diff --git a/src/components/ActionsMenu/index.jsx b/src/components/ActionsMenu/index.jsx
index 5100d570..b888ade0 100644
--- a/src/components/ActionsMenu/index.jsx
+++ b/src/components/ActionsMenu/index.jsx
@@ -4,6 +4,7 @@
  * Shows dropdown menu with actions.
  */
 import React, { useState, useCallback } from "react";
+import _ from "lodash";
 import PT from "prop-types";
 import "./styles.module.scss";
 import OutsideClickHandler from "react-outside-click-handler";
@@ -89,7 +90,7 @@ const ActionsMenu = ({ options = [] }) => {
           {...attributes.popper}
         >
           <div styleName="list">
-            {options.map((option, index) => {
+            {_.reject(options, "hidden").map((option, index) => {
               if (option.separator) {
                 return <div key={index} styleName="separator" />;
               } else {
@@ -124,6 +125,7 @@ ActionsMenu.propTypes = {
       label: PT.string,
       action: PT.func,
       separator: PT.bool,
+      hidden: PT.bool,
     })
   ),
 };
diff --git a/src/components/FormField/index.jsx b/src/components/FormField/index.jsx
index 2af5c131..677246ce 100644
--- a/src/components/FormField/index.jsx
+++ b/src/components/FormField/index.jsx
@@ -87,6 +87,7 @@ const FormField = ({ field }) => {
               onChange={input.onChange}
               onBlur={input.onBlur}
               onFocus={input.onFocus}
+              disabled={field.disabled}
             />
           )}
           {(field.isRequired || field.customValidator) &&
diff --git a/src/components/ReactSelect/index.jsx b/src/components/ReactSelect/index.jsx
index cb6c3bec..567b70b2 100644
--- a/src/components/ReactSelect/index.jsx
+++ b/src/components/ReactSelect/index.jsx
@@ -84,6 +84,7 @@ const ReactSelect = (props) => {
           onInputChange={props.onInputChange}
           noOptionsMessage={() => props.noOptionsText}
           createOptionPosition="first"
+          isDisabled={props.disabled}
         />
       ) : (
         <Select
@@ -98,6 +99,7 @@ const ReactSelect = (props) => {
           placeholder={props.placeholder}
           onInputChange={props.onInputChange}
           noOptionsMessage={() => props.noOptionsText}
+          isDisabled={props.disabled}
         />
       )}
     </div>
@@ -121,6 +123,7 @@ ReactSelect.propTypes = {
   ),
   isCreatable: PT.bool,
   noOptionsText: PT.string,
+  disabled: PT.bool,
 };
 
 export default ReactSelect;
diff --git a/src/components/TCForm/index.jsx b/src/components/TCForm/index.jsx
index e66614d8..b4fea163 100644
--- a/src/components/TCForm/index.jsx
+++ b/src/components/TCForm/index.jsx
@@ -4,6 +4,7 @@
  * Shows form, field and actions.
  */
 import React, { useState, useEffect } from "react";
+import _ from "lodash";
 import PT from "prop-types";
 import { FORM_ROW_TYPE, FORM_FIELD_TYPE } from "../../constants";
 import { Form } from "react-final-form";
@@ -56,17 +57,24 @@ const TCForm = ({
                     <>
                       {row.type === FORM_ROW_TYPE.GROUP && (
                         <div styleName="field-group">
-                          {row.fields.map((field) => (
-                            <div styleName="field-group-field" key={field.name}>
-                              <FormField field={fields[field]} />
-                            </div>
-                          ))}
+                          {row.fields.map((field) =>
+                            !fields[field].hidden ? (
+                              <div
+                                styleName="field-group-field"
+                                key={field.name}
+                              >
+                                <FormField field={fields[field]} />
+                              </div>
+                            ) : null
+                          )}
                         </div>
                       )}
                       {row.type === FORM_ROW_TYPE.SINGLE &&
-                        row.fields.map((field) => {
-                          return <FormField field={fields[field]} />;
-                        })}
+                        row.fields.map((field) =>
+                          !fields[field].hidden ? (
+                            <FormField field={fields[field]} />
+                          ) : null
+                        )}
                     </>
                   );
                 })}
diff --git a/src/constants/permissions.js b/src/constants/permissions.js
new file mode 100644
index 00000000..776c22f1
--- /dev/null
+++ b/src/constants/permissions.js
@@ -0,0 +1,101 @@
+/**
+ * User permission policies.
+ * Can be used with `hasPermission` method.
+ *
+ * PERMISSION GUIDELINES
+ *
+ * All the permission name and meaning should define **WHAT** can be done having such permission
+ * but not **WHO** can do it.
+ *
+ * Examples of CORRECT permission naming and meaning:
+ *    - `VIEW_PROJECT`
+ *    - `EDIT_MILESTONE`
+ *    - `DELETE_WORK`
+ *
+ * Examples of INCORRECT permissions naming and meaning:
+ *    - `COPILOT_AND_MANAGER`
+ *    - `PROJECT_MEMBERS`
+ *    - `ADMINS`
+ *
+ * The same time **internally only** in this file, constants like `COPILOT_AND_ABOVE`,
+ * `PROJECT_MEMBERS`, `ADMINS` could be used to define permissions.
+ *
+ * NAMING GUIDELINES
+ *
+ * There are unified prefixes to indicate what kind of permissions.
+ * If no prefix is suitable, please, feel free to use a new prefix.
+ *
+ * CREATE_ - create somethings
+ * READ_   - read something
+ * UPDATE_ - update something
+ * DELETE_ - delete something
+ *
+ * MANAGE_ - means combination of 3 operations CREATE/UPDATE/DELETE.
+ *           usually should be used, when READ operation is allowed to everyone
+ *           while 3 manage operations require additional permissions
+ * ACCESS_ - means combination of all 4 operations READ/CREATE/UPDATE/DELETE.
+ *           usually should be used, when by default users cannot even READ something
+ *           and if someone can READ, then also can do other kind of operations.
+ *
+ * ANTI-PERMISSIONS
+ *
+ * If it's technically impossible to create permission rules for some situation in "allowed" manner,
+ * in such case we can create permission rules, which would disallow somethings.
+ * - Create such rules ONLY IF CREATING ALLOW RULE IS IMPOSSIBLE.
+ * - Add a comment to such rules explaining why allow-rule cannot be created.
+ */
+/* eslint-disable no-unused-vars */
+import _ from "lodash";
+
+/**
+ * Topcoder User roles
+ *
+ * Here we list only the part of the roles which might be used in the TaaS App
+ */
+export const TOPCODER_ROLE = {
+  BOOKING_MANAGER: "bookingmanager",
+  CONNECT_MANAGER: "Connect Manager",
+  ADMINISTRATOR: "administrator",
+  TOPCODER_USER: "Topcoder User",
+};
+
+/**
+ * Project Member roles
+ *
+ * NOTE: Team in the TaaS app is same as Project in Connect App or Projects Serivce API
+ *
+ * Here we list only the part of the project member roles which are used in TaaS App
+ */
+export const PROJECT_ROLE = {
+  CUSTOMER: "customer",
+};
+
+/*
+ * The next sets of roles are exported for outside usage with `hasPermission` method.
+ */
+
+export const PERMISSIONS = {
+  EDIT_RESOURCE_BOOKING: {
+    meta: {
+      group: "Resource Booking",
+      title: "Edit Resource Booking",
+    },
+    topcoderRoles: [TOPCODER_ROLE.BOOKING_MANAGER, TOPCODER_ROLE.ADMINISTRATOR],
+  },
+
+  ACCESS_RESOURCE_BOOKING_MEMBER_RATE: {
+    meta: {
+      group: "Resource Booking",
+      title: "Access Member Rate (view and edit)",
+    },
+    topcoderRoles: [TOPCODER_ROLE.BOOKING_MANAGER, TOPCODER_ROLE.ADMINISTRATOR],
+  },
+
+  EDIT_JOB_STATUS: {
+    meta: {
+      group: "Job",
+      title: 'Edit Job "status"',
+    },
+    topcoderRoles: [TOPCODER_ROLE.BOOKING_MANAGER, TOPCODER_ROLE.ADMINISTRATOR],
+  },
+};
diff --git a/src/hoc/withAuthentication/actions/index.js b/src/hoc/withAuthentication/actions/index.js
new file mode 100644
index 00000000..3f1450a4
--- /dev/null
+++ b/src/hoc/withAuthentication/actions/index.js
@@ -0,0 +1,26 @@
+/**
+ * Auth User actions
+ */
+
+export const ACTION_TYPE = {
+  AUTH_USER_SUCCESS: "AUTH_USER_SUCCESS",
+  AUTH_USER_ERROR: "AUTH_USER_ERROR",
+};
+
+/**
+ * Action to set auth user data
+ *
+ * @param {object} tokenData user data from token
+ */
+export const authUserSuccess = (tokenData) => ({
+  type: ACTION_TYPE.AUTH_USER_SUCCESS,
+  payload: tokenData,
+});
+
+/**
+ * Action to set auth user error
+ */
+export const authUserError = (error) => ({
+  type: ACTION_TYPE.AUTH_USER_ERROR,
+  payload: error,
+});
diff --git a/src/hoc/withAuthentication.js b/src/hoc/withAuthentication/index.js
similarity index 63%
rename from src/hoc/withAuthentication.js
rename to src/hoc/withAuthentication/index.js
index 785dcdcb..e32696a5 100644
--- a/src/hoc/withAuthentication.js
+++ b/src/hoc/withAuthentication/index.js
@@ -4,13 +4,17 @@
  * wrap component for authentication
  */
 import React, { useState, useEffect } from "react";
+import _ from "lodash";
 import { getAuthUserTokens, login } from "@topcoder/micro-frontends-navbar-app";
-import LoadingIndicator from "../components/LoadingIndicator";
+import LoadingIndicator from "../../components/LoadingIndicator";
+import { authUserSuccess, authUserError } from "./actions";
+import { decodeToken } from "utils/helpers";
+import { useDispatch, useSelector } from "react-redux";
 
 export default function withAuthentication(Component) {
   const AuthenticatedComponent = (props) => {
-    let [isLoggedIn, setIsLoggedIn] = useState(null);
-    let [authError, setAuthError] = useState(false);
+    const dispatch = useDispatch();
+    const { isLoggedIn, authError } = useSelector((state) => state.authUser);
 
     useEffect(() => {
       // prevent page redirecting to login page when unmount
@@ -18,16 +22,20 @@ export default function withAuthentication(Component) {
       getAuthUserTokens()
         .then(({ tokenV3 }) => {
           if (!!tokenV3) {
-            setIsLoggedIn(!!tokenV3);
+            const tokenData = decodeToken(tokenV3);
+            dispatch(
+              authUserSuccess(_.pick(tokenData, ["userId", "handle", "roles"]))
+            );
           } else if (!isUnmount) {
             login();
           }
         })
-        .catch(setAuthError);
+        .catch((error) => dispatch(authUserError(error)));
+
       return () => {
         isUnmount = true;
       };
-    }, []);
+    }, [dispatch]);
 
     return (
       <>
diff --git a/src/hoc/withAuthentication/reducers/index.js b/src/hoc/withAuthentication/reducers/index.js
new file mode 100644
index 00000000..a67daa43
--- /dev/null
+++ b/src/hoc/withAuthentication/reducers/index.js
@@ -0,0 +1,35 @@
+/**
+ * Reducer for `authUser`
+ */
+
+import { ACTION_TYPE } from "../actions";
+
+const initialState = {
+  isLoggedIn: null,
+  userId: null,
+  handle: null,
+  roles: [],
+  authError: null,
+};
+
+const reducer = (state = initialState, action) => {
+  switch (action.type) {
+    case ACTION_TYPE.AUTH_USER_SUCCESS:
+      return {
+        ...initialState,
+        ...action.payload,
+        isLoggedIn: true,
+      };
+
+    case ACTION_TYPE.AUTH_USER_ERROR:
+      return {
+        ...initialState,
+        authError: action.payload,
+      };
+
+    default:
+      return state;
+  }
+};
+
+export default reducer;
diff --git a/src/reducers/index.js b/src/reducers/index.js
index 70d2ffa8..eedfe333 100644
--- a/src/reducers/index.js
+++ b/src/reducers/index.js
@@ -6,12 +6,14 @@ import { reducer as toastrReducer } from "react-redux-toastr";
 import positionDetailsReducer from "../routes/PositionDetails/reducers";
 import teamMembersReducer from "../routes/TeamAccess/reducers";
 import reportPopupReducer from "../components/ReportPopup/reducers";
+import authUserReducer from "../hoc/withAuthentication/reducers";
 
 const rootReducer = combineReducers({
   toastr: toastrReducer,
   positionDetails: positionDetailsReducer,
   teamMembers: teamMembersReducer,
   reportPopup: reportPopupReducer,
+  authUser: authUserReducer,
 });
 
 export default rootReducer;
diff --git a/src/routes/JobForm/utils.js b/src/routes/JobForm/utils.js
index b3589696..556565c1 100644
--- a/src/routes/JobForm/utils.js
+++ b/src/routes/JobForm/utils.js
@@ -1,6 +1,8 @@
 /**
  * JobForm utilities
  */
+import { PERMISSIONS } from "constants/permissions";
+import { hasPermission } from "utils/permissions";
 import {
   RATE_TYPE_OPTIONS,
   STATUS_OPTIONS,
@@ -101,6 +103,7 @@ export const getEditJobConfig = (skillOptions, onSubmit) => {
         validationMessage: "Please, select Status",
         name: "status",
         selectOptions: STATUS_OPTIONS,
+        disabled: !hasPermission(PERMISSIONS.EDIT_JOB_STATUS),
       },
     ],
     onSubmit: onSubmit,
diff --git a/src/routes/MyTeamsDetails/components/TeamMembers/index.jsx b/src/routes/MyTeamsDetails/components/TeamMembers/index.jsx
index 037d0c88..71da63c2 100644
--- a/src/routes/MyTeamsDetails/components/TeamMembers/index.jsx
+++ b/src/routes/MyTeamsDetails/components/TeamMembers/index.jsx
@@ -24,6 +24,8 @@ import {
 import Input from "components/Input";
 import { skillShape } from "components/SkillsList";
 import { useReportPopup } from "components/ReportPopup/hooks/useReportPopup";
+import { hasPermission } from "utils/permissions";
+import { PERMISSIONS } from "constants/permissions";
 
 const TeamMembers = ({ team }) => {
   const { resources, jobs } = team;
@@ -156,9 +158,11 @@ const TeamMembers = ({ team }) => {
                               `/taas/myteams/${team.id}/rb/${member.id}/edit`
                             );
                           },
+                          hidden: !hasPermission(PERMISSIONS.EDIT_RESOURCE_BOOKING),
                         },
                         {
                           separator: true,
+                          hidden: !hasPermission(PERMISSIONS.EDIT_RESOURCE_BOOKING),
                         },
                         {
                           label: "Report an Issue",
diff --git a/src/routes/ResourceBookingDetails/ResourceDetails/index.jsx b/src/routes/ResourceBookingDetails/ResourceDetails/index.jsx
index f0fc836b..c5e16031 100644
--- a/src/routes/ResourceBookingDetails/ResourceDetails/index.jsx
+++ b/src/routes/ResourceBookingDetails/ResourceDetails/index.jsx
@@ -11,6 +11,8 @@ import IconMoney from "../../../assets/images/icon-money.svg";
 import IconComputer from "../../../assets/images/icon-computer.svg";
 import IconBag from "../../../assets/images/icon-bag.svg";
 import "./styles.module.scss";
+import { PERMISSIONS } from "constants/permissions";
+import { hasPermission } from "utils/permissions";
 
 const ResourceDetails = ({ resource, jobTitle }) => {
   return (
@@ -55,11 +57,13 @@ const ResourceDetails = ({ resource, jobTitle }) => {
             />
           </div>
           <div styleName="table-cell">
-            <DataItem
-              icon={<IconMoney />}
-              title="Member Rate"
-              children={formatMoney(resource.memberRate)}
-            />
+            {hasPermission(PERMISSIONS.ACCESS_RESOURCE_BOOKING_MEMBER_RATE) && (
+              <DataItem
+                icon={<IconMoney />}
+                title="Member Rate"
+                children={formatMoney(resource.memberRate)}
+              />
+            )}
           </div>
         </div>
       </div>
diff --git a/src/routes/ResourceBookingDetails/index.jsx b/src/routes/ResourceBookingDetails/index.jsx
index b2bc7828..3dfd30f3 100644
--- a/src/routes/ResourceBookingDetails/index.jsx
+++ b/src/routes/ResourceBookingDetails/index.jsx
@@ -4,7 +4,7 @@
  * Page for resource booking details.
  * It gets `teamId` and `resourceBookingId` from the router.
  */
-import React, { useMemo, useState, useEffect } from "react";
+import React, { useState, useEffect } from "react";
 import PT from "prop-types";
 import _ from "lodash";
 import Page from "../../components/Page";
@@ -18,6 +18,8 @@ import Button from "../../components/Button";
 import ResourceSummary from "./ResourceSummary";
 import ResourceDetails from "./ResourceDetails";
 import "./styles.module.scss";
+import { hasPermission } from "utils/permissions";
+import { PERMISSIONS } from "constants/permissions";
 
 const ResourceBookingDetails = ({ teamId, resourceBookingId }) => {
   const [resource, loadingError] = useData(
@@ -61,14 +63,16 @@ const ResourceBookingDetails = ({ teamId, resourceBookingId }) => {
           <div styleName="content-wrapper">
             <ResourceSummary member={member} />
             <ResourceDetails resource={resource} jobTitle={jobTitle} />
-            <div styleName="actions">
-              <Button
-                size="medium"
-                routeTo={`/taas/myteams/${teamId}/rb/${resource.id}/edit`}
-              >
-                Edit Member Details
-              </Button>
-            </div>
+            {hasPermission(PERMISSIONS.EDIT_RESOURCE_BOOKING) && (
+              <div styleName="actions">
+                <Button
+                  size="medium"
+                  routeTo={`/taas/myteams/${teamId}/rb/${resource.id}/edit`}
+                >
+                  Edit Member Details
+                </Button>
+              </div>
+            )}
           </div>
         </>
       )}
diff --git a/src/routes/ResourceBookingForm/utils.js b/src/routes/ResourceBookingForm/utils.js
index a373df11..ef1eb210 100644
--- a/src/routes/ResourceBookingForm/utils.js
+++ b/src/routes/ResourceBookingForm/utils.js
@@ -10,6 +10,8 @@ import {
   FORM_ROW_TYPE,
   FORM_FIELD_TYPE,
 } from "../../constants";
+import { hasPermission } from "utils/permissions";
+import { PERMISSIONS } from "constants/permissions";
 
 const EDIT_RESOURCE_BOOKING_ROWS = [
   { type: FORM_ROW_TYPE.SINGLE, fields: ["handle"] },
@@ -43,6 +45,7 @@ export const getEditResourceBookingConfig = (onSubmit) => {
         minValue: 0,
         placeholder: "Member Rate",
         step: 0.01,
+        hidden: !hasPermission(PERMISSIONS.ACCESS_RESOURCE_BOOKING_MEMBER_RATE),
       },
       {
         label: "Start Date",
diff --git a/src/utils/helpers.js b/src/utils/helpers.js
index 6a839add..afbf1a79 100644
--- a/src/utils/helpers.js
+++ b/src/utils/helpers.js
@@ -4,6 +4,7 @@
  * This file should contain helper methods which cannot be grouped into a separate file like we did for "format.js".
  * If there are multiple methods which could be grouped into a separate file by their meaning they should be extracted from here to not make this file too big.
  */
+import _ from "lodash";
 
 /**
  * Delay code for some milliseconds using promise.
@@ -16,3 +17,74 @@ export const delay = (duration) =>
   new Promise((resolve) => {
     setTimeout(resolve, duration);
   });
+
+/**
+ * Decode URL Base64 string
+ *
+ * This method was taken from https://github.com/topcoder-platform/tc-auth-lib/blob/dev/src/token.js
+ *
+ * @param {string} str URL base 64 string
+ *
+ * @returns {string} JSON string
+ */
+function urlBase64Decode(str) {
+  let output = str.replace(/-/g, "+").replace(/_/g, "/");
+
+  switch (output.length % 4) {
+    case 0:
+      break;
+
+    case 2:
+      output += "==";
+      break;
+
+    case 3:
+      output += "=";
+      break;
+
+    default:
+      throw new Error("Illegal base64url string!");
+  }
+  return decodeURIComponent(escape(atob(output))); //polyfill https://github.com/davidchambers/Base64.js
+}
+
+/**
+ * Decode data of the bearer user token
+ *
+ * This method was taken from https://github.com/topcoder-platform/tc-auth-lib/blob/dev/src/token.js
+ *
+ * @param {string} token Bearer user token
+ */
+export function decodeToken(token) {
+  const parts = token.split(".");
+
+  if (parts.length !== 3) {
+    throw new Error("The token is invalid");
+  }
+
+  const decoded = urlBase64Decode(parts[1]);
+
+  if (!decoded) {
+    throw new Error("Cannot decode the token");
+  }
+
+  // covert base64 token in JSON object
+  let t = JSON.parse(decoded);
+
+  // tweaking for custom claim for RS256
+  t.userId = _.parseInt(
+    _.find(t, (value, key) => {
+      return key.indexOf("userId") !== -1;
+    })
+  );
+
+  t.handle = _.find(t, (value, key) => {
+    return key.indexOf("handle") !== -1;
+  });
+
+  t.roles = _.find(t, (value, key) => {
+    return key.indexOf("roles") !== -1;
+  });
+
+  return t;
+}
diff --git a/src/utils/permissions.js b/src/utils/permissions.js
new file mode 100644
index 00000000..319e84c3
--- /dev/null
+++ b/src/utils/permissions.js
@@ -0,0 +1,162 @@
+import _ from "lodash";
+import store from "../store";
+
+/**
+ * Check if user has permission.
+ * - By default this method if logged-in user has `permission` for the project
+ *   currently loaded in the Redux Store.
+ * - Optionally, we can check permission for another `project` or `user` by passing them in `entities` argument.
+ *
+ * `permission` may be defined in two ways:
+ *  - **Full** way with defined `allowRule` and optional `denyRule`, example:
+ *    ```js
+ *    {
+ *       allowRule: {
+ *          projectRoles: [],
+ *          topcoderRoles: []
+ *       },
+ *       denyRule: {
+ *          projectRoles: [],
+ *          topcoderRoles: []
+ *       }
+ *    }
+ *    ```
+ *    If user matches `denyRule` then the access would be dined even if matches `allowRule`.
+ *  - **Simplified** way may be used if we only want to define `allowRule`.
+ *    We can skip the `allowRule` property and define `allowRule` directly inside `permission` object, example:
+ *    ```js
+ *    {
+ *       projectRoles: [],
+ *       topcoderRoles: []
+ *    }
+ *    ```
+ *    This **simplified** permission is equal to a **full** permission:
+ *    ```js
+ *    {
+ *       allowRule: {
+ *         projectRoles: [],
+ *         topcoderRoles: []
+ *       }
+ *    }
+ *    ```
+ *
+ * @param {Object}        permissionRule               permission rule
+ * @param {Array<String>} permissionRule.projectRoles  the list of project roles of the user
+ * @param {Array<String>} permissionRule.topcoderRoles the list of Topcoder roles of the user
+ * @param {Object}        [entities]                   `project` and `user` which has to be used to check permission
+ * @param {Object}        [entities.project]           project
+ * @param {Array}         entities.project.members     list of project members
+ * @param {Object}        [entities.user]              user
+ * @param {String}        entities.user.role                    user Project Role
+ *
+ * @returns {Boolean}     true, if has permission
+ */
+export const hasPermission = (permission, entities = {}) => {
+  const user = entities.user || _.get(store.getState(), "authUser", {});
+  // TODO: at the moment there is no place in Redux Store where we store project, so we have to always pass it manually
+  const project = entities.project || null;
+
+  const allowRule = permission.allowRule ? permission.allowRule : permission;
+  const denyRule = permission.denyRule ? permission.denyRule : null;
+
+  const allow = matchPermissionRule(allowRule, user, project);
+  const deny = matchPermissionRule(denyRule, user, project);
+
+  return allow && !deny;
+};
+
+/**
+ * Check if user match the permission rule.
+ * (Helper method, most likely wouldn't be used directly).
+ *
+ * This method uses permission rule defined in `permissionRule`
+ * and checks that the `user` matches it.
+ *
+ * If we define a rule with `projectRoles` list, we also should provide `projectMembers`
+ * - the list of project members.
+ *
+ * `permissionRule.projectRoles` may be equal to `true` which means user is a project member with any role
+ *
+ * `permissionRule.topcoderRoles` may be equal to `true` which means user is a logged-in user
+ *
+ * @param {Object}        permissionRule               permission rule
+ * @param {Array<String>|Array<Object>|Boolean} permissionRule.projectRoles  the list of project roles of the user
+ * @param {Array<String>|Boolean} permissionRule.topcoderRoles the list of Topcoder roles of the user
+ * @param {Object}        user                         user for whom we check permissions
+ * @param {String}        user.role                    user Project Role
+ * @param {Object}        [project]                    project object - required to check `topcoderRoles`
+ * @param {Array}         project.members              list of project members - required to check `topcoderRoles`
+ *
+ * @returns {Boolean}     true, if has permission
+ */
+const matchPermissionRule = (permissionRule, user, project) => {
+  let hasProjectRole = false;
+  let hasTopcoderRole = false;
+
+  // if no rule defined, no access by default
+  if (!permissionRule) {
+    return false;
+  }
+
+  if (permissionRule.projectRoles && !project) {
+    throw new Error(
+      'You are trying to check permission using permission rule with "projectRoles", but you didn\'t pass "project" object.'
+    );
+  }
+
+  // check Project Roles
+  if (permissionRule.projectRoles && project && project.members) {
+    if (_.some(permissionRule.projectRoles, (rule) => _.isArray(rule))) {
+      throw new Error(
+        'Role cannot be an array. Make sure, that "projectRoles" doesn\'t have nested arrays: ' +
+          JSON.stringify(permissionRule.projectRoles)
+      );
+    }
+    const userId = !_.isNumber(user.userId)
+      ? parseInt(user.userId, 10)
+      : user.userId;
+    const member = _.find(project.members, { userId });
+
+    if (permissionRule.projectRoles.length > 0) {
+      // as we support `projectRoles` as strings and as objects like:
+      // { role: "...", isPrimary: true } we have normalize them to a common shape
+      const normalizedProjectRoles = permissionRule.projectRoles.map((rule) =>
+        _.isString(rule) ? { role: rule } : rule
+      );
+      hasProjectRole =
+        member &&
+        _.some(normalizedProjectRoles, (rule) =>
+          // checks that common properties are equal
+          _.isMatch(member, rule)
+        );
+    } else if (permissionRule.projectRoles === true) {
+      // `projectRoles === true` means that we check if user is a member of the project
+      // with any role
+      hasProjectRole = !!member;
+    }
+  }
+
+  // check Topcoder Roles
+  if (permissionRule.topcoderRoles) {
+    if (_.some(permissionRule.topcoderRoles, (rule) => _.isArray(rule))) {
+      throw new Error(
+        'Role cannot be an array. Make sure, that "topcoderRoles" doesn\'t have nested arrays: ' +
+          JSON.stringify(permissionRule.topcoderRoles)
+      );
+    }
+    if (permissionRule.topcoderRoles.length > 0) {
+      hasTopcoderRole =
+        _.intersection(
+          _.get(user, "roles", []).map((role) => role.toLowerCase()),
+          permissionRule.topcoderRoles.map((role) => role.toLowerCase())
+        ).length > 0;
+    } else if (permissionRule.topcoderRoles === true) {
+      // `topcoderRoles === true` means that we check if user is has any Topcoder role
+      // basically this equals to logged-in user, as all the Topcoder users
+      // have at least one role `Topcoder User`
+      hasTopcoderRole = _.get(user, "roles").length > 0;
+    }
+  }
+
+  return hasProjectRole || hasTopcoderRole;
+};