diff --git a/app/conf/Configuration.scala b/app/conf/Configuration.scala
index 0fa4888..1d3eb65 100644
--- a/app/conf/Configuration.scala
+++ b/app/conf/Configuration.scala
@@ -10,6 +10,7 @@ import com.amazonaws.regions.{Region, Regions}
 import com.amazonaws.services.cloudwatch.AmazonCloudWatch
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDB
 import com.amazonaws.services.s3.{AmazonS3, AmazonS3ClientBuilder}
+import com.gu.permissions.PermissionsConfig
 import org.apache.commons.io.IOUtils
 import play.api.Mode
 import play.api.{Configuration => PlayConfiguration}
@@ -170,6 +171,12 @@ class ApplicationConfiguration(val playConfiguration: PlayConfiguration, val env
 object latest {
 lazy val pageSize = 20
 }
+
+ val permissions = PermissionsConfig(
+ stage = environment.stage,
+ region = aws.region,
+ awsCredentials = aws.mandatoryCredentials,
+ )
 }
 object Properties extends AutomaticResourceManagement {
diff --git a/app/story_packages/auth/PanDomainAuthActions.scala b/app/story_packages/auth/PanDomainAuthActions.scala
index 018ade8..dc743f1 100644
--- a/app/story_packages/auth/PanDomainAuthActions.scala
+++ b/app/story_packages/auth/PanDomainAuthActions.scala
@@ -3,6 +3,7 @@ package story_packages.auth
 import com.gu.pandomainauth.action.AuthActions
 import com.gu.pandomainauth.model.AuthenticatedUser
 import com.gu.pandomainauth.PanDomain
+import com.gu.permissions.{PermissionDefinition, PermissionsProvider}
 import play.api.mvc._
 import conf.ApplicationConfiguration
 import story_packages.services.Logging
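Review bot: In app/conf/Configuration.scala, the added `permissions` value has no comment saying which `environment.stage` values the permissions client expects or what access `aws.mandatoryCredentials` needs. The stage presumably selects the permission set that users are later checked against, so an unexpected stage would be an authorization problem rather than a cosmetic one; that is inferred from the parameter names and not visible here. I would add a comment such as `// Permissions are looked up per stage using the app's AWS credentials; keep their access to the permissions data read-only`. It is also a strict `val` next to `lazy val pageSize`, so the credentials are resolved while `ApplicationConfiguration` is constructed; if fail-fast is intended a comment should say so, otherwise `lazy val permissions = PermissionsConfig(` matches the neighbouring style. The enclosing class starts outside the hunk.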
@@ -10,7 +11,14 @@ import story_packages.services.Logging
 trait PanDomainAuthActions extends AuthActions with Results with Logging {
 def config: ApplicationConfiguration
+ val permissions = PermissionsProvider(config.permissions)
+
+ val StoryPackagesAccess = PermissionDefinition("story-packages-access", "story-packages")
+
 override def validateUser(authedUser: AuthenticatedUser): Boolean = {
+ if (!permissions.hasPermission(StoryPackagesAccess, authedUser.user.email)) {
+ Logger.warn(s"User ${authedUser.user.email} does not have ${StoryPackagesAccess.name} permission")
+ }
 PanDomain.guardianValidation(authedUser)
 }
diff --git a/build.sbt b/build.sbt
index 4ec6e12..8436071 100644
--- a/build.sbt
+++ b/build.sbt
@@ -74,6 +74,7 @@ libraryDependencies ++= jacksonOverrides ++ Seq(
 "com.gu" %% "content-api-client-aws" % "0.7",
 "com.gu" %% "fapi-client-play28" % "4.0.4",
 "com.gu" %% "pan-domain-auth-play_2-8" % "4.0.0",
+ "com.gu" %% "editorial-permissions-client" % "2.15",
 "com.gu" %% "story-packages-model" % "2.2.0",
 "com.gu" %% "thrift-serializer" % "4.0.2",
 "org.json4s" %% "json4s-native" % json4sVersion,
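Review bot: In app/story_packages/auth/PanDomainAuthActions.scala, `validateUser` only logs when `hasPermission` is false and still returns `PanDomain.guardianValidation(authedUser)`, so a user without `story-packages-access` is accepted exactly as before this change. If this is a deliberate log-only rollout, a comment should say so, e.g. `// Audit only: story-packages-access is logged but not enforced yet`; if enforcement is intended, the check has to feed the return value, e.g. `PanDomain.guardianValidation(authedUser) && permissions.hasPermission(StoryPackagesAccess, authedUser.user.email)`. Separately, `val permissions = PermissionsProvider(config.permissions)` is a strict val in a trait that reads the abstract `config`; depending on how implementers define `config` it may be evaluated before `config` is initialised, and `lazy val permissions` avoids that. The warning also writes the user's email address to the log on every failed check, which should be a conscious decision. The trait body continues outside the hunk.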