# Permit.io MCP

> Permit.io lets you manage application authorization and access control policies conversationally. It handles complex rules—like checking if a user can read a document based on their department or role, or defining relationships between resources. Use it to build robust, fine-grained permission layers without writing code.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** authorization, rbac, rebac, abac, policy-as-code, access-control

## Description

Stop building custom backend endpoints just to check basic permissions. This MCP connects your authorization layer to any AI agent, letting you govern access rules using plain language prompts. You can define roles and resources dynamically, whether you're setting up a brand new feature or auditing existing policies. Need to know if 'admin@company.com' can delete a file in the production environment? Your agent handles that check instantly. It also lets you provision users and tenants directly into your authorization system for testing or setup. When you connect this MCP via Vinkius, you get immediate access to industry-standard tools like AuthZen evaluation, meaning you don’t have to worry about vendor lock-in when checking permissions across different services. You manage the entire schema—creating roles, defining resources, and mapping complex relationships—all through your agent's conversation.

## Tools

### assign_permissions_to_role
Attaches specific permissions to an existing group role.

### assign_role_to_user
Gives a user a defined role within their tenant.

### authzen_access_evaluation
Performs standardized checks to validate if a subject has access to an action on a resource.

### authzen_action_search
Searches available actions that can be applied in the authorization schema.

### authzen_bulk_evaluations
Runs multiple access evaluations at once for large-scale policy testing.

### authzen_resource_search
Searches available resources that can be protected by policies.

### authzen_subject_search
Searches existing user subjects for standardized policy checking.

### bulk_assign_roles
Assigns roles to many users in a single batch operation (up to 2000).

### bulk_create_tenants
Creates multiple new isolated tenants at once (up to 2000).

### bulk_create_users
Creates many user accounts in a batch process (up to 3000).

### bulk_relationship_tuples
Adds multiple relationship links between resources simultaneously (up to 1000).

### check_permission
Determines if a user can execute a specific action on a resource.

### create_relation
Establishes a complex relationship link between two resources.

### create_relationship_tuple
Creates a single, specific relationship link between resources.

### create_resource
Adds a brand new type of resource into the system schema for protection.

### create_role
Defines a new group role that can be assigned to users.

### create_tenant
Creates a new isolated organizational environment (tenant).

### create_user
Adds a brand new user account into the system.

## Prompt Examples

**Prompt:** 
```
Check if user 'admin@company.com' is permitted to 'delete' the 'server' resource in tenant 'production'.
```

**Response:** 
```
I've evaluated the permission. The user 'admin@company.com' is **permitted** to perform the 'delete' action on the 'server' resource in the 'production' tenant.
```

**Prompt:** 
```
Create a new resource 'document' with actions 'read', 'write', and 'share' in project 'my-app' environment 'dev'.
```

**Response:** 
```
I have successfully created the 'document' resource with the specified actions in your 'dev' environment.
```

**Prompt:** 
```
Assign the permissions 'document:read' and 'document:write' to the 'editor' role in project 'my-app' environment 'dev'.
```

**Response:** 
```
The 'editor' role has been updated. It now has 'read' and 'write' permissions for the 'document' resource.
```

## Capabilities

### Evaluate access rights
The system checks if a specific user has permission to perform an action on a designated resource.

### Define and organize structure
You can create new resources, define roles, or map relationships between existing data objects.

### Manage user and tenant accounts
The MCP lets you provision users or tenants in bulk, keeping your authorization environment up-to-date.

### Update role assignments
You can assign permissions to a whole group (a role) or give a specific user a role within their tenant.

## Use Cases

### Auditing a new client portal
A security engineer needs to ensure that only premium users can view the 'advanced analytics' resource. Instead of manually checking database tables, they prompt their agent: "Check if any user without the 'premium_client' role can access the advanced analytics." The agent uses check_permission and returns a definitive audit report.

### Onboarding a massive client base
A platform team needs to set up 5,000 new tenants and assign them default 'read-only' roles. They use bulk_create_tenants followed by bulk_assign_roles, automating the setup process that would normally take days of manual scripting.

### Implementing ownership rules
A developer is building a document management system where only the creator should be able to delete a file. They use create_relation and then check_permission to enforce this complex, resource-specific rule set without writing custom database triggers.

### Testing role changes quickly
A product manager wants to see if giving 'junior' users the 'project:read' permission breaks anything. They use assign_permissions_to_role and then run authzen_bulk_evaluations on test accounts before committing any code.

## Benefits

- You gain instant policy evaluation via check_permission, allowing your agent to answer complex questions like 'Can X do Y?' in real-time, eliminating the need for custom permission microservices.
- The MCP manages full authorization schema definition. You can use create_resource and create_role to build out entirely new protected features just by defining their rules, not writing code.
- Managing user data is easy: use bulk_create_users or bulk_create_tenants to provision thousands of accounts in a single conversational step, drastically cutting setup time for large deployments.
- Complex relationships are handled with tools like create_relation and bulk_relationship_tuples. You can model ownership and hierarchical permissions (ReBAC) directly through your agent's prompts.
- The system supports standardized AuthZen evaluation tools. This means the policies you define today will work reliably, even if you switch underlying access control technologies later on.

## How It Works

You treat complex access control logic like a conversation with an expert security engineer who lives inside your agent.

1. Subscribe to the MCP and enter your Permit.io API Key, optionally including your PDP URL.
2. Tell your agent what you want to do—for example, 'Check if this user can access resource X.'
3. The system runs the check against your defined policies and sends back a definitive answer: permitted or denied.

## Frequently Asked Questions

**How does Permit.io MCP handle bulk user creation?**
You use bulk_create_users to add thousands of accounts in a single conversational command, saving massive amounts of manual scripting time for platform teams.

**Can I check permissions without writing code using the Permit.io MCP?**
Yes, you prompt your agent with an access query, and it uses check_permission to evaluate the rule against your entire defined policy structure in real-time.

**What is ReBAC and how do I set it up with Permit.io MCP?**
ReBAC (Relationship-Based Access Control) makes access depend on relationships between resources, such as ownership. You use create_relation or bulk_relationship_tuples to define these complex links.

**Does the MCP support multiple client types for governance?**
Yes, it works with any MCP-compatible client, letting you govern your permissions whether you're working in VS Code, Cursor, or directly through a terminal agent.