- First, we will need to define an administration permission for the entity. This is done by ensuring that the admin_permission key is present in the entity's annotation document block:
```php
/**
 * Defines the message entity class.
 *
 * @ContentEntityType(
 *   id = "message",
 *   label = @Translation("Message"),
 *   handlers = {...},
 *   base_table = "message",
 *   fieldable = TRUE,
 *   admin_permission = "administer messages",
 *   entity_keys = {
 *     "id" = "message_id",
 *     "label" = "title",
 *     "langcode" = "langcode",
 *     "uuid" = "uuid"
 *   },
 *   links = {...},
 * )
 */
```
The entity access handler provided by core checks whether the entity type defines this option. If it is provided, it is used as the basis for access checks.
- Next, we will want to specify permissions that are granular per bundle:
```php
/**
 * Defines the message entity class.
 *
 * @ContentEntityType(
 *   id = "message",
 *   label = @Translation("Message"),
 *   handlers = {...},
 *   base_table = "message",
 *   fieldable = TRUE,
 *   admin_permission = "administer messages",
 *   permission_granularity = "bundle",
 *   bundle_entity_type = "message_type",
 *   field_ui_base_route = "entity.message_type.edit_form",
 *   entity_keys = {
 *     "id" = "message_id",
 *     "label" = "title",
 *     "langcode" = "langcode",
 *     "bundle" = "type",
 *     "uuid" = "uuid"
 *   },
 *   links = {...},
 * )
 */
```
The permission_granularity key will tell the system what permissions should be generated and how the access should be checked. This way, one user could create Announcement messages but not Bulletin messages.
- Then, we define the permission_provider handler, which will generate our permissions:
```php
/**
 * Defines the message entity class.
 *
 * @ContentEntityType(
 *   id = "message",
 *   label = @Translation("Message"),
 *   handlers = {
 *     "list_builder" = "Drupal\mymodule\MessageListBuilder",
 *     "permission_provider" = "\Drupal\entity\EntityPermissionProvider",
 *     "form" = {...},
 *     "route_provider" = {...},
 *   },
 *   base_table = "message",
 *   fieldable = TRUE,
 *   admin_permission = "administer messages",
 *   permission_granularity = "bundle",
 *   bundle_entity_type = "message_type",
 *   field_ui_base_route = "entity.message_type.edit_form",
 *   entity_keys = {...},
 *   links = {...},
 * )
 */
```
- The final adjustment to our entity annotation is to change the default access handler:
```php
/**
 * Defines the message entity class.
 *
 * @ContentEntityType(
 *   id = "message",
 *   label = @Translation("Message"),
 *   handlers = {
 *     "list_builder" = "Drupal\mymodule\MessageListBuilder",
 *     "access" = "\Drupal\entity\EntityAccessControlHandler",
 *     "permission_provider" = "\Drupal\entity\EntityPermissionProvider",
 *     "form" = {...},
 *     "route_provider" = {...},
 *   },
 *   base_table = "message",
 *   fieldable = TRUE,
 *   admin_permission = "administer messages",
 *   permission_granularity = "bundle",
 *   bundle_entity_type = "message_type",
 *   field_ui_base_route = "entity.message_type.edit_form",
 *   entity_keys = {...},
 *   links = {...},
 * )
 */
```
- Rebuild Drupal's caches, or install the module if it is not yet installed.
- Verify that the permissions are available on the permissions overview page.
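To check the result of the steps above beyond the overview page, the following added example (not code from the recipe or from the Entity module) lists the permissions registered for the entity type and prints, per role, which bundles that role can create. It assumes a bootstrapped site and is run with `drush php:script`; the file name is hypothetical, and permissions are matched by name only.

```php
<?php

/**
 * Added example: audit access to "message" entities.
 * Run with: drush php:script audit_message_access.php (file name assumed).
 */

use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\UserSession;
use Drupal\user\Entity\Role;

$entity_type_id = 'message';
$manager = \Drupal::entityTypeManager();
$admin_permission = $manager->getDefinition($entity_type_id)->getAdminPermission();
$handler = $manager->getAccessControlHandler($entity_type_id);
$bundles = array_keys(\Drupal::service('entity_type.bundle.info')->getBundleInfo($entity_type_id));

// 1. Permissions whose machine name mentions the entity type.
foreach (\Drupal::service('user.permissions')->getPermissions() as $name => $info) {
  if (preg_match('/\b' . preg_quote($entity_type_id, '/') . 's?\b/', $name)) {
    printf("permission: %s (provider: %s)\n", $name, $info['provider']);
  }
}

// 2. Effective create access per role and bundle.
foreach (Role::loadMultiple() as $rid => $role) {
  $anonymous = $rid === AccountInterface::ANONYMOUS_ROLE;
  // Throwaway account object; nothing is saved. UserSession does not add the
  // authenticated role by itself, so include it for non-anonymous roles.
  // The uid must not be 1, which bypasses permission checks on older cores.
  $account = new UserSession([
    'uid' => $anonymous ? 0 : PHP_INT_MAX,
    'roles' => $anonymous ? [$rid] : array_unique([AccountInterface::AUTHENTICATED_ROLE, $rid]),
  ]);
  // Access results are statically cached per account ID; reset between roles.
  $handler->resetCache();
  $allowed = [];
  foreach ($bundles as $bundle) {
    if ($handler->createAccess($bundle, $account)) {
      $allowed[] = $bundle;
    }
  }
  // Roles holding the admin permission pass every check regardless of bundle.
  $is_admin = $role->isAdmin() || ($admin_permission && $role->hasPermission($admin_permission));
  printf("role %-20s can create: %s%s\n", $rid,
    $allowed ? implode(', ', $allowed) : '(none)',
    $is_admin ? ' [holds admin permission]' : '');
}
```

A role that lists every bundle without the admin flag has been granted each per-bundle permission individually, which is worth confirming against what was intended.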
