diff --git a/internal/db/migrations/postgres.gen.go b/internal/db/migrations/postgres.gen.go
index b6f3e0b372..01e7ba7749 100644
--- a/internal/db/migrations/postgres.gen.go
+++ b/internal/db/migrations/postgres.gen.go
@@ -541,9 +541,20 @@ create table iam_role (
     description text,
     scope_id wt_public_id not null references iam_scope(public_id) on delete cascade on update cascade,
     unique(name, scope_id),
-    disabled boolean not null default false
+    disabled boolean not null default false,
+    -- version allows optimistic locking of the role when modifying the role
+    -- itself and when modifying dependent items like principal roles. 
+    -- TODO (jlambert 6/2020) add before update trigger to automatically
+    -- increment the version when needed.  This trigger can be addded when PR
+    -- #126 is merged and update_version_column() is available.
+    version bigint not null default 1
   );
 
+-- create trigger 
+--   update_version_column
+-- before update on iam_role
+--   for each row execute procedure update_version_column();
+
 create trigger 
   update_time_column 
 before update on iam_role
diff --git a/internal/db/migrations/postgres/04_iam.up.sql b/internal/db/migrations/postgres/04_iam.up.sql
index b59a422fee..736c37ae6e 100644
--- a/internal/db/migrations/postgres/04_iam.up.sql
+++ b/internal/db/migrations/postgres/04_iam.up.sql
@@ -177,9 +177,20 @@ create table iam_role (
     description text,
     scope_id wt_public_id not null references iam_scope(public_id) on delete cascade on update cascade,
     unique(name, scope_id),
-    disabled boolean not null default false
+    disabled boolean not null default false,
+    -- version allows optimistic locking of the role when modifying the role
+    -- itself and when modifying dependent items like principal roles. 
+    -- TODO (jlambert 6/2020) add before update trigger to automatically
+    -- increment the version when needed.  This trigger can be addded when PR
+    -- #126 is merged and update_version_column() is available.
+    version bigint not null default 1
   );
 
+-- create trigger 
+--   update_version_column
+-- before update on iam_role
+--   for each row execute procedure update_version_column();
+
 create trigger 
   update_time_column 
 before update on iam_role
diff --git a/internal/iam/store/role.pb.go b/internal/iam/store/role.pb.go
index 6fde76a786..339a0ad549 100644
--- a/internal/iam/store/role.pb.go
+++ b/internal/iam/store/role.pb.go
@@ -53,6 +53,9 @@ type Role struct {
 	// disabled is by default false and allows a Role to be marked disabled.
 	// @inject_tag: `gorm:"default:null"`
 	Disabled bool `protobuf:"varint,9,opt,name=disabled,proto3" json:"disabled,omitempty" gorm:"default:null"`
+	// version allows optimistic locking of the role when modifying the role
+	// itself and when modifying dependent items like principal roles.
+	Version uint32 `protobuf:"varint,10,opt,name=version,proto3" json:"version,omitempty"`
 }
 
 func (x *Role) Reset() {
@@ -136,6 +139,13 @@ func (x *Role) GetDisabled() bool {
 	return false
 }
 
+func (x *Role) GetVersion() uint32 {
+	if x != nil {
+		return x.Version
+	}
+	return 0
+}
+
 var File_controller_storage_iam_store_v1_role_proto protoreflect.FileDescriptor
 
 var file_controller_storage_iam_store_v1_role_proto_rawDesc = []byte{
@@ -149,7 +159,7 @@ var file_controller_storage_iam_store_v1_role_proto_rawDesc = []byte{
 	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2b,
 	0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x61,
 	0x67, 0x65, 0x2f, 0x69, 0x61, 0x6d, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f,
-	0x73, 0x63, 0x6f, 0x70, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xaa, 0x02, 0x0a, 0x04,
+	0x73, 0x63, 0x6f, 0x70, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc4, 0x02, 0x0a, 0x04,
 	0x52, 0x6f, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x69,
 	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x49,
 	0x64, 0x12, 0x4b, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65,
@@ -168,11 +178,13 @@ var file_controller_storage_iam_store_v1_role_proto_rawDesc = []byte{
 	0x6e, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08,
 	0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08,
-	0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x42, 0x3a, 0x5a, 0x38, 0x67, 0x69, 0x74, 0x68,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
-	0x2f, 0x77, 0x61, 0x74, 0x63, 0x68, 0x74, 0x6f, 0x77, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x74, 0x65,
-	0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x69, 0x61, 0x6d, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3b, 0x73,
-	0x74, 0x6f, 0x72, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73,
+	0x69, 0x6f, 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69,
+	0x6f, 0x6e, 0x42, 0x3a, 0x5a, 0x38, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x77, 0x61, 0x74, 0x63, 0x68,
+	0x74, 0x6f, 0x77, 0x65, 0x72, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x69,
+	0x61, 0x6d, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3b, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x62, 0x06,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
diff --git a/internal/proto/local/controller/storage/iam/store/v1/role.proto b/internal/proto/local/controller/storage/iam/store/v1/role.proto
index 4552770eb3..8209842491 100644
--- a/internal/proto/local/controller/storage/iam/store/v1/role.proto
+++ b/internal/proto/local/controller/storage/iam/store/v1/role.proto
@@ -35,4 +35,8 @@ message Role {
   // disabled is by default false and allows a Role to be marked disabled.
   // @inject_tag: `gorm:"default:null"`
   bool disabled = 9;
+
+  // version allows optimistic locking of the role when modifying the role
+  // itself and when modifying dependent items like principal roles.
+  uint32 version = 10;
 }