# Permify MCP

> Permify manages fine-grained authorization and access control rules. Write custom schemas, define how users connect to resources, and perform instant permission checks using natural language prompts. It's your single point of truth for complex identity and access management (IAM) policies across multiple isolated client environments.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** iam, authorization, rbac, abac, rebac, access-control

## Description

Need to know who can do what on which resource? This MCP lets you build and manage those rules directly with your agent. You write authorization models (the actual schemas) for specific clients, defining the precise permissions they have. It handles everything from writing the basic data records that define relationships to checking whether a user is allowed to view a document or delete a record. If you manage multiple client environments, you can create and isolate those tenants in one place. When you connect it through Vinkius, your agent accesses the entire catalog of tools, giving you full control over your access policies without needing raw API calls.

## Tools

### bulk_check_permissions
Checks if a user has the required rights to perform an action on multiple resources in one request.

### check_permission
Performs a single check to determine if a user is allowed access to a specific resource.

### create_tenant
Sets up an entirely new, isolated client environment within Permify.

### delete_bundle
Removes a predefined set of access rules or policies that were grouped together.

### delete_data
Deletes specific relationship tuples and associated attribute data records.

### delete_tenant
Permanently removes an entire client environment or tenant from the system.

### expand_permissions
Retrieves a list of all users who have any relationship connection to a specific entity.

### list_schemas
Lists every version of the authorization model schema that exists for a given tenant.

### list_tenants
Provides an overview list of all active client tenants managed by Permify.

### lookup_entity
Finds which specific resources a user is permitted to act upon.

### lookup_subject
Determines which subjects or users are capable of performing an action on a specified entity.

### partial_write_schema
Updates only a small part of an existing, defined authorization model schema without overwriting everything.

### read_attributes
Queries and reads specific pieces of stored attribute data attached to records.

### read_bundle
Retrieves the full details for a predefined group or bundle of access rules.

### read_relationships
Queries and reads all stored records that define how two entities relate to each other.

### read_schema
Inspects the full details of a specific, named version of an authorization model schema.

### run_bundle
Executes a predefined collection of access rules or policies to validate behavior.

### subject_permission
Lists all possible actions (permissions) that a single user can perform on an entity.

### write_bundle
Defines or updates a group of access rules, treating them as a cohesive unit.

### write_data
Creates new relationship tuples and writes attribute data to the system.

### write_schema
Writes or creates an entirely new authorization model schema for a tenant.

## Prompt Examples

**Prompt:** 
```
Check if user 'user:123' has 'edit' permission on 'document:doc-001' in tenant 'default'.
```

**Response:** 
```
I've performed the check using `check_permission`. The result is 'ALLOWED'. User 123 has the necessary edit rights for that document.
```

**Prompt:** 
```
List all schema versions for tenant 'production-v1'.
```

**Response:** 
```
Fetching schema history... I found 3 versions for 'production-v1'. The latest version is 'v20231027-01'. Would you like to inspect its details using `read_schema`?
```

**Prompt:** 
```
Create a new tenant called 'client-alpha-test'.
```

**Response:** 
```
Executing `create_tenant`... Success! The tenant 'client-alpha-test' has been created with ID 'cat-9920'. You can now start writing its authorization schema.
```

## Capabilities

### Validate User Access
The MCP performs resource-based checks to confirm if a specific user has the necessary rights to perform an action on a given asset.

### Audit Relationship Graphs
It retrieves all stored relationship tuples, letting you map out exactly who is connected to what entity within your system.

### Define Authorization Models
You can write or partially update the core rule sets (schemas) that govern how permissions work for a client tenant.

### Manage Client Boundaries
The system allows you to create, list, and delete completely separate tenants, keeping different clients' rules isolated.

### Bulk Permission Validation
Instead of checking permissions one by one, the MCP runs large batches of validation checks in a single operation.

## Use Cases

### Onboarding a New Client
A DevOps Engineer needs to provision an entirely new client environment. They ask their agent to use the `create_tenant` tool, which instantly spins up the isolated tenant ID and allows them to immediately start writing its specific rules without touching the infrastructure console.

### Debugging Access Issues
A Security Engineer notices a user is blocked. Instead of guessing, they ask their agent to run `lookup_entity` for that user and entity. The agent shows all possible actions and confirms exactly why the access fails.

### Policy Update Automation
A Backend Developer needs to update a core system policy. They use `partial_write_schema` to adjust only one small rule within a massive authorization model, ensuring they don't accidentally break unrelated access rights.

### Full System Audit
The team must verify all current data connections for compliance. They prompt the agent to use `expand_permissions` on a critical asset, instantly listing every subject that has any relationship with it.

## Benefits

- Verify user permissions instantly. Instead of writing multiple `check_permission` calls, you ask your agent directly if a user can edit a document or delete a record.
- Audit relationships easily. Use the ability to query stored relational tuples via `read_relationships` to visualize every connection between subjects and assets without manual database queries.
- Handle multi-client setups simply. You use `list_tenants` to see all active clients, and `create_tenant` or `delete_tenant` keeps each client's rules totally separate.
- Improve development speed. Backend developers can quickly test new schemas by using `write_schema` and then validating the data with `write_data`, cutting down testing time dramatically.
- Scale your checks efficiently. When you need to validate hundreds of access rights, running a single request through `bulk_check_permissions` is far faster than looping through individual API calls.

## How It Works

The bottom line is that you get a conversational interface for managing infrastructure that used to require dedicated API scripts.

1. Subscribe to this MCP and provide your Permify API URL and Secret Token credentials.
2. Connect your agent using your preferred AI client (like Claude or Cursor) through the Vinkius platform.
3. Start querying access policies, building schemas, or checking permissions via natural language prompts.

## Frequently Asked Questions

**How do I check if a user has permission using Permify MCP?**
You use the `check_permission` tool. Simply tell your agent which user, what resource, and what action you want to verify. The result is immediate and definitive.

**Can I manage multiple clients with Permify MCP?**
Yes, absolutely. You use `list_tenants` to see all current environments, and `create_tenant` or `delete_tenant` keeps each client's rules totally separated.

**What is the difference between write_schema and partial_write_schema in Permify MCP?**
`write_schema` creates an entirely new model from scratch. Use `partial_write_schema` when you only want to tweak a few rules in an existing schema without touching everything else.

**Does Permify MCP handle large-scale checks?**
Yes. For high volumes of validation, use the `bulk_check_permissions` tool. It is designed to process many permissions in one efficient request.

**Where can I find out who has access to an entity using Permify MCP?**
You run `expand_permissions`. This function retrieves all subjects, or users, that have any defined relationship with the specific asset you name.