We Let AI Handle User Permissions (And it Works)

Access control to sensitive information is a balancing act: too restrictive, and users can’t access the files they need. Too permissive and confidential data becomes at risk of exposure.

Usually, developers handle this by either static role-based permissions or manual classification. Both these methods have severe limitations and require constant oversight and human input.

But what if AI could classify and enforce access control for you?

The solution I suggest here is obviously far-from production ready. I’m not advising you go and implement this in a fintech company that handles sensitive user data, but I do believe AI can be a great tool to support automation (Coupled with human-based confirmation of said classification) within your access control layer, and that this is an interesting angle to explore. I've already seen some interesting use case suggestions for this, and I'd love to hear more.

In this blog, I want to show how LLMs can be used to determine the sensitivity of data in your system, while Fine Grained Authorization (FGA), namely Attribute-Based Access Control (ABAC) can be used to enforce permissions in a highly granular and dynamic way.

This tutorial will teach you how to build and implement AI-based analysis of your application’s resources, classify them, and let an ABAC-based system handle the enforcement based on this analysis.

What You’ll Learn

Let’s try and take this concept from theory to implementation by building an AI-powered access control system. You’ll learn how to:

1. Use OpenAI to automatically classify resources based on sensitivity, department, and type.
2. Store those classifications in Permit.io and enforce ABAC-based permissions dynamically.
3. Automate access control without manual tagging or permission micromanagement.

By the end of this tutorial, you’ll have a fully functional system that classifies and protects sensitive resources in real-time, removing the need for constant human intervention in policy management.

Use Case Example

Imagine you're a finance manager in a mid-sized corporation. Your team generates budget proposals, quarterly revenue reports, and partnership contracts—each with different sensitivity levels and departmental ownership. These documents must be shared securely, yet manually assigning permissions every time is impractical.

With this AI-powered access control system, the workflow looks like this:

1. A team member uploads a budget proposal to the company’s internal document portal.

Q4 2024 Revenue Projections
Expected revenue: $2.5M
Key growth areas: Enterprise sales
Confidential - For financial team only

2. An AI model scans the document and classifies it as sensitivity=Confidential, department=Finance, type=Budget Report.

{
    "department": "Finance",
    "sensitivity": "Confidential",
    "docType": "Report"
}

3. These attributes are stored in Permit.io, and ABAC rules automatically determine who can access it based on the following policies:

• Finance users with Confidential clearance can access
• HR users are denied (wrong department)
• Users with Public clearance are denied (insufficient clearance)
• Everyone can access Public documents

4. Instead of manually setting permissions, the system grants or denies access dynamically based on AI-generated classifications.

Now, every time a document is added, permissions are automatically enforced without human intervention—eliminating manual tagging errors and, hopefully, reducing security risks.

By the end of this tutorial, you'll have a working system that:

• Automatically understands document content and context
• Enforces proper access control based on user and document attributes
• Handles complex scenarios like departmental access and clearance levels

Let’s dive into the implementation!

Before we start - Prerequisites

To follow this tutorial, you'll need:

• A Permit.io account
• An OpenAI API key
• A Configured local Policy Decision Point (PDP) with a valid API key.

Building ABAC Policies

Before we get into the code, let's set up our ABAC (Attribute-Based Access Control) structure in Permit.io. Our goal is to create a system where access decisions are made by matching user attributes with document attributes, thereby enabling fine-grained control over who can access what documents.

Step 1: Creating the Document Resource Type

Open the Permit.io Dashboard and navigate to the Resources section. Here's how to set up your document type:

1. Click Create Resource
2. Enter "Document" as the resource key
3. Add these key attributes:
   
   • department (string)
   • sensitivity (string)
   • docType (string)

These attributes will be automatically populated by our OpenAI classifier later.

Step 2: Configuring User Attributes

Next, we need to set up the attributes that determine what users can access. In the Directory section:

1. Navigate to user attributes configuration
2. Add two critical attributes:
   
   • department (string) - tracks which team they're on
   • clearance_level (string) - defines their security clearance

These attributes form the "security badge" that determines what each user can access.

Step 3: Setting Up ABAC Policies

3a: Creating User Sets

Navigate to User Sets in your Permit.io dashboard.

Define your first user set for Finance users with confidential access:

1. Click "Create User Set"
2. Name it "confidential_finance_users"
3. Set up filters:
   • department = "Finance"
   • clearance_level = "Confidential"

Repeat for HR users:

1. Create another set named "confidential_hr_users"
2. Configure filters:
   • department = "HR"
   • clearance_level = "Confidential"

3b: Creating Resource Sets

Move to the Resource Sets section, focusing on the Document resource type.

Set up your document groups:

1. Create "confidential_finance_docs"
   • department = "Finance"
   • sensitivity = "Confidential"
2. Create
   "public_documents"
   • sensitivity = "Public"

Step 3: Setting Up ABAC Policies

3a: Creating User Sets

Navigate to User Sets in your Permit.io dashboard.

Define your first user set for Finance users with confidential access:

1. Click "Create User Set"
2. Name it "confidential_finance_users"
3. Set up filters:
   • department = "Finance"
   • clearance_level = "Confidential"

Repeat for HR users:

1. Create another set named "confidential_hr_users"
2. Configure filters:
   • department = "HR"
   • clearance_level = "Confidential"

3b: Creating Resource Sets

Move to the Resource Sets section, focusing on the Document resource type.

Set up your document groups:

1. Create
   "confidential_finance_docs":
   • department = "Finance"
   • sensitivity = "Confidential"
2. Create
   "public_documents"
   • sensitivity = "Public"

Step 4: Enforcing Policies

Open the Policy Editor to connect your user sets with resource sets.

Link your sets with appropriate permissions:

1. Map confidential_finance_users to confidential_finance_docs
2. Set permissions (read, write, delete) for each connection
3. Create rules for public document access

This ABAC structure creates a dynamic system where access control automatically adapts to new users and documents based on their attributes.

Code Implementation

Now that we've configured our ABAC policies in Permit.io, let's write the code that makes everything work. Our implementation needs to:

1. Use OpenAI to analyze document content
2. Extract the right attributes (department, sensitivity, type)
3. Check permissions using our ABAC rules

Let's build each piece:

Document Classification

First, we'll create a classifier that uses OpenAI's gpt-4o-mini model to analyze document content. The key here is crafting a prompt that consistently extracts the attributes we need:

async function classifyDocument(docText) {
    const prompt = `
You are a classification model. Classify the following document text by:
1. Department: [Finance, HR, Marketing]
2. Sensitivity: [Public, Internal, Confidential]
3. Document Type: [Report, Policy, Contract]

Return ONLY raw JSON with these exact keys, no markdown formatting:
{
    "department": "",
    "sensitivity": "",
    "docType": ""
}

Document text:
${docText}`;

    const response = await openai.chat.completions.create({
        model: "gpt-4o-mini",
        messages: [
            {
                "role": "system",
                "content": "You are a document classifier. Respond with raw JSON only."
            },
            {
                "role": "user",
                "content": prompt
            }
        ],
        temperature: 0
    });

    return JSON.parse(response.choices[0].message.content.trim());
}

When we feed it a document like:

{
    "department": "Finance",
    "sensitivity": "Confidential",
    "docType": "Report"
}

Checking Access Permissions

With document attributes determined, we can check if a user has access using the ABAC system we’ve set up already:

async function checkDocumentAccess(userId, action, documentId) {
    try {
        console.log('\\n🔒 Checking Permission:');
        console.log(`👤 User: ${userId}`);
        console.log(`🎯 Action: ${action}`);
        console.log(`📄 Document: ${documentId}`);

        const permitted = await permit.check(
            userId,
            action,
            {
                type: "Document",
                key: documentId
            }
        );

        // Log the result
        if (permitted) {
            console.log('✅ Access Granted');
        } else {
            console.log('❌ Access Denied');
        }

        return permitted;
    } catch (err) {
        console.error("❌ Permission check failed:", err);
        throw err;
    }
}

A Finance user with Confidential clearance can access confidential finance documents but not HR documents. Everyone can access public documents. The system enforces these rules automatically based on the attributes we defined earlier.

Document Content:
Q4 2024 Revenue Projections
Expected revenue: $2.5M
Key growth areas: Enterprise sales
Confidential - For financial team only

Classification Result:
{
  department: 'Finance',
  sensitivity: 'Confidential',
  docType: 'Report'
}

Access Results:
✅ finance_admin: GRANTED (Correct: Finance dept + Confidential clearance)
❌ hr_editor: DENIED (Correct: Wrong department)
❌ hr_admin: DENIED (Correct: Wrong department)
❌ finance_viewer: DENIED (Correct: Insufficient clearance)

Testing and Results

Remember our finance manager's challenge? Let's see how our system handles real document scenarios they might encounter. We'll test with various documents and users to verify that both classification and access control work correctly.

Test Case 1: Confidential Finance Document

Consider this financial report:

Q4 2024 Revenue Projections
Expected revenue: $2.5M
Key growth areas: Enterprise sales
Confidential - For financial team only

Our system performs flawlessly:

Classification Result:
{
  department: 'Finance',
  sensitivity: 'Confidential',
  docType: 'Report'
}

Access Results:
✅ finance_admin: GRANTED (Finance dept + Confidential clearance)
❌ hr_editor: DENIED (Wrong department)
❌ finance_viewer: DENIED (Insufficient clearance)

Test Case 2: HR Policy Document

For an HR document:

Employee Benefits Policy 2024
Internal HR Guidelines
Confidential - HR Department Only

The system correctly manages access:

Classification Result:
{
  department: 'HR',
  sensitivity: 'Confidential',
  docType: 'Policy'
}

Access Results:
❌ finance_admin: DENIED (Wrong department)
✅ hr_editor: GRANTED (HR dept + Confidential clearance)
❌ finance_viewer: DENIED (Wrong department)

Test Case 3: Public Document

And for a public announcement:

Company Monthly Newsletter
March 2024 Updates
Public Announcement

The system grants appropriate access:

Classification Result:
{
  department: 'Marketing',
  sensitivity: 'Public',
  docType: 'Report'
}

Access Results:
✅ finance_admin: GRANTED (Public access)
✅ hr_editor: GRANTED (Public access)
✅ finance_viewer: GRANTED (Public access)

Our system successfully combines AI classification with ABAC to create an efficient document access control system. The full code is here on GitHub.

Conclusion

Managing access to sensitive information has traditionally required manual tagging or static role-based permissions, both of which are prone to human error, inefficiency, and security risks. In this guide, we introduced an AI-powered approach to access control, where Generative AI classifies documents, and ABAC dynamically enforces permissions—without human intervention.

By leveraging OpenAI to extract attributes such as department, sensitivity, and document type, and using Permit.io's ABAC framework to enforce fine-grained policies, we’ve built a system that is automated, scalable, and secure. This removes the burden of manual classification while ensuring that only the right people have access to the right documents—based on real-time AI-driven classifications.

With this approach, companies can improve compliance, reduce security risks, and streamline workflows, making AI-driven access control a practical reality.

Got questions? Join our Slack community, where hundreds of developers are building and implementing authorization into their applications.