The way to create permissions in a custom module is by creating a *.permissions.yml file and adding the definitions in there. Consider the following example:
administer my feature: title: 'Administer my feature' restrict access: true
In this example, administer my feature is the machine name of the permission and actually the most important part. This is what you will use in your code to reference it. Then, we have a title that shows up on the permissions management page we saw earlier. Finally, we have a restrict access key by which we can specify whether we need a warning to be output on the permissions management page regarding the security implications, as follows: Warning: Give to trusted roles only; this permission has security implications:
This is to indicate that our permission is more sensitive and administrators should pay attention to who they assign it to. This option can, however, be left out (as you will see in most cases actually).
You may have noticed the static nature of this way of defining permissions. In other words, we hardcoded the permission name and only have one permission. In most cases, this will be fine. However, there can be times where you will need multiple permissions defined dynamically based on some other factors in your application. For this, we can use a permission callback.
For example, the Node module defines individual permissions to manage each of its bundles, and this makes sense. Some roles should have access to some bundles while other roles should have access to other bundles. However, there is no way it can know which bundles it will have at any given point. So, it uses a permission callback:
permission_callbacks: - \Drupal\node\NodePermissions::nodeTypePermissions
This is found in the node.permissions.yml file just like the statically defined ones, but it delegates the responsibility of getting the permissions to the nodeTypePermissions method of the NodePermissions class. This is the same notation we use to define Controllers in the route. As a matter of fact, the same class resolver is used to instantiate it.