diff --git a/backend/src/db/migrations/20260222120000-public-permissions.js b/backend/src/db/migrations/20260222120000-public-permissions.js
new file mode 100644
index 0000000..4e2a1d6
--- /dev/null
+++ b/backend/src/db/migrations/20260222120000-public-permissions.js
@@ -0,0 +1,41 @@
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    const createdAt = new Date();
+    const updatedAt = new Date();
+
+    const [roles] = await queryInterface.sequelize.query(
+      `SELECT id FROM "roles" WHERE name = 'Public' LIMIT 1;`
+    );
+    const publicRoleId = roles[0]?.id;
+
+    if (!publicRoleId) return;
+
+    const [permissions] = await queryInterface.sequelize.query(
+      `SELECT id, name FROM "permissions" WHERE name IN ('READ_CASINO_HOTELS', 'READ_AMENITIES');`
+    );
+
+    if (permissions.length === 0) return;
+
+    const rolePermissions = permissions.map(p => ({
+      createdAt,
+      updatedAt,
+      roles_permissionsId: publicRoleId,
+      permissionId: p.id
+    }));
+
+    await queryInterface.bulkInsert('rolesPermissionsPermissions', rolePermissions);
+  },
+
+  async down(queryInterface, Sequelize) {
+    const [roles] = await queryInterface.sequelize.query(
+      `SELECT id FROM "roles" WHERE name = 'Public' LIMIT 1;`
+    );
+    const publicRoleId = roles[0]?.id;
+
+    if (!publicRoleId) return;
+
+    await queryInterface.sequelize.query(
+      `DELETE FROM "rolesPermissionsPermissions" WHERE "roles_permissionsId" = '${publicRoleId}';`
+    );
+  }
+};