diff --git a/db/seeds.rb b/db/seeds.rb
new file mode 100644
index 0000000000..3d2f8e8a66
--- /dev/null
+++ b/db/seeds.rb
@@ -0,0 +1 @@
+OpenProject::Reporting::DefaultData.load! unless Rails.env.test?
diff --git a/lib/open_project/reporting/default_data.rb b/lib/open_project/reporting/default_data.rb
new file mode 100644
index 0000000000..be7cbe4f6f
--- /dev/null
+++ b/lib/open_project/reporting/default_data.rb
@@ -0,0 +1,32 @@
+module OpenProject
+  module Reporting
+    module DefaultData
+      module_function
+
+      def load!
+        restrict_project_admin_permissions!
+      end
+
+      ##
+      # The Project Admin role is assigned all possible permission in
+      # the core's `roles.rb` seed. Here we remove those permissions
+      # which should not be assigned by default.
+      def restrict_project_admin_permissions!
+        role = project_admin_role or raise 'Project admin role not found'
+
+        role.remove_permission! *restricted_project_admin_permissions
+      end
+
+      def project_admin_role
+        Role.find_by name: I18n.t(:default_role_project_admin)
+      end
+
+      def restricted_project_admin_permissions
+        [
+          :save_cost_reports,
+          :save_private_cost_reports
+        ]
+      end
+    end
+  end
+end