diff --git a/admin/app/AppLoader.scala b/admin/app/AppLoader.scala
index 3fc6d8d9f0e..d1735663d7c 100644
--- a/admin/app/AppLoader.scala
+++ b/admin/app/AppLoader.scala
@@ -5,7 +5,6 @@ import dfp._
 import common.dfp._
 import common._
 import conf.switches.SwitchboardLifecycle
-import conf.CachedHealthCheckLifeCycle
 import controllers.{AdminControllers, HealthCheck}
 import _root_.dfp.DfpDataCacheLifecycle
 import com.amazonaws.regions.Regions
@@ -106,6 +105,7 @@ trait AppComponents extends FrontendComponents with AdminControllers with AdminS
       // in [admin].
       "/interactive-librarian/",
     ),
+    requiredEditorialPermissionName = "admin_tool_access",
   )
 
   lazy val healthCheck = wire[HealthCheck]
diff --git a/build.sbt b/build.sbt
index de4980efb9e..59ba905a111 100644
--- a/build.sbt
+++ b/build.sbt
@@ -39,6 +39,7 @@ val common = library("common")
       jSoup,
       json4s,
       panDomainAuth,
+      editorialPermissions,
       quartzScheduler,
       redisClient,
       rome,
diff --git a/common/app/http/GuardianAuthWithExemptions.scala b/common/app/http/GuardianAuthWithExemptions.scala
index 99ce750ec88..d4d4909fde3 100644
--- a/common/app/http/GuardianAuthWithExemptions.scala
+++ b/common/app/http/GuardianAuthWithExemptions.scala
@@ -1,15 +1,18 @@
 package http
 
+import com.amazonaws.regions.Regions
 import com.amazonaws.services.s3.AmazonS3
 import com.gu.pandomainauth.action.AuthActions
 import com.gu.pandomainauth.model.AuthenticatedUser
 import com.gu.pandomainauth.{PanDomain, PanDomainAuthSettingsRefresher}
+import com.gu.permissions.{PermissionDefinition, PermissionsConfig, PermissionsProvider}
 import common.Environment.stage
+import conf.Configuration.aws.mandatoryCredentials
 import model.ApplicationContext
 import org.apache.pekko.stream.Materializer
 import play.api.Mode
 import play.api.libs.ws.WSClient
-import play.api.mvc.{BaseController, _}
+import play.api.mvc._
 
 import java.net.URL
 import scala.concurrent.Future
@@ -22,6 +25,7 @@ class GuardianAuthWithExemptions(
     s3Client: AmazonS3,
     system: String,
     extraDoNotAuthenticatePathPrefixes: Seq[String],
+    requiredEditorialPermissionName: String,
 )(implicit
     val mat: Materializer,
     context: ApplicationContext,
@@ -30,6 +34,19 @@ class GuardianAuthWithExemptions(
 
   private val outer = this
 
+  private val permissions: PermissionsProvider = PermissionsProvider(
+    PermissionsConfig(
+      stage = if (stage == "PROD") "PROD" else "CODE",
+      region = Regions.EU_WEST_1.getName,
+      awsCredentials = mandatoryCredentials,
+    ),
+  )
+
+  private val requiredPermission = PermissionDefinition(
+    name = requiredEditorialPermissionName,
+    app = "frontend",
+  )
+
   private def toolsDomainSuffix =
     stage match {
       case "PROD" => "gutools.co.uk"
@@ -81,9 +98,12 @@ class GuardianAuthWithExemptions(
       if (doNotAuthenticate(request)) {
         nextFilter(request)
       } else {
-        // TODO: in future PR add a permission check here based on user, likely via a function passed in to GuardianAuthWithExemptions
         AuthAction.authenticateRequest(request) { user =>
-          nextFilter(request)
+          if (permissions.hasPermission(requiredPermission, user.email)) {
+            nextFilter(request)
+          } else {
+            ??? //FIXME serve 4XX (with explanation)
+          }
         }
       }
     }
diff --git a/preview/app/AppLoader.scala b/preview/app/AppLoader.scala
index 459c2c35480..8fa6148801c 100644
--- a/preview/app/AppLoader.scala
+++ b/preview/app/AppLoader.scala
@@ -116,6 +116,7 @@ trait AppComponents
     s3Client,
     system = "preview",
     extraDoNotAuthenticatePathPrefixes = healthCheck.healthChecks.map(_.path),
+    requiredEditorialPermissionName = "preview_access",
   )
 
   override lazy val capiHttpClient: HttpClient = new CapiHttpClient(wsClient) {
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index c6b8231787c..4d287ba7de8 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -59,6 +59,7 @@ object Dependencies {
   val mockito = "org.mockito" % "mockito-all" % "1.10.19" % Test
   val paClient = "com.gu" %% "pa-client" % "7.0.7"
   val panDomainAuth = "com.gu" %% "pan-domain-auth-play_3-0" % "3.1.0"
+  val editorialPermissions = "com.gu" %% "editorial-permissions-client" % "2.15"
   val quartzScheduler = "org.quartz-scheduler" % "quartz" % "2.3.2"
   val redisClient = "net.debasishg" %% "redisclient" % "3.42"
   val rome = "rome" % "rome" % romeVersion