diff --git a/src/config/constants.js b/src/config/constants.js
index 0c15e10..13fdf47 100644
--- a/src/config/constants.js
+++ b/src/config/constants.js
@@ -12,6 +12,8 @@ const UserActions = [
   "Receive",
 ];
 
+const InventoryScopes = ["Inventory", "Material", "Item"];
+
 const WarehouseScopes = [
   "Warehouse",
   "Zone",
@@ -40,6 +42,7 @@ const CustomAttributeTypes = [
 
 module.exports = {
   UserActions,
+  InventoryScopes,
   WarehouseScopes,
   InventoryTypes,
   CustomAttributeTypes,
diff --git a/src/controller/index.js b/src/controller/index.js
index bdacacf..a63cecb 100644
--- a/src/controller/index.js
+++ b/src/controller/index.js
@@ -1,10 +1,19 @@
 const router = require("express").Router();
 const userRouter = require("./user.router");
+const userRoleRouter = require("./userRole.router");
+const userPermissionRouter = require("./userPermission.router");
 
 router.use("/user", userRouter);
+router.use("/user-role", userRoleRouter);
+router.use("/user-permission", userPermissionRouter);
 
 router.get("/", (req, res) => {
-  res.send("Hello world");
+  res.send({ success: true, message: "Hello world" });
+});
+
+router.use(function (err, req, res, next) {
+  console.error(err.stack);
+  res.status(500).send({ error: `Error: ${err.message}` });
 });
 
 module.exports = { router };
diff --git a/src/controller/user.controller.js b/src/controller/user.controller.js
index c4f2791..2de0b76 100644
--- a/src/controller/user.controller.js
+++ b/src/controller/user.controller.js
@@ -6,7 +6,7 @@ const {
   JWT_SECRET,
   JWT_REFRESH_EXPIRY_TIME,
   JWT_ACCESS_EXPIRY_TIME,
-} = require("../../config/env");
+} = require("./../config/env");
 
 const createAccessToken = (id) => {
   return jwt.sign({ id }, JWT_SECRET, {
diff --git a/src/controller/userPermission.controller.js b/src/controller/userPermission.controller.js
index 266acca..bff698c 100644
--- a/src/controller/userPermission.controller.js
+++ b/src/controller/userPermission.controller.js
@@ -1,7 +1,96 @@
-module.exports = {
-  getAllPermissions: async (req, res, next) => {},
-  getPermission: async (req, res, next) => {},
-  createPermission: async (req, res, next) => {},
-  updatePermission: async (req, res, next) => {},
-  deletePermission: async (req, res, next) => {},
+const mongoose = require("mongoose");
+
+const UserPermission = require("./../models/UserPermission");
+const { InventoryScopes, WarehouseScopes } = require("./../config/constants");
+
+const getScopes = async (scopes, searchSet) => {
+  const verifiedScopes = [];
+  if (scopes !== undefined && Array.isArray(scopes)) {
+    for (const scope of scopes) {
+      if (mongoose.isValidObjectId(scope.id)) {
+        if (scope.type !== undefined && searchSet.contains(scope.type)) {
+          const model = require(`../models/${scope.type}`);
+          const inventoryObject = await model.findById(scope.id);
+          if (inventoryObject == undefined) {
+            continue;
+          }
+          verifiedScopes.push({
+            id: inventoryObject._id,
+            type: scope.type,
+          });
+        }
+      } else {
+        throw new Error(`invalid data format for object-id - ${scope.id}`);
+      }
+    }
+  }
+  return verifiedScopes;
+};
+
+module.exports = {
+  getAllPermissions: async (req, res, next) => {
+    let { page, perPage } = req.query;
+    page = page || 0;
+    perPage = perPage || 10;
+
+    const result = await UserPermission.find(
+      {},
+      { id: 1, name: 1, inventoryScopes: 1, warehouseScopes: 1, actions: 1 },
+      { skip: page * perPage, limit: perPage }
+    );
+    res.send({ success: true, data: result });
+  },
+  getPermission: async (req, res, next) => {
+    try {
+      const { id } = req.params;
+      if (mongoose.isValidObjectId(id)) {
+        const permission = await UserPermission.findById(id);
+        res.send({ success: true, data: permission });
+      } else {
+        throw new Error(`invalid data format for object-id - ${id}`);
+      }
+    } catch (e) {
+      next(e);
+    }
+  },
+  createPermission: async (req, res, next) => {
+    try {
+      const { name, inventoryScopes, warehouseScopes, actions } = req.body;
+      const verifiedInventoryScopes = await getScopes(
+        inventoryScopes,
+        InventoryScopes
+      );
+      const verifiedWarehouseScopes = await getScopes(
+        warehouseScopes,
+        WarehouseScopes
+      );
+
+      const newUserPermission = await UserPermission.create({
+        name,
+        inventoryScopes: verifiedInventoryScopes,
+        warehouseScopes: verifiedWarehouseScopes,
+        actions: actions == undefined ? [] : actions,
+      });
+      res.send({ success: true, data: newUserPermission });
+    } catch (e) {
+      next(e);
+    }
+  },
+  updatePermission: async (req, res, next) => {
+    // Need more clarity
+    res.send({ success: false, error: "not implemented" });
+  },
+  deletePermission: async (req, res, next) => {
+    try {
+      const { id } = req.params;
+      if (mongoose.isValidObjectId(id)) {
+        const result = await UserPermission.deleteOne({ _id: id });
+        res.send({ success: true, data: result });
+      } else {
+        throw new Error(`invalid data format for object-id - ${id}`);
+      }
+    } catch (e) {
+      next(e);
+    }
+  },
 };
diff --git a/src/controller/userPermission.router.js b/src/controller/userPermission.router.js
index f450661..ca5d777 100644
--- a/src/controller/userPermission.router.js
+++ b/src/controller/userPermission.router.js
@@ -4,7 +4,7 @@ const controller = require("./userPermission.controller");
 router.get("/all", controller.getAllPermissions);
 router.get("/:id", controller.getPermission);
 router.post("/create", controller.createPermission);
-router.patch("/:id", controller.updatePermission);
+router.post("/:id", controller.updatePermission);
 router.delete("/:id", controller.deletePermission);
 
 module.exports = router;
diff --git a/src/models/UserPermission.js b/src/models/UserPermission.js
index 30f5fb0..be2cf93 100644
--- a/src/models/UserPermission.js
+++ b/src/models/UserPermission.js
@@ -1,33 +1,49 @@
 const mongoose = require("mongoose");
-const { UserActions, WarehouseScopes } = require("./../config/constants");
+const {
+  UserActions,
+  WarehouseScopes,
+  InventoryScopes,
+} = require("./../config/constants");
 
 const schema = new mongoose.Schema(
   {
     name: {
       type: String,
       required: true,
+      unique: true,
       trim: true,
     },
-    inventory: {
-      type: mongoose.Schema.Types.ObjectId,
-      ref: "Inventory",
-    },
-    warehouseScope: {
-      on: {
-        type: mongoose.Schema.Types.ObjectId,
-        refPath: "onModel",
+    inventoryScopes: [
+      {
+        id: {
+          type: mongoose.Schema.Types.ObjectId,
+          refPath: "type",
+        },
+        type: {
+          type: String,
+          enum: InventoryScopes,
+        },
       },
-      onModel: {
+    ],
+    warehouseScopes: [
+      {
+        id: {
+          type: mongoose.Schema.Types.ObjectId,
+          refPath: "type",
+        },
+        type: {
+          type: String,
+          enum: WarehouseScopes,
+        },
+      },
+    ],
+    actions: [
+      {
         type: String,
         required: true,
-        enum: WarehouseScopes,
+        enum: UserActions,
       },
-    },
-    actions: {
-      type: String,
-      required: true,
-      enum: UserActions,
-    },
+    ],
   },
   {
     timestamps: true,