diff --git a/control-admin/src/main/java/fi/nls/oskari/control/admin/LayerPermissionHandler.java b/control-admin/src/main/java/fi/nls/oskari/control/admin/LayerPermissionHandler.java index 3e5e15d89..4815dafc9 100644 --- a/control-admin/src/main/java/fi/nls/oskari/control/admin/LayerPermissionHandler.java +++ b/control-admin/src/main/java/fi/nls/oskari/control/admin/LayerPermissionHandler.java @@ -1,10 +1,15 @@ package fi.nls.oskari.control.admin; import fi.nls.oskari.annotation.OskariActionRoute; +import fi.nls.oskari.cache.CacheManager; import fi.nls.oskari.control.ActionException; import fi.nls.oskari.control.ActionParameters; +import fi.nls.oskari.control.ActionParamsException; +import fi.nls.oskari.control.layer.GetMapLayerGroupsHandler; import fi.nls.oskari.domain.Role; import fi.nls.oskari.domain.map.OskariLayer; +import fi.nls.oskari.log.LogFactory; +import fi.nls.oskari.log.Logger; import fi.nls.oskari.map.layer.OskariLayerService; import fi.nls.oskari.service.OskariComponentManager; import fi.nls.oskari.service.ServiceException; @@ -15,6 +20,7 @@ import org.json.JSONArray; import org.json.JSONException; import org.json.JSONObject; +import org.oskari.log.AuditLog; import org.oskari.permissions.PermissionService; import org.oskari.permissions.model.*; @@ -41,6 +47,8 @@ public class LayerPermissionHandler extends AbstractLayerAdminHandler { private static final String KEY_LAYERS = "layers"; private static final String KEY_PERMISSION = "permissions"; + private final static Logger log = LogFactory.getLogger(LayerPermissionHandler.class); + @Override public void init() { super.init(); 
@@ -105,7 +113,78 @@ public void handleGet(ActionParameters params) throws ActionException { @Override public void handlePost(ActionParameters params) throws ActionException { - // TODO: basically SaveLayerPermissionHandler, but check if the syntax still makes sense + //only accept admins + params.requireAdminUser(); + + final JSONArray resources = parseJSONArray(params.getHttpParam(KEY_LAYERS)); + final List layerMappings = new ArrayList<>(); + + try { + for (int i = 0; i < resources.length(); i++) { + final JSONObject layerPermission = resources.getJSONObject(i); + final String layerMapping = new Integer(layerPermission.getInt("id")).toString(); + final Optional dbResource = permissionsService.findResource(ResourceType.maplayer, layerMapping); + if (!dbResource.isPresent()) { + throw new ActionParamsException("Resource not found: " + layerMapping); + } + Resource resource = dbResource.get(); + final int roleId = Integer.parseInt(layerPermission.getString("roleId")); + JSONArray perm = layerPermission.getJSONArray("permissions"); + final List resourcePermissions = resource.getPermissions(); + + + for (int n = 0; n < resourcePermissions.size(); n++) { + Permission permission = resourcePermissions.get(n); + boolean found = false; + String type = permission.getType(); + for (int j = 0; j < perm.length(); j++) { + if (perm.getString(j).equals(type)) { + found = true; + } + } + if (!found) { + // permission was REMOVED + resource.removePermissionsOfType(type, PermissionExternalType.ROLE, roleId); + } + } + for (int j = 0; j < perm.length(); j++) { + String permissionType = perm.getString(j); + + if (!resource.hasRolePermission(roleId, permissionType)) { + // permission was GRANTED + Permission permission = new Permission(); + permission.setRoleId(roleId); + permission.setType(permissionType); + resource.addPermission(permission); + } + } + permissionsService.saveResource(resource); + AuditLog.user(params.getClientIp(), params.getUser()) + .withParam("id", 
resource.getMapping()) + .updated(AuditLog.ResourceType.MAPLAYER_PERMISSION); + layerMappings.add(resource.getMapping()); + } + ResponseHelper.writeResponse(params, "success"); + flushLayerListCache(); + } catch (JSONException e) { + throw new ActionParamsException("Invalid input"); + } finally { + log.info("Layer permissions updated by", params.getUser().getScreenname(), "Layers updated:", layerMappings); + } + } + + private void flushLayerListCache() { + CacheManager.getCache(GetMapLayerGroupsHandler.CACHE_NAME).flush(true); + } + + private JSONArray parseJSONArray(final String jsonArray) throws ActionParamsException { + try { + final JSONArray resources = new JSONArray(jsonArray); + log.debug(" permissions JSON ", resources); + return resources; + } catch (Exception e) { + throw new ActionParamsException("Unable to parse param JSON:\n" + jsonArray); + } } private Role[] getRoles() {
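Review bot: A failure part-way through the loop in `handlePost` leaves earlier resources already written by `permissionsService.saveResource(resource)` while `flushLayerListCache()` is skipped, because the flush sits only on the success path after the loop. The `ActionParamsException` for a missing resource, a `JSONException`, and the uncaught `NumberFormatException` from `Integer.parseInt(layerPermission.getString("roleId"))` all exit that way, so a permission that was just revoked may keep being served from the cached layer list (assuming that cache reflects permissions; please confirm). Either validate every entry before saving any, or move the flush into the `finally` block as `if (!layerMappings.isEmpty()) { flushLayerListCache(); }`. The `finally` log line also reads "Layer permissions updated by" on failed requests, so it should move to the success path or state the outcome. Separately, `parseJSONArray` echoes the raw request parameter in its exception message and drops the cause; a fixed message plus `log.debug` of the parse error would avoid reflecting input back to the caller.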