diff --git a/tests/test_permissions.py b/tests/test_permissions.py
new file mode 100644
index 0000000000000000000000000000000000000000..e8c9e256615a39f1cbbd76f163cb27281578a006
--- /dev/null
+++ b/tests/test_permissions.py
@@ -0,0 +1,20 @@
+from invenio_config_tuw.permissions.policies import TUWRecordPermissionPolicy
+from invenio_access.permissions import system_identity as system
+
+
+def can(identity, action, **kwargs):
+    """Check if the identity has permission to perform the action."""
+    return TUWRecordPermissionPolicy(action, **kwargs).allows(identity)
+
+
+def test_reading_deleted():
+    assert can(system, "read_deleted")
+    # TODO any user, authenticated, trusted-user, ...
+
+
+def test_record_creation():
+    assert can(system, "create")
+    # TODO more
+
+
+# TODO more interesting cases: who can read drafts, etc.