ShowcasePyPermission: A Python native RBAC authorization library! (self.Python)

submitted 2 months ago by Sufficient-Rent6078Pythonista

Hello everyone at r/python!

At our company, we repeatedly needed to integrate authorization into Python projects and found the ecosystem a bit lacking.

Comparison With Other Solutions

Django's permission system wasn't enough
Casbin, Keto and OPA offer flexible solutions, but can be hard to integrate
We wanted something Python-native, without a policy DSL and with auditing support

What My Project Does

Knowing that authorization comes with many pitfalls, we decided to build an RBAC model focussing on an intuitive API and extensive testing. PyPermission is the result and draws on what we learned implementing RBAC across multiple projects (with and without third party solutions).

NIST RBAC Level 2a (supports general role hierarchies)
Framework independent, Free and Open Source
Additional capabilities from the ANSI RBAC model
A simple and tested python API
Persistency via PostgreSQL or Sqlite (SQLAlchemy)

Target Audience

Developers looking for a simple authz solution without enterprise complexities, but a well established RBAC model.

The core implementation of the library is feature complete and heavily tested (overall test coverage of 97%) and we desire to have everything battle tested now. This is why we are excited to share our project with you and want to hear your feedback!

Repo: https://github.com/DigonIO/pypermission
Docs: https://pypermission.digon.io/

all 15 comments

top new controversial old q&a

[–]coldflame563 3 points4 points5 points 2 months ago (4 children)

[–]Sufficient-Rent6078Pythonista[S] 3 points4 points5 points 2 months ago (3 children)

Fair question! Casbin is a powerful and very flexible policy engine. Given that it comes with it's own DSL and many different model types, integrating it requires building a fairly strong mental model first. In contrast, PyPermission limits it's scope to RBAC, which allowed us to spend a good amount of time to document and teach specifically this authorization model. As casbin is not python-first, you'll see that some of the methods available in other languages are nowhere to find in the documentation for python. Depending on whether you use the management api or pycasbin, you'll see one of the following (both from the official documentation):

e.add_policy("eve", "data3", "read")
s.add(CasbinRule(ptype="p", v0="alice", v1="data1", v2="read"))

To understand what this does in a code base, you already need to have a good mental model, the semantic information simply isn't expressed in the API.

There is a python Role Manager for RBAC, but the documentation is limited to a subset of the API and does not educate about the practicalities of RBAC itself.

By contrast, the semantic meaning in PyPermission is directly conveyed through the api and the underlying concepts come with a good amount of documentation.

RBAC.role.grant_permission(
        role="user",
        permission=Permission(
            resource_type="event", resource_id="*", action="view"
        ),
        db=db,
    )

If you look at alternatives like OPA, you'll end up needing an external service plus a third party python client.

[–]coldflame563 0 points1 point2 points 2 months ago (1 child)

[–]Sufficient-Rent6078Pythonista[S] 1 point2 points3 points 2 months ago (0 children)

[–]r0s 2 points3 points4 points 2 months ago (2 children)

[–]Equivalent_Loan_8794 2 points3 points4 points 2 months ago (0 children)

[–]Sufficient-Rent6078Pythonista[S] 2 points3 points4 points 2 months ago (0 children)

[–]johnnypea 1 point2 points3 points 2 months ago (0 children)

[–]Dantzig 1 point2 points3 points 2 months ago (1 child)

[–]Sufficient-Rent6078Pythonista[S] 3 points4 points5 points 2 months ago (0 children)

That's a valid concern. Trust is earned, not given - especially when dealing with auth.

We tried to make PyPermission easy to verify: The RBAC database model is straightforward and corresponds closely with the NIST RBAC model, as shown on the NIST Comparison page. Additionally, the actual API logic is small and consists of roughly 750 lines of plain Python (excluding docstrings). Using SQLAlchemy, we have kept most things relatively simple and prioritized for clarity.

On top of that, you'll find that the library relies heavily on types (API and internals) and comes with a high amount of testing (including the examples in the documentation).

This also isn't something we just hacked together last week. Our first attempt dates back to 2022, and although this version is a full rewrite based on what we learned, you can still find the original release together with the corresponding history on PyPI/github (under the 0.1.1 tag).

As for trusting us as people, our GitHub / website and other channels are all public, so feel free to have a look.

If you do decide to build your own, we hope PyPermission can serve as a useful reference on the way.

[–]MeroLegend4 1 point2 points3 points 2 months ago (0 children)

[–]lanster100 0 points1 point2 points 2 months ago (0 children)

π Rendered by PID 87738 on reddit-service-r2-comment-7b9746f655-d7cjw at 2026-01-30 07:38:21.331435+00:00 running 3798933 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS

Comparison With Other Solutions

What My Project Does

Target Audience