diff --git a/Permissions.md b/Permissions.md
new file mode 100644
index 0000000..285d7c7
--- /dev/null
+++ b/Permissions.md
@@ -0,0 +1,36 @@
+## Overview
+
+Seashell's permissions system is designed to control access to specific resources for Seashell users. Users are organized into groups, and each group can have rules to allow or deny access to specific resources. The default policy is to deny access unless explicitly allowed.
+
+## Configuration Structure
+
+The permissions configuration is represented as a map, where each key is the name of a group, and the value is another map containing `allow` and `deny` lists.
+
+### Example
+
+This example is a permission configuration for a `docker` route. In this case, members of `group1` have access to containers 1 and 2, but not 3. Any other container that isn't explicitly allowed will be denied, so `container4` would be denied even though it's not in the deny list.
+
+```hcl
+permissions = {
+  group1 = {
+    allow = ["container1", "container2"]
+    deny = ["container3"]
+  }
+}
+```
+
+### Wildcards
+
+The permissions system supports wildcards in allow/deny lists. For example, if you wanted to allow admins access to all containers, and allow `group1` to access everything that doesn't start with `admin`, you could do something like this:
+
+```hcl
+permissions = {
+  admins = {
+    allow = ["*"]
+  }
+  group1 = {
+    allow = ["*"]
+    deny = ["admin*"]
+  }
+}
+```
\ No newline at end of file