diff --git a/auth/auth.go b/auth/auth.go
new file mode 100644
index 0000000..1787336
--- /dev/null
+++ b/auth/auth.go
@@ -0,0 +1,11 @@
+package auth
+
+import "gorm.io/gorm"
+
+type Authentication struct {
+ db *gorm.DB
+}
+
+func NewAuth(db *gorm.DB) *Authentication {
+ return &Authentication{db}
+}
diff --git a/auth/checks.go b/auth/checks.go
new file mode 100644
index 0000000..9d927a9
--- /dev/null
+++ b/auth/checks.go
@@ -0,0 +1,26 @@
+package auth
+
+import "git.mstar.dev/mstar/linstrom/storage"
+
+// Can actorId access the account with targetId?
+func (a *Authentication) CanAccessAccount(actorId *string, targetId string) bool { return true }
+
+// Can actorId edit the account with targetId?
+func (a *Authentication) CanEditAccount(actorId *string, targetIt *string) bool { return true }
+
+// Can actorId delete the account with targetId?
+func (a *Authentication) CanDeleteAccount(actorId *string, targetIt *string) bool { return true }
+
+// Can actorId create a new post at all?
+// Specific restrictions regarding the content are not checked
+func (a *Authentication) CanCreatePost(actorId string) bool { return true }
+
+// Ensures that a given post conforms with all roles attached to the author account.
+// Returns the conforming note (or nil of it can't be changed to conform)
+// and whether the note was changed
+func (a *Authentication) EnsureNoteConformsWithRoles(note *storage.Note) (*storage.Note, bool) {
+ return note, false
+}
+
+// Does the given note conform with the roles attached to the author account?
+func (a *Authentication) DoesNoteConform(note *storage.Note) bool { return true }
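Review bot: In auth/auth.go the exported `Authentication` type and `NewAuth` carry no doc comments, and nothing states whether a nil `db` is acceptable for the authorization checks that hang off this type. I would add `// Authentication answers authorization questions for the server; it holds the database handle passed to NewAuth.` and `// NewAuth returns an Authentication that uses db; db must not be nil.`. The positional literal is better written as `return &Authentication{db: db}`, so that adding a field later does not break or misassign the initialisation.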
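Review bot: In auth/checks.go every check (`CanAccessAccount`, `CanEditAccount`, `CanDeleteAccount`, `CanCreatePost`, `DoesNoteConform`) returns `true` unconditionally, so any caller wired to these placeholders is granted access, including when `actorId` is nil (presumably an unauthenticated actor). Until the role logic exists the stubs should deny by default and be marked as unimplemented, for example `func (a *Authentication) CanEditAccount(actorId *string, targetId *string) bool { return false } // TODO: role check not implemented, deny by default`. The parameter is spelled `targetIt` in `CanEditAccount` and `CanDeleteAccount` and should be `targetId`. `CanAccessAccount` takes `targetId string` while the other two take `*string`, which looks unintended. The comment on `EnsureNoteConformsWithRoles` should read "nil if it can't be changed", and Go doc comments conventionally start with the method name.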