Python RBAC: Role-Based Access Control in Python

What is RBAC?

Roles, also known as “role-based access control,” are a common way to simplify authorization logic for both engineers and users.

role is a way to group permissions. When a user is assigned a role, the user gets every permission that the role has.

permission is an action that a user can take on a resource. For example, we might say that a user in an organization has permission to read repositories.

There are a number of variations on role-based access to allow for more flexible groupings of permissions, like:

Oso Cloud is an authorization service for building RBAC in Python.

  • Oso Cloud is fully-managed and deployed across multiple regions for low-latency and high availability
  • Oso Cloud comes out of the box with primitives for role-based access control (RBAC). It also includes built-ins for other access control models like relationship-based access control (ReBAC).
  • You provide Oso Cloud with the requisite authorization data, then your RBAC policy operates that data to make authorization decisions at runtime.
  • Oso can provide yes/no authorization decisions, as well as filter lists of data.

Express RBAC in Python with Oso Cloud.

To authorize whether a user has the role required to perform an action on a resource, call Oso in your controller.

You’ll also write an Oso policy—that is, a set of rules—to implement role-based authorization. Here, we’ll show a policy for an app for source code hosting like GitHub or GitLab.

In this policy, users may or may not be able to read or make changes to a repository, depending on whether they’re members or owners. That means we need authorization based on users’ roles.

For a detailed guide on RBAC, read our technology-agnostic Authorization Academy guide to RBAC.

Oso isn’t limited to RBAC. It comes with primitives for other common access control models, like Relationship-based authorization, or ReBAC. For a guide on other authorization patterns, take a look at our guide on authorization modeling covering roles, hierarchies, groups, and other patterns.

Filter Data Based on a User’s Role.

Your app needs to be able to return all the repos that a user can see based on their role and any other relevant criteria. To do this we can use the list method.

Here's that in the Python app again:

How to get started with RBAC in Python.

Create an Oso Cloud account, then try the guide on adding Oso Cloud to your Python app with RBAC.

Feel free to set up a 1x1 with an Oso engineer to learn more about RBAC in Python, Oso Cloud, or just authorization in general.

Learn more about RBAC concepts, architecture, and best practices.

We've written an Authorization Academy to help you get started with RBAC and other authorization topics. The guide is language and technology-agnostic and covers industry-standard authorization concepts. Learn:

  • How to architect your app for RBAC.
  • Common access control models like role-based access control (RBAC) and relationship-based access control (ReBAC) – like when to use them and how to implement them.
  • Where to enforce authorization at various layers in your app.

Then join the community of thousands of developers in the Oso Slack (including many Pythonistas!) We'd love to talk about what you're working on and answer any questions you have.

Level up your authorization knowledge

Learn the basics

A list of FAQs related to application authorization.

Read Authorization Academy

A series of technical guides for building application authorization.

Explore more about Oso

Enterprise-grade authorization without redoing your application architecture.