diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 824ea18b9f..bc26bc76a7 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -355,6 +355,10 @@ default_wrap = False
 # analytics_tool = # choose from google_analytics, segment, or metarouter
 # analytics_id = XXXXXXXXXXX
 
+# Update FAB permissions and sync security manager roles
+# on webserver startup
+update_fab_perms = True
+
 [email]
 email_backend = airflow.utils.email.send_email_smtp
 
diff --git a/airflow/www/app.py b/airflow/www/app.py
index 71cfc3fc89..71f77b1a4d 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -102,7 +102,8 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
             app,
             db.session if not session else session,
             security_manager_class=security_manager_class,
-            base_template='appbuilder/baselayout.html')
+            base_template='appbuilder/baselayout.html',
+            update_perms=conf.getboolean('webserver', 'UPDATE_FAB_PERMS'))
 
         def init_views(appbuilder):
             from airflow.www import views
@@ -191,8 +192,9 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
         init_views(appbuilder)
         init_plugin_blueprints(app)
 
-        security_manager = appbuilder.sm
-        security_manager.sync_roles()
+        if conf.getboolean('webserver', 'UPDATE_FAB_PERMS'):
+            security_manager = appbuilder.sm
+            security_manager.sync_roles()
 
         from airflow.www.api.experimental import endpoints as e
         # required for testing purposes otherwise the module retains
diff --git a/docs/faq.rst b/docs/faq.rst
index 05f499d762..f23276730f 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -214,3 +214,8 @@ Why next_ds or prev_ds might not contain expected values?
   ``execution_date`` and ``schedule_interval``. If you set ``schedule_interval`` as ``None`` or ``@once``,
   the ``next_ds``, ``next_ds_nodash``, ``prev_ds``, ``prev_ds_nodash`` valueS will be set to ``None``.
 - When manually triggering DAG, the schedule will be ignored, and ``prev_ds == next_ds == ds``
+
+How do I stop the sync perms happening multiple times per webserver?
+--------------------------------------------------------------------
+
+Set the value of ``update_fab_perms`` configuration in ``airflow.cfg`` to ``False``.