diff --git a/permissions_engine/authz.rego b/permissions_engine/authz.rego
index 0ae0dd7..2e8d148 100644
--- a/permissions_engine/authz.rego
+++ b/permissions_engine/authz.rego
@@ -69,3 +69,24 @@ allow {
 input.path == ["v1", "data", "service", "service-info"]
 input.method == "GET"
 }
+
+# Site admin should be able to see anything
+allow {
+ data.permissions.site_admin == true
+}
+
+# As long as the user is authorized, should be able to get their own datasets
+allow {
+ input.path == ["v1", "data", "permissions", "datasets"]
+ input.method == "POST"
+ data.permissions.valid_token == true
+ input.body.input.token == input.identity
+}
+
+# As long as the user is authorized, should be able to see if they're allowed to view something
+allow {
+ input.path == ["v1", "data", "permissions", "allowed"]
+ input.method == "POST"
+ data.permissions.valid_token == true
+ input.body.input.token == input.identity
+}
diff --git a/permissions_engine/idp.rego b/permissions_engine/idp.rego
index c82ecd2..dddc374 100644
--- a/permissions_engine/idp.rego
+++ b/permissions_engine/idp.rego
@@ -8,13 +8,15 @@ package idp
 import data.vault.keys as keys
 import future.keywords.in
 
-decode_verify_token_output[issuer] := output {
- some i
- issuer := keys[i].iss
- cert := keys[i].cert
- aud := keys[i].aud[_]
+#
+# Function to decode and verify if a token is valid against a key
+#
+decode_verify_token(key, token) := output {
+ issuer := key.iss
+ cert := key.cert
+ aud := key.aud[_]
 output := io.jwt.decode_verify( # Decode and verify in one-step
- input.token,
+ token,
 { # With the supplied constraints:
 "cert": cert,
 "iss": issuer,
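Review bot: The two new self-service rules gate on `data.permissions.valid_token == true` and then compare `input.body.input.token == input.identity`, but if that flag is idp.valid_token it is now satisfied when either input.identity or input.token verifies (see the decode_verify_token_output change in idp.rego), so the rule never establishes that input.identity itself was verified before the equality check is trusted. Tie the check to the identity that was actually verified, e.g. a rule in idp.rego such as `valid_identity { decode_verify_token(keys[_], input.identity)[0] }` referenced here in place of valid_token, assuming data.permissions wraps that package. The site_admin rule grants every path and method, including the two POST endpoints added here; if that is intended, a comment saying so would spare the next reader the question. The two POST rules differ only in the path and could share a helper, e.g. `self_permission_path(path) { path == ["v1", "data", "permissions", "datasets"] }` with a second clause for the `allowed` path.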
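Review bot: `aud := key.aud[_]` inside a function means that for a key listing more than one audience, decode_verify_token yields a `[true, …]` output for the matching audience and `[false, {}, {}]` for the others, which Rego rejects as a function producing multiple outputs for the same inputs rather than treating as a failed verification. Keep only the verifying result by adding `output[0]` as the last line of the body, so a non-matching audience leaves the call undefined instead of false; the same line also removes the true-versus-false clash between input.identity and input.token under a single issuer in the following hunk. The body of decode_verify_token continues past the end of this hunk.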
@@ -23,6 +25,24 @@ decode_verify_token_output[issuer] := output {
 )
 }
 
+#
+# If either input.identity or input.token are valid against an issuer, decode and verify
+#
+decode_verify_token_output[issuer] := output {
+ possible_tokens := ["identity", "token"]
+ some i
+ issuer := keys[i].iss
+ output := decode_verify_token(keys[i], input[possible_tokens[_]])
+}
+
+#
+# The issuer of this token
+#
+token_issuer := i {
+ some i in object.keys(decode_verify_token_output)
+ decode_verify_token_output[i][0] == true
+}
+
 #
 # Check if token is valid by checking whether decoded_verify output exists or not
 #
@@ -30,7 +50,10 @@ valid_token = true {
 decode_verify_token_output[_][0]
 }
 
-user_key := decode_verify_token_output[_][2].CANDIG_USER_KEY # get user key from the token payload
+#
+# The user's key, as determined by this candig instance
+#
+user_key := decode_verify_token_output[token_issuer][2].CANDIG_USER_KEY
 
 #
 # Check trusted_researcher in the token payload
@@ -40,8 +63,8 @@ trusted_researcher = true {
 }
 
 #
-# If the issuer in the token is the same as the first listed in keys, this is issued by the local issuer
+# If the token_issuer is the same as the first listed in keys, this is a local token
 #
 is_local_token = true {
- keys[i].iss in object.keys(decode_verify_token_output)
+ keys[0].iss == token_issuer
 }
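Review bot: decode_verify_token_output is keyed by issuer only, yet its body iterates over both input.identity and input.token, so when both are supplied and verify against the same issuer with different claims the partial object receives two values for one key and evaluation fails with a conflict instead of producing a deny. token_issuer has the same shape: it is a complete rule that conflicts if tokens from two configured issuers both verify. Give one source precedence, e.g. read `input.identity` in this rule and add a second rule for `input.token` guarded by `not input.identity`, and state in the header comment which of the two is authoritative, since user_key and is_local_token in the later hunks are derived from whichever one happened to verify.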