diff --git a/backend/src/main/resources/db/migration/V11__add_annotate_all_permission.sql b/backend/src/main/resources/db/migration/V11__add_annotate_all_permission.sql
new file mode 100644
index 00000000..4c797f6c
--- /dev/null
+++ b/backend/src/main/resources/db/migration/V11__add_annotate_all_permission.sql
@@ -0,0 +1,7 @@
+-- Grant ANNOTATE_ALL to every group that already has ADMIN.
+-- New installs get it via DataInitializer; this covers existing deployments.
+INSERT INTO group_permissions (group_id, permission)
+SELECT g.id, 'ANNOTATE_ALL'
+FROM user_groups g
+WHERE g.id IN (SELECT group_id FROM group_permissions WHERE permission = 'ADMIN')
+  AND g.id NOT IN (SELECT group_id FROM group_permissions WHERE permission = 'ANNOTATE_ALL');