diff --git a/pkg/service/v0/service.go b/pkg/service/v0/service.go
index 98fcc2ee6..4f4c4d2c7 100644
--- a/pkg/service/v0/service.go
+++ b/pkg/service/v0/service.go
@@ -21,13 +21,32 @@ type Service struct {
 
 // NewService returns a service implementation for Service.
 func NewService(cfg *config.Config, logger log.Logger) Service {
-	return Service{
+	service := Service{
 		config:  cfg,
 		logger:  logger,
 		manager: store.New(cfg),
 	}
+	// FIXME: we're writing default roles per service start (i.e. twice at the moment, for http and grpc server).
+	for _, role := range generateBundlesDefaultRoles() {
+		bundleID := role.Extension + "." + role.Id
+		// check if the role already exists
+		bundle, _ := service.manager.ReadBundle(role.Id)
+		if bundle != nil {
+			logger.Debug().Msgf("Settings bundle %v already exists. Skipping.", bundleID)
+			continue
+		}
+		// create the role
+		_, err := service.manager.WriteBundle(role)
+		if err != nil {
+			logger.Error().Err(err).Msgf("Failed to register settings bundle %v", bundleID)
+		}
+		logger.Debug().Msgf("Successfully registered settings bundle %v", bundleID)
+	}
+	return service
 }
 
+// TODO: check permissions on every request
+
 // SaveBundle implements the BundleServiceHandler interface
 func (g Service) SaveBundle(c context.Context, req *proto.SaveBundleRequest, res *proto.SaveBundleResponse) error {
 	cleanUpResource(c, req.Bundle.Resource)
diff --git a/pkg/service/v0/settings.go b/pkg/service/v0/settings.go
new file mode 100644
index 000000000..dad4093e1
--- /dev/null
+++ b/pkg/service/v0/settings.go
@@ -0,0 +1,65 @@
+package svc
+
+import settings "github.com/owncloud/ocis-settings/pkg/proto/v0"
+
+const (
+	// BundleUUIDRoleAdmin represents the admin role
+	BundleUUIDRoleAdmin = "71881883-1768-46bd-a24d-a356a2afdf7f"
+
+	// BundleUUIDRoleUser represents the user role.
+	BundleUUIDRoleUser = "d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11"
+
+	// BundleUUIDRoleGuest represents the guest role.
+	BundleUUIDRoleGuest = "38071a68-456a-4553-846a-fa67bf5596cc"
+)
+
+// generateBundlesDefaultRoles bootstraps the default roles.
+func generateBundlesDefaultRoles() []*settings.Bundle {
+	return []*settings.Bundle{
+		generateBundleAdminRole(),
+		generateBundleUserRole(),
+		generateBundleGuestRole(),
+	}
+}
+
+func generateBundleAdminRole() *settings.Bundle {
+	return &settings.Bundle{
+		Id:          BundleUUIDRoleAdmin,
+		Name:        "admin",
+		Type:        settings.Bundle_TYPE_ROLE,
+		Extension:   "ocis-roles",
+		DisplayName: "Admin",
+		Resource: &settings.Resource{
+			Type: settings.Resource_TYPE_SYSTEM,
+		},
+		Settings: []*settings.Setting{},
+	}
+}
+
+func generateBundleUserRole() *settings.Bundle {
+	return &settings.Bundle{
+		Id:          BundleUUIDRoleUser,
+		Name:        "user",
+		Type:        settings.Bundle_TYPE_ROLE,
+		Extension:   "ocis-roles",
+		DisplayName: "User",
+		Resource: &settings.Resource{
+			Type: settings.Resource_TYPE_SYSTEM,
+		},
+		Settings: []*settings.Setting{},
+	}
+}
+
+func generateBundleGuestRole() *settings.Bundle {
+	return &settings.Bundle{
+		Id:          BundleUUIDRoleGuest,
+		Name:        "guest",
+		Type:        settings.Bundle_TYPE_ROLE,
+		Extension:   "ocis-roles",
+		DisplayName: "Guest",
+		Resource: &settings.Resource{
+			Type: settings.Resource_TYPE_SYSTEM,
+		},
+		Settings: []*settings.Setting{},
+	}
+}