# Permify MCP

> Permify manages complex access control policies and authorization models directly from your agent. Use this MCP to write, read, and test fine-grained schemas, define how users relate to resources, and perform real-time permission checks without touching a database. Manage multi-tenant environments and audit relationships across entire systems.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** iam, authorization, rbac, abac, rebac, access-control

## Description

This connector lets you build and enforce robust authorization logic using natural language commands through your agent. Instead of manually writing SQL queries or navigating complex dashboard menus, you define the rules governing who can access what data.

Need to check if a user has permission to edit a specific document? You ask your agent, and it performs the necessary resource-based checks instantly. Want to see all the different ways users interact with your system? You run relationship audits to map every connection. The entire process of defining schemas, managing data tuples, and checking permissions happens in one conversational flow.

Because Vinkius hosts this MCP, you connect once from any compatible client—be it Claude, Cursor, or Windsurf—and get immediate access to the full suite of authorization tools needed for modern application security.

## Tools

### bulk_check_permissions
Checks multiple permissions across several resources in one request.

### check_permission
Performs a single, resource-based authorization check for immediate validation.

### create_tenant
Sets up an entirely new, isolated client environment or tenant.

### delete_bundle
Removes a pre-defined collection of policy rules or data bundles.

### delete_data
Clears out stored relationship tuples and associated attributes.

### delete_tenant
Permanently removes an existing tenant environment from the system.

### expand_permissions
Retrieves every subject that is related to a specified entity, mapping out connections.

### list_schemas
Returns a list of all available schema versions for a specific tenant.

### list_tenants
Retrieves a comprehensive list of every active tenant in the system.

### lookup_entity
Identifies which resources an individual user has permission to perform actions on.

### lookup_subject
Determines which subjects are capable of performing a specified action against a resource.

### partial_write_schema
Updates an authorization model schema by only modifying specific parts of the existing policy.

### read_attributes
Queries and retrieves stored, non-relational data attributes used in policies.

### read_bundle
Retrieves the detailed configuration and rules of a specific policy bundle.

### read_relationships
Queries and reads stored relational tuples, mapping connections between subjects and resources.

### read_schema
Inspects the full details of a specific schema version for review.

### run_bundle
Executes a predefined policy bundle to test its impact or generate results.

### subject_permission
Lists every permission a given subject holds on a specified entity.

### write_bundle
Defines or updates the ruleset for data bundles, creating new policy definitions.

### write_data
Creates and stores new relationship tuples or attribute data points.

### write_schema
Writes a brand-new authorization model schema from scratch for the system.

## Prompt Examples

**Prompt:** 
```
Check if user 'user:123' has 'edit' permission on 'document:doc-001' in tenant 'default'.
```

**Response:** 
```
I've performed the check using `check_permission`. The result is 'ALLOWED'. User 123 has the necessary edit rights for that document.
```

**Prompt:** 
```
List all schema versions for tenant 'production-v1'.
```

**Response:** 
```
Fetching schema history... I found 3 versions for 'production-v1'. The latest version is 'v20231027-01'. Would you like to inspect its details using `read_schema`?
```

**Prompt:** 
```
Create a new tenant called 'client-alpha-test'.
```

**Response:** 
```
Executing `create_tenant`... Success! The tenant 'client-alpha-test' has been created with ID 'cat-9920'. You can now start writing its authorization schema.
```

## Capabilities

### Verify permissions across groups
Run bulk checks to confirm if a group of users has access rights to multiple resources simultaneously.

### Audit user relationships
Retrieve every subject linked to an entity, showing exactly who has established connections with that resource.

### Model authorization structures
Write or update the underlying schemas and models that define your entire access control policy.

### Map user roles to resources
Find out which specific resources a given user can perform an action on, based on current policies.

### Manage isolated environments
Create and delete completely separate tenants, allowing you to test policies for different clients without interference.

## Use Cases

### A client needs to verify if a new integration user has adequate rights.
Instead of asking the DBA to run a dozen permission checks, you ask your agent: 'Does user X have read and write access on document Y?' The agent executes `check_permission` and gives you an immediate ALLOWED or DENIED status.

### A team needs to map out all historical data connections for compliance.
You prompt your agent to audit a specific resource, asking it to use `expand_permissions`. The agent returns every single subject that has ever interacted with the resource, solving the compliance mapping problem.

### A developer needs to test a policy change for a new client.
You instruct your agent to first run `create_tenant` to build 'client-beta'. Then you use `write_schema` and `write_data` within that isolated tenant to simulate the full access model before deploying anything live.

### The system needs to confirm if all policy rules are up to date after a major release.
You ask your agent to run `list_schemas` for the production environment, compare it against the last known good schema version using `read_schema`, and flag any discrepancies immediately.

## Benefits

- Stop relying on guesswork when auditing. Use `expand_permissions` to instantly see every single subject connected to a resource, giving you a complete relationship graph view.
- Testing policies used to be slow. Now, use `write_schema` or `partial_write_schema` to define and test models rapidly, letting your agent handle the structure updates for you.
- Forget manually querying data tables. The MCP lets you write and read complex relationship tuples using `write_data` and `read_relationships`, keeping all user-resource connections centralized.
- When a client needs dedicated testing, use `create_tenant`. This allows your agent to provision an isolated environment, ensuring policy changes don't affect production systems.
- Need quick validation? Run multiple checks at once with `bulk_check_permissions` instead of writing dozens of individual API calls for high-scale enterprise auditing.

## How It Works

In short, you use natural conversation to manage complex security policies instead of writing code or calling multiple API endpoints by hand.

1. First, subscribe to the MCP and provide your Permify API URL and Secret Token credentials.
2. Next, prompt your agent with a natural language request, such as checking permissions or listing tenants.
3. Your agent executes the necessary tool calls against the MCP, returning an immediate, actionable result.

## Frequently Asked Questions

**How do I check if two different users have conflicting permissions using Permify?**
You can use `bulk_check_permissions`. This tool lets you test multiple user access scenarios simultaneously, confirming any conflicts or overlaps in a single request.

**Can the Permify MCP help me manage multiple clients?**
Yes. You use the `create_tenant` and `delete_tenant` tools to set up completely isolated environments for each client, keeping their policies separate and secure.

**What is the difference between writing data and writing a schema with Permify?**
Writing data uses `write_data` to save specific relationship tuples (e.g., 'User A relates to Document B'). Writing a schema (`write_schema`) defines the *rules* that govern all possible relationships.
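To make the schema/data split concrete, here is an added toy ReBAC evaluator. It is not Permify's own code and does not call its API; the function names `write_data`, `check`, `lookup_entity` and `expand` are hypothetical stand-ins for the MCP tools of similar names, and the schema and tuples are constructed sample data.

```python
# Added illustration, not Permify's own code: a toy ReBAC evaluator that keeps the
# schema (the rules, what write_schema stores) apart from the relationship tuples
# (what write_data stores) and answers check / lookup / expand style questions
# over them. Names and sample data are constructed for this example.

# Schema: relations a document may carry and permissions built from them, in the
# spirit of a Permify-style model:
#   entity document { relation owner @user; relation editor @user; relation viewer @user
#                     permission edit = owner or editor; permission view = edit or viewer }
SCHEMA = {
    "document": {
        "relations": {"owner", "editor", "viewer"},
        "permissions": {"edit": ["owner", "editor"], "view": ["edit", "viewer"]},
    }
}

def write_data(tuples, entity, relation, subject, schema=SCHEMA):
    """Store a tuple only if the schema declares that relation for the entity type."""
    etype = entity.split(":")[0]
    if relation not in schema[etype]["relations"]:
        raise ValueError(f"relation {relation!r} is not defined on {etype!r}")
    tuples.append((entity, relation, subject))

def check(tuples, entity, perm, subject, schema=SCHEMA):
    """check_permission-style decision: True means ALLOWED, False means DENIED."""
    rules = schema[entity.split(":")[0]]
    if perm in rules["relations"]:                 # leaf: a directly stored tuple
        return (entity, perm, subject) in tuples
    return any(check(tuples, entity, ref, subject, schema)   # union of referenced rules
               for ref in rules["permissions"][perm])

def lookup_entity(tuples, etype, perm, subject, schema=SCHEMA):
    """lookup_entity-style query: every entity of a type the subject holds perm on."""
    candidates = sorted({e for e, _, _ in tuples if e.startswith(etype + ":")})
    return [e for e in candidates if check(tuples, e, perm, subject, schema)]

def expand(tuples, entity, perm, schema=SCHEMA):
    """expand_permissions-style query: every subject holding perm on the entity."""
    subjects = sorted({s for e, _, s in tuples if e == entity})
    return [s for s in subjects if check(tuples, entity, perm, s, schema)]

# Constructed sample data, written through the schema-validated path.
DATA = []
write_data(DATA, "document:doc-001", "owner", "user:123")
write_data(DATA, "document:doc-002", "viewer", "user:123")
write_data(DATA, "document:doc-002", "editor", "user:456")

if __name__ == "__main__":
    print(check(DATA, "document:doc-001", "edit", "user:123"))   # True (ALLOWED)
    print(check(DATA, "document:doc-002", "edit", "user:123"))   # False (DENIED)
```

Changing the `permissions` rules alters every decision without touching a tuple, while `write_data` rejects a relation the schema never declared, which is the distinction the answer above draws.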

**Do I need to run multiple checks every time I want to verify access?**
No. Instead of running many individual `check_permission` calls, you can use `lookup_entity`. This tool quickly shows what resources a user is authorized for based on the underlying policies.

**Can Permify MCP help me view schema history?**
Yes. You first run `list_schemas` to get all version IDs, then use `read_schema` with a specific ID to inspect that model’s full details.