diff --git a/CHANGELOG.md b/CHANGELOG.md index 82f1063350..673f2eefd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,6 +39,10 @@ Canonical reference for changes, improvements, and bugfixes for Boundary. * cli: Ensure errors print to stderr when token is not found ([Issue](https://github.com/hashicorp/boundary/issues/791)) ([PR](https://github.com/hashicorp/boundary/pull/799)) +* controller: Fix grant IDs being lowercased when being read back (and when + being used for permission evaluation) + ([Issue](https://github.com/hashicorp/boundary/issues/794)) + ([PR](https://github.com/hashicorp/boundary/pull/839)) ## v0.1.2 diff --git a/internal/perms/grants.go b/internal/perms/grants.go index 81b5fe5243..a5487c9ea2 100644 --- a/internal/perms/grants.go +++ b/internal/perms/grants.go @@ -145,7 +145,7 @@ func (g *Grant) unmarshalJSON(data []byte) error { if !ok { return fmt.Errorf("unable to interpret %q as string", "id") } - g.id = strings.ToLower(id) + g.id = id } if rawType, ok := raw["type"]; ok { typ, ok := rawType.(string) @@ -197,7 +197,7 @@ func (g *Grant) unmarshalText(grantString string) error { switch kv[0] { case "id": - g.id = strings.ToLower(kv[1]) + g.id = kv[1] case "type": typeString := strings.ToLower(kv[1]) @@ -272,7 +272,7 @@ func Parse(scopeId, grantString string, opt ...Option) (Grant, error) { // if so if grant.id != "" && strings.HasPrefix(grant.id, "{{") { id := strings.TrimSuffix(strings.TrimPrefix(grant.id, "{{"), "}}") - id = strings.ToLower(strings.TrimSpace(id)) + id = strings.TrimSpace(id) switch id { case "user.id": if opts.withUserId != "" { diff --git a/internal/servers/controller/handlers/roles/role_service_test.go b/internal/servers/controller/handlers/roles/role_service_test.go index 99a43b1e3f..fc084674e4 100644 --- a/internal/servers/controller/handlers/roles/role_service_test.go +++ b/internal/servers/controller/handlers/roles/role_service_test.go 
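Review bot: Nothing at the two assignments `g.id = id` (unmarshalJSON) and `g.id = kv[1]` (unmarshalText) says that leaving the ID untouched is deliberate, while `type` a few lines below is still passed through `strings.ToLower`. A later cleanup could plausibly "restore consistency" and bring back the permission-evaluation mismatch described in the changelog entry. I would add a comment at both sites, for example `// Keep the ID exactly as supplied: IDs are case-sensitive and a lowercased value will not match during permission evaluation.` Both functions start and end outside their hunks, so any trimming or validation applied to the ID elsewhere in them is not visible here.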
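Review bot: In the Parse hunk, dropping `strings.ToLower` changes template matching rather than ID handling. As far as the hunk shows, the local `id` is only the keyword between `{{` and `}}` and is compared against `"user.id"`, so a grant written as `{{User.Id}}` no longer reaches that case. What the switch does with an unmatched keyword is outside the hunk; if it rejects the grant or leaves the literal in place, grants accepted before this commit will parse differently after an upgrade. Keeping `id = strings.ToLower(strings.TrimSpace(id))` here would preserve the old template behaviour, and the two unmarshal changes would still fix the reported bug.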
@@ -1423,7 +1423,7 @@ func checkEqualGrants(t *testing.T, expected []string, got *pb.Role) {
 require.NoError(err)
 assert.Equal(expected[i], got.GrantStrings[i])
 assert.Equal(expected[i], got.Grants[i].GetRaw())
- assert.Equal(parsed.CanonicalString(), got.Grants[i].GetCanonical())
+ assert.Equal(v, got.Grants[i].GetCanonical())
 j := got.Grants[i].GetJson()
 require.NotNil(j)
 assert.Equal(parsed.Id(), j.GetId())
@@ -1463,9 +1463,9 @@ func TestAddGrants(t *testing.T) {
 },
 {
 name: "Add duplicate grant on role with grant",
- existing: []string{"id=1;actions=read"},
+ existing: []string{"id=aA1;actions=read"},
 add: []string{"id=*;type=*;actions=delete", "id=*;type=*;actions=delete"},
- result: []string{"id=1;actions=read", "id=*;type=*;actions=delete"},
+ result: []string{"id=aA1;actions=read", "id=*;type=*;actions=delete"},
 },
 {
 name: "Add grant matching existing grant",
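Review bot: In checkEqualGrants the canonical check now compares against the literal `v`, but the last context line `assert.Equal(parsed.Id(), j.GetId())` still takes its expected value from the parser. If the parser rewrites the ID again, both sides of that assertion change together and the JSON form is not protected. The new canonical assertion also holds only while every expected string is already written in canonical form; `v` is defined outside the hunk, presumably as the loop's expected string. A comment such as `// Compare with the literal input, not parsed output, so a parser that rewrites the ID cannot make both sides agree.` would record why `v` is used, and the JSON ID deserves the same parser-independent expectation.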
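Review bot: In the TestAddGrants hunk the mixed-case ID `aA1` appears only in `existing`, and both `add` strings use `id=*`. The add path is therefore never exercised with a case-sensitive ID, and nothing in the visible cases covers a templated ID. An extra case with `add: []string{"id=aA1;actions=delete"}` and the matching `result` would cover the request path this fix is about. The table continues outside the hunk, so such a case may already exist elsewhere.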