diff --git a/engine/schema/src/main/java/com/cloud/upgrade/RolePermissionChecker.java b/engine/schema/src/main/java/com/cloud/upgrade/RolePermissionChecker.java
new file mode 100644
index 00000000000..6d434cda755
--- /dev/null
+++ b/engine/schema/src/main/java/com/cloud/upgrade/RolePermissionChecker.java
@@ -0,0 +1,61 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.upgrade;
+
+import org.apache.log4j.Logger;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+
+public class RolePermissionChecker {
+
+    final static Logger LOG = Logger.getLogger(RolePermissionChecker.class);
+
+    private static final String checkAnnotationRulesPermissionPreparedStatement =
+            "SELECT permission FROM `cloud`.`role_permissions` WHERE role_id = ? AND rule = ?";
+    private static final String insertAnnotationRulePermissionPreparedStatement =
+            "INSERT IGNORE INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), ?, ?, 'ALLOW')";
+
+    public RolePermissionChecker() {
+    }
+
+    public boolean existsRolePermissionByRoleIdAndRule(Connection conn, long roleId, String rule) {
+        try {
+            PreparedStatement pstmt = conn.prepareStatement(checkAnnotationRulesPermissionPreparedStatement);
+            pstmt.setLong(1, roleId);
+            pstmt.setString(2, rule);
+            ResultSet rs = pstmt.executeQuery();
+            return rs != null && rs.next();
+        } catch (SQLException e) {
+            LOG.error("Error on existsRolePermissionByRoleIdAndRule: " + e.getMessage(), e);
+            return false;
+        }
+    }
+
+    public void insertAnnotationRulePermission(Connection conn, long roleId, String rule) {
+        try {
+            PreparedStatement pstmt = conn.prepareStatement(insertAnnotationRulePermissionPreparedStatement);
+            pstmt.setLong(1, roleId);
+            pstmt.setString(2, rule);
+            pstmt.executeUpdate();
+        } catch (SQLException e) {
+            LOG.error("Error on insertAnnotationRulePermission: " + e.getMessage(), e);
+        }
+    }
+}
diff --git a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41520to41600.java b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41520to41600.java
index c61d5188e36..fdc261824d7 100644
--- a/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41520to41600.java
+++ b/engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade41520to41600.java
@@ -22,8 +22,12 @@ import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.util.Arrays;
+import java.util.List;
 
+import com.cloud.upgrade.RolePermissionChecker;
 import com.cloud.upgrade.SystemVmTemplateRegistration;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.log4j.Logger;
 
 import com.cloud.utils.exception.CloudRuntimeException;
@@ -32,6 +36,7 @@ public class Upgrade41520to41600 implements DbUpgrade, DbUpgradeSystemVmTemplate
 
     final static Logger LOG = Logger.getLogger(Upgrade41520to41600.class);
     private SystemVmTemplateRegistration systemVmTemplateRegistration;
+    private RolePermissionChecker rolePermissionChecker = new RolePermissionChecker();
 
     public Upgrade41520to41600() {
     }
@@ -65,6 +70,28 @@ public class Upgrade41520to41600 implements DbUpgrade, DbUpgradeSystemVmTemplate
     @Override
     public void performDataMigration(Connection conn) {
         generateUuidForExistingSshKeyPairs(conn);
+        populateAnnotationPermissions(conn);
+    }
+
+    private void populateAnnotationPermissions(Connection conn) {
+        List<String> annotationRules = Arrays.asList("listAnnotations", "addAnnotation", "removeAnnotation");
+        for (RoleType roleType : Arrays.asList(RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User)) {
+            checkAndPersistAnnotationPermissions(conn, roleType, annotationRules);
+        }
+    }
+
+    private void checkAndPersistAnnotationPermissions(Connection conn, RoleType roleType, List<String> rules) {
+        LOG.debug("Checking the annotation permissions for the role: " + roleType.getId());
+        for (String rule : rules) {
+            LOG.debug("Checking the annotation permissions for the role: " + roleType.getId() + " and rule: " + rule);
+            if (!rolePermissionChecker.existsRolePermissionByRoleIdAndRule(conn, roleType.getId(), rule)) {
+                LOG.debug("Inserting role permission for role: " + roleType.getId() + " and rule: " + rule);
+                rolePermissionChecker.insertAnnotationRulePermission(conn, roleType.getId(), rule);
+            } else {
+                LOG.debug("Found existing role permission for role: " + roleType.getId() + " and rule: " + rule +
+                        ", not updating it");
+            }
+        }
     }
 
     private void generateUuidForExistingSshKeyPairs(Connection conn) {
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-41520to41600.sql b/engine/schema/src/main/resources/META-INF/db/schema-41520to41600.sql
index d7c064159e1..0f084c5b0bc 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-41520to41600.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-41520to41600.sql
@@ -727,17 +727,6 @@ CREATE TABLE `cloud`.`resource_icon` (
 
 ALTER TABLE `cloud`.`annotations` ADD COLUMN `admins_only` tinyint(1) unsigned NOT NULL DEFAULT 1;
 
--- Allow annotations for resource admins, domain admins and users
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 2, 'removeAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 3, 'removeAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'listAnnotations', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'addAnnotation', 'ALLOW');
-INSERT INTO `cloud`.`role_permissions` (uuid, role_id, rule, permission) VALUES (UUID(), 4, 'removeAnnotation', 'ALLOW');
-
 -- Add uuid for ssh keypairs
 ALTER TABLE `cloud`.`ssh_keypairs` ADD COLUMN `uuid` varchar(40) AFTER `id`;