diff --git a/modules/api/auth.py b/modules/api/auth.py
index 76cc49b..4921c3c 100644
--- a/modules/api/auth.py
+++ b/modules/api/auth.py
@@ -11,6 +11,7 @@ from scripts import loggorilla, saltedkey, googly, tokenguard, s
 import procedure.validation as procedure_validation
 import procedure.webmail as procedure_webmail
+import procedure.grant as procedure_grant
 class auth:
diff --git a/procedure/grant.py b/procedure/grant.py
new file mode 100644
index 0000000..ef9d90d
--- /dev/null
+++ b/procedure/grant.py
@@ -0,0 +1,15 @@
+def is_grant_allowed(my_roles, target_roles, allowed_grant):
+ allowed = {
+ role
+ for r in my_roles
+ for role in next((g['allowed'] for g in allowed_grant if g['roles'] == r), [])
+ }
+ return all(role in allowed for role in target_roles)
+
+def get_disallowed_roles(my_roles, target_roles, allowed_grant):
+ allowed = {
+ role
+ for r in my_roles
+ for role in next((g['allowed'] for g in allowed_grant if g['roles'] == r), [])
+ }
+ return [r for r in target_roles if r not in allowed]
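Review bot: In `procedure/grant.py`, `is_grant_allowed` and `get_disallowed_roles` each rebuild the same `allowed` set, so the yes/no decision and the list of rejected roles can drift apart the next time only one of them is edited; for an authorization check a single source of truth is safer, e.g. `return not get_disallowed_roles(my_roles, target_roles, allowed_grant)` in `is_grant_allowed`. An empty `target_roles` also yields `True` (`all()` over nothing), and `next(...)` uses only the first `allowed_grant` entry whose `'roles'` equals the role, so a second entry for the same role is silently ignored; both behaviours deserve a docstring line or an explicit guard. The callers are not visible in this diff, so it is worth confirming in `modules/api/auth.py` that `my_roles` comes from the verified session or token rather than from the request body.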