diff --git a/misc/README.md b/misc/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..b5b4a4128b944ddd8d4005c85b5670502c1cc9ca
--- /dev/null
+++ b/misc/README.md
@@ -0,0 +1,17 @@
+# Miscellaneous scripts
+
+Scripts which haven't found another home yet.
+
+
+## `add-user.sh`
+
+Wrapper around some `invenio` commands for managing user roles.
+This script should be executed from within the project directory, as it uses `pipenv run`.
+
+
+### Requirements
+
+* `bash`
+* `pipenv`
+* `invenio` (with module `Invenio-Utilities-TUW`)
+* `fzf`
diff --git a/misc/add-role.sh b/misc/add-role.sh
new file mode 100755
index 0000000000000000000000000000000000000000..d6b771bdeac5d74c1d8b4bf94a07aaa8d4b37a32
--- /dev/null
+++ b/misc/add-role.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+role="trusted-user"
+add="add"
+show_all="0"
+while getopts "r:haR" arg; do
+ case "${arg}" in
+ r)
+ role="${OPTARG}"
+ ;;
+ a)
+ show_all="1"
+ ;;
+ R)
+ add="remove"
+ ;;
+ *)
+ echo "usage: $0 [options...]"
+ echo " -r ROLE role to add/remove"
+ echo " -R remove role instead"
+ echo " -a list all users (do not filter)"
+ exit
+ esac
+done
+
+# filter down users to only those who (don't) have the role
+users=$(pipenv --quiet run invenio tuw users list -rna 2>/dev/null)
+if [[ "${show_all}" -eq 0 ]]; then
+ if [[ "${add}" = "add" ]]; then
+ users=$(echo "${users}" | grep -ve "'${role}'")
+ else
+ users=$(echo "${users}" | grep -e "'${role}'")
+ fi
+fi
+
+# query for the user
+email="$(echo "${users}" | cut -d ' ' -f 2- | fzf --prompt "${add} ${role}>" | cut -d ' ' -f 1)"
+
+if [[ -n "${email}" ]]; then
+ if [[ "${add}" = "add" ]]; then
+ echo "adding role ${role} to ${email}"
+ pipenv --quiet run invenio roles add "${email}" "${role}"
+ else
+ echo "removing role ${role} from ${email}"
+ pipenv --quiet run invenio roles remove "${email}" "${role}"
+ fi
+else
+ echo >&2 "no user selected, aborting"
+fi