diff --git a/modules/webaccess/lib/Makefile.am b/modules/webaccess/lib/Makefile.am
index aa8390147..58c645907 100644
--- a/modules/webaccess/lib/Makefile.am
+++ b/modules/webaccess/lib/Makefile.am
@@ -1,39 +1,41 @@
 ## $Id$
 
 ## This file is part of CDS Invenio.
 ## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 CERN.
 ##
 ## CDS Invenio is free software; you can redistribute it and/or
 ## modify it under the terms of the GNU General Public License as
 ## published by the Free Software Foundation; either version 2 of the
 ## License, or (at your option) any later version.
 ##
 ## CDS Invenio is distributed in the hope that it will be useful, but
 ## WITHOUT ANY WARRANTY; without even the implied warranty of
 ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 ## General Public License for more details.
 ##
 ## You should have received a copy of the GNU General Public License
 ## along with CDS Invenio; if not, write to the Free Software Foundation, Inc.,
 ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
 
 pylibdir = $(libdir)/python/invenio
 
 pylib_DATA = access_control_engine.py \
              access_control_config.py \
              access_control_admin.py \
              access_control_mailcookie.py \
              access_control_firerole.py \
              access_control_firerole_tests.py \
              webaccessadmin_lib.py \
              external_authentication_cern.py \
              external_authentication.py \
              external_authentication_ldap.py \
              external_authentication_cern_wrapper.py \
              external_authentication_cern_tests.py \
              external_authentication_sso.py \
              webaccess_regression_tests.py
 
+noinst_DATA = collection_restrictions_migration_kit.py
+
 EXTRA_DIST = $(pylib_DATA)
 
 CLEANFILES = *~ *.tmp *.pyc
diff --git a/modules/webaccess/lib/collection_restrictions_migration_kit.py b/modules/webaccess/lib/collection_restrictions_migration_kit.py
new file mode 100644
index 000000000..522a7ac9b
--- /dev/null
+++ b/modules/webaccess/lib/collection_restrictions_migration_kit.py
@@ -0,0 +1,89 @@
+## $Id$
+
+## This file is part of CDS Invenio.
+## Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007 CERN.
+##
+## CDS Invenio is free software; you can redistribute it and/or
+## modify it under the terms of the GNU General Public License as
+## published by the Free Software Foundation; either version 2 of the
+## License, or (at your option) any later version.
+##
+## CDS Invenio is distributed in the hope that it will be useful, but
+## WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+## General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with CDS Invenio; if not, write to the Free Software Foundation, Inc.,
+## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
+
+"""
+This script will migrate restricted collection to previous Apache only
+method to enhanced FireRole/WebAccess aware mode.
+"""
+
+from invenio.dbquery import run_sql
+from invenio.access_control_admin import acc_add_authorization, acc_add_role
+from invenio.access_control_firerole import compile_role_definition, serialize
+from invenio.access_control_config import VIEWRESTRCOLL
+try:
+    set()
+except NameError:
+    from sets import Set as set
+
+CFG_PROPOSED_ROLE_NAME = "%s group"
+CFG_PROPOSED_ROLE_DESCRIPTION = "Group to access the following restricted collection(s): %s."
+
+def retrieve_restricted_collection():
+    """Return a dictionary with collectionname -> apache group."""
+
+    res = run_sql('SELECT name, restricted FROM collection WHERE restricted<>""')
+    if res:
+        return dict(res)
+    else:
+        return {}
+
+def get_collections_for_group(restrictions, given_group):
+    """Return a list of collections name accessible by the given group."""
+    collections = []
+    for collection, group in restrictions.iteritems():
+        if group == given_group:
+            collections.append(collection)
+    return collections
+
+def create_needed_roles(restrictions, apache_group):
+    """Create a role for the corresponding apache_group."""
+
+    role_name = CFG_PROPOSED_ROLE_NAME % apache_group
+    role_description = CFG_PROPOSED_ROLE_DESCRIPTION % ', '.join(get_collections_for_group(restrictions, apache_group))
+    role_definition_src = 'allow apache_group "%s"' % apache_group
+    print "Creating role '%s' ('%s') with firerole '%s'..." % (role_name, role_description, role_definition_src),
+    res = acc_add_role(role_name, role_description, serialize(compile_role_definition(role_definition_src)), role_definition_src)
+    if res == 0:
+        print "Already existed!"
+    else:
+        print "OK!"
+    return role_name
+
+def migrate_restricted_collection(collection_name, role_name):
+    """Migrate a single collection restriction."""
+
+    print "Adding authorization to role '%s' for viewing collection '%s'..." % (role_name, collection_name),
+    acc_add_authorization(role_name, VIEWRESTRCOLL, collection=collection_name)
+    print "OK!"
+
+def migrate():
+    """Core."""
+    restrictions = retrieve_restricted_collection()
+    apache_groups = set(restrictions.values())
+
+    print "%i restrictions to migrate" % len(restrictions.keys())
+    print "%i roles to create" % len(apache_groups)
+    role_names = {}
+    for apache_group in apache_groups:
+        role_names[apache_group] = create_needed_roles(restrictions, apache_group)
+    for collection_name, apache_group in restrictions.iteritems():
+        migrate_restricted_collection(collection_name, role_names[apache_group])
+
+if __name__ == "__main__":
+    migrate()
\ No newline at end of file