diff --git a/AGENTS.md b/AGENTS.md
index a51acdd..e708fe7 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -108,4 +108,4 @@ custom classes must fully style the input
 - **Always** invoke `mix ecto.gen.migration migration_name_using_underscores` when generating migration files, so the correct timestamp and conventions are applied
-
\ No newline at end of file
+
diff --git a/lib/policy_service_web/plugs/authorization_plug.ex b/lib/policy_service_web/plugs/authorization_plug.ex
index e920e01..d0b6265 100644
--- a/lib/policy_service_web/plugs/authorization_plug.ex
+++ b/lib/policy_service_web/plugs/authorization_plug.ex
@@ -18,10 +18,14 @@ defmodule PolicyServiceWeb.Plugs.AuthorizationPlug do
   - :resource_owner_check - Function to check if user owns the resource (optional)
   """
   def init(opts) do
+    required_permission = Keyword.get(opts, :required_permission, nil)
+    required_scopes = Keyword.get(opts, :required_scopes, [])
+    resource_owner_check = Keyword.get(opts, :resource_owner_check, nil)
+
     %{
-      required_roles: Keyword.get(opts, :required_roles, []),
-      required_scopes: Keyword.get(opts, :required_scopes, []),
-      resource_owner_check: Keyword.get(opts, :resource_owner_check, nil)
+      required_permission: required_permission,
+      required_scopes: required_scopes,
+      resource_owner_check: resource_owner_check
     }
   end
@@ -57,12 +61,12 @@ defmodule PolicyServiceWeb.Plugs.AuthorizationPlug do
     :ok
   end
-  defp check_roles(user_roles, required_roles) do
-    if has_any_role?(user_roles, required_roles) do
+  defp check_roles(user_roles, required_permission) do
+    if has_any_role?(user_roles, required_permission) do
       :ok
     else
       Logger.warning(
-        "User with roles #{inspect(user_roles)} lacks required roles: #{inspect(required_roles)}"
+        "User with roles #{inspect(user_roles)} lacks required permission: #{inspect(required_permission)}"
       )
       {:error, :insufficient_role}
diff --git a/lib/policy_service_web/router.ex b/lib/policy_service_web/router.ex
index 4120746..95f0615 100644
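Review bot: `required_permission` now defaults to `nil` in `init/1` where `required_roles` defaulted to `[]`, and `check_roles/2` in the next hunk hands that value straight to `has_any_role?/2`, a helper outside this diff; what `has_any_role?(user_roles, nil)` returns is what decides whether a route with no permission configured is denied or quietly allowed, and nothing in the diff pins that down. I would make the no-requirement case an explicit clause rather than an accident of the helper, e.g. `defp check_roles(_user_roles, nil), do: {:error, :insufficient_role}` (or an explicit `:ok` if unconfigured routes are meant to pass), so the default is a deliberate decision that a reader can see. The `@doc` block whose last bullet opens this hunk still describes the plug's options, and its bullet for the old `:required_roles` option sits above the hunk and does not appear to be touched; it should now read `- :required_permission - Permission string the caller must hold (optional)`. The caller of `init/1`'s result is outside this hunk.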
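Review bot: `check_roles/2` and `has_any_role?/2` keep their role-based names and the `:insufficient_role` error while the parameter and the log message now speak of a permission, so the warning says "lacks required permission" for a check that is still spelled `has_any_role?`. If the helper still expects a list of roles, a single permission string (the router hunk passes `"policy:read"`) will not compare the way a list did; either map the permission to the roles that grant it before calling the helper, or rename the pair to `check_permission/2` / `has_permission?/2` and return `{:error, :insufficient_permission}` so the names match the new contract. The body of `has_any_role?/2` and the call site of `check_roles/2` are outside this hunk, so the mismatch is inferred from the signature change only.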
--- a/lib/policy_service_web/router.ex
+++ b/lib/policy_service_web/router.ex
@@ -28,10 +28,12 @@ defmodule PolicyServiceWeb.Router do
     scope "/v1" do
       pipe_through [:authenticated, :authorized]
-      get "/policies", PolicyController, :index
-      get "/policies/:application_id", PolicyController, :show
-      post "/policies", PolicyController, :create
-      post "/policies/:application_id/accept", PolicyController, :accept
+      get "/policies", PolicyController, :index, required_permission: "policy:read"
+      get "/policies/:application_id", PolicyController, :show, required_permission: "policy:read"
+      post "/policies", PolicyController, :create, required_permission: "policy:create_request"
+
+      post "/policies/:application_id/accept", PolicyController, :accept,
+        required_permission: "policy:submit_solicitation"
     end
   end
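Review bot: `required_permission:` is passed as a route option to `get/4` and `post/4`, but `AuthorizationPlug` runs inside the `:authorized` pipeline, and a pipeline plug's `init/1` only receives the options written on its `plug` line; Phoenix either ignores an unknown route keyword or rejects it, but in neither case does it reach the plug, so unless `call/2` (outside this diff) reads the permission from somewhere else every route would be checked with `required_permission: nil`. The conventional way to carry per-route data to a pipeline plug is the route's `private:` option, e.g. `get "/policies", PolicyController, :index, private: %{required_permission: "policy:read"}`, read in the plug with `conn.private[:required_permission]`; the alternative is a controller-level `plug AuthorizationPlug, required_permission: "policy:read" when action in [:index, :show]`. The three permission strings are repeated literals; module attributes such as `@policy_read "policy:read"` would keep the router and any controller-level checks in step.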