urls.py
+++ b/src/pretix/control/urls.py
@@ -18,6 +18,7 @@ urlpatterns = [
         url(r'^$', event.index, name='event.index'),
         url(r'^settings/$', event.EventUpdate.as_view(), name='event.settings'),
         url(r'^settings/plugins$', event.EventPlugins.as_view(), name='event.settings.plugins'),
+        url(r'^settings/permissions$', event.EventPermissions.as_view(), name='event.settings.permissions'),
         url(r'^settings/payment$', event.PaymentSettings.as_view(), name='event.settings.payment'),
         url(r'^settings/tickets$', event.TicketSettings.as_view(), name='event.settings.tickets'),
         url(r'^items/$', item.ItemList.as_view(), name='event.items'),
diff --git a/src/pretix/control/views/event.py b/src/pretix/control/views/event.py
index b64923b046..4731ec5f76 100644
--- a/src/pretix/control/views/event.py
+++ b/src/pretix/control/views/event.py
@@ -2,6 +2,7 @@ from collections import OrderedDict
 
 from django.contrib import messages
 from django.db.models import Sum
+from django.forms import inlineformset_factory, formset_factory, modelformset_factory, BaseInlineFormSet
 from django.shortcuts import render, redirect
 from django.utils.functional import cached_property
 from django.views.generic import FormView
@@ -9,8 +10,9 @@ from django.views.generic.base import TemplateView
 from django.views.generic.detail import SingleObjectMixin
 from django.utils.translation import ugettext_lazy as _
 from django.core.urlresolvers import reverse
+from pretix.base.forms import VersionedModelForm
 from pretix.control.forms.event import ProviderForm, TicketSettingsForm, EventSettingsForm, EventUpdateForm
-from pretix.base.models import Event, OrderPosition, Order, Item
+from pretix.base.models import Event, OrderPosition, Order, Item, EventPermission
 from pretix.base.signals import register_payment_providers, register_ticket_outputs
 from pretix.control.permissions import EventPermissionRequiredMixin
 from . import UpdateView
@@ -253,3 +255,48 @@ def index(request, organizer, event):
         ).count()
     }
     return render(request, 'pretixcontrol/event/index.html', ctx)
+
+
+class EventPermissions(EventPermissionRequiredMixin, TemplateView):
+    model = Event
+    form_class = TicketSettingsForm
+    template_name = 'pretixcontrol/event/permissions.html'
+    permission = 'can_change_permissions'
+
+    @cached_property
+    def formset(self):
+        fs = modelformset_factory(
+            EventPermission,
+            form=VersionedModelForm,
+            fields=('can_change_settings', 'can_change_items', 'can_change_permissions', 'can_view_orders',
+                    'can_change_orders'),
+            can_delete=True, can_order=False, extra=0
+        )
+        return fs(data=self.request.POST if self.request.method == "POST" else None,
+                  queryset=EventPermission.objects.current.filter(event=self.request.event))
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+        ctx['formset'] = self.formset
+        return ctx
+
+    def post(self, *args, **kwargs):
+        if self.formset.is_valid():
+            for form in self.formset.forms:
+                if form.instance.user_id == self.request.user.pk:
+                    if not form.cleaned_data['can_change_permissions'] or form in self.formset.deleted_forms:
+                        messages.error(self.request, _('You cannot remove your own permission to view this page.'))
+                        return self.get(*args, **kwargs)
+
+            self.formset.save()
+            messages.success(self.request, _('Your changes have been saved.'))
+            return redirect(self.get_success_url())
+        else:
+            messages.error(self.request, _('Your changes could not be saved.'))
+            return self.get(*args, **kwargs)
+
+    def get_success_url(self) -> str:
+        return reverse('control:event.settings.permissions', kwargs={
+            'organizer': self.request.event.organizer.slug,
+            'event': self.request.event.slug
+        })