diff --git a/services/web/scripts/back_fill_staff_access.js b/services/web/scripts/back_fill_staff_access.js
new file mode 100644
index 0000000000..407c87eb1a
--- /dev/null
+++ b/services/web/scripts/back_fill_staff_access.js
@@ -0,0 +1,93 @@
+const { db, waitForDb } = require('../app/src/infrastructure/mongodb')
+const { ReadPreference } = require('mongodb')
+const UserSessionsManager = require('../app/src/Features/User/UserSessionsManager')
+
+const COMMIT = process.argv.includes('--commit')
+const KEEP_SESSIONS = process.argv.includes('--keep-sessions')
+
+const FULL_STAFF_ACCESS = {
+  publisherMetrics: true,
+  publisherManagement: true,
+  institutionMetrics: true,
+  institutionManagement: true,
+  groupMetrics: true,
+  groupManagement: true,
+  adminMetrics: true,
+  splitTestMetrics: true,
+  splitTestManagement: true,
+}
+
+function doesNotHaveFullStaffAccess(user) {
+  if (!user.staffAccess) {
+    return true
+  }
+  for (const field of Object.keys(FULL_STAFF_ACCESS)) {
+    if (!user.staffAccess[field]) {
+      return true
+    }
+  }
+  return false
+}
+
+function formatUser(user) {
+  user = Object.assign({}, user, user.staffAccess)
+  delete user.staffAccess
+  return user
+}
+
+async function main() {
+  await waitForDb()
+  const adminUsers = await db.users
+    .find(
+      { isAdmin: true },
+      {
+        projection: {
+          _id: 1,
+          email: 1,
+          staffAccess: 1,
+        },
+        readPreference: ReadPreference.SECONDARY,
+      }
+    )
+    .toArray()
+
+  console.log('All Admin users:')
+  console.table(adminUsers.map(formatUser))
+
+  const incompleteUsers = adminUsers.filter(doesNotHaveFullStaffAccess)
+  if (incompleteUsers.length === 0) {
+    console.warn('All Admin users have full staff access.')
+    return
+  }
+
+  console.log()
+  console.log('Incomplete staff access:')
+  console.table(incompleteUsers.map(formatUser))
+
+  if (COMMIT) {
+    for (const user of incompleteUsers) {
+      console.error(
+        `Granting ${user.email} (${user._id.toString()}) full staff access`
+      )
+      await db.users.updateOne(
+        { _id: user._id, isAdmin: true },
+        { $set: { staffAccess: FULL_STAFF_ACCESS } }
+      )
+      if (!KEEP_SESSIONS) {
+        await UserSessionsManager.promises.revokeAllUserSessions(user, [])
+      }
+    }
+  } else {
+    console.warn('Use --commit to grant missing staff access.')
+  }
+}
+
+main()
+  .then(() => {
+    console.error('Done.')
+    process.exit(0)
+  })
+  .catch(error => {
+    console.error({ error })
+    process.exit(1)
+  })