{"id":13678377,"url":"https://github.com/muratgozel/py-rbac","last_synced_at":"2025-07-29T04:32:38.211Z","repository":{"id":61946726,"uuid":"322868787","full_name":"muratgozel/py-rbac","owner":"muratgozel","description":"Python implementation of the NIST model for role based access control (RBAC).","archived":false,"fork":false,"pushed_at":"2020-12-21T02:30:02.000Z","size":10,"stargazers_count":28,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-11-11T20:35:16.994Z","etag":null,"topics":["access-control","python","rbac","role-based-access-control"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/muratgozel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":"muratgozel","tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2020-12-19T14:43:06.000Z","updated_at":"2024-05-02T14:21:50.000Z","dependencies_parsed_at":"2022-10-24T01:00:17.564Z","dependency_job_id":null,"html_url":"https://github.com/muratgozel/py-rbac","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muratgozel%2Fpy-rbac","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muratgozel%2Fpy-rbac/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muratgozel%2Fpy-rbac/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muratgozel%2Fpy-rbac/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/muratgozel","download_url":"https://codeload.github.com/muratgozel/py-rbac/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227981888,"owners_count":17850920,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","python","rbac","role-based-access-control"],"created_at":"2024-08-02T13:00:52.944Z","updated_at":"2024-12-03T19:12:47.815Z","avatar_url":"https://github.com/muratgozel.png","language":"Python","funding_links":["https://ko-fi.com/muratgozel","https://ko-fi.com/F1F1RFO7"],"categories":["Python"],"sub_categories":[],"readme":"# py-rbac\nPython implementation of the NIST model for role based access control (RBAC).\n\n![PyPI](https://img.shields.io/pypi/v/py-rbac)\n![PyPI - Python Version](https://img.shields.io/pypi/pyversions/py-rbac)\n\n[The NIST model][95961bd8] proposes four level of role based access control implementation:\n1. **Flat**\n- users acquire permissions through roles\n- must support many-to-many user-role assignment\n- must support many-to-many permission-role assignment\n- must support user-role assignment review\n- users can use permissions of multiple roles simultaneously\n2. **Hierarchical**\n- Flat +\n- must support role hierarchy (partial order)\n- arbitrary hierarchies\n- limited hierarchies\n3. **Constrained**\n- Hierarchical +\n- must enforce separation of duties (SOD)\n- arbitrary hierarchies\n- limited hierarchies\n4. **Symmetric**\n- Constrained +\n- must support permission-role review with performance effectively comparable to user-role review\n- arbitrary hierarchies\n- limited hierarchies\n\nThis library supports Level 1, 2 and 3.\n\n## Usage\nI've tried to explain the usage based on levels but the library is flexible enough to\nuse any feature freely without thinking about levels.\n\n### Install\nThrough pip:\n```sh\npip install py-rbac\n```\n\n### Flat Scenario\nThis is the simplest scenario an mostly used I think. Let's configure it first:\n```py\nfrom rbac import RBAC\n\nrbac = RBAC()\n\n# a role for junior editors\njr_editor = rbac.create_role('jr_editor')\n\n# a domain or resource is also an object\narticle = rbac.create_domain('article')\n\n# create permissions\ncreate = rbac.create_permission('c')\nread = rbac.create_permission('r')\nupdate = rbac.create_permission('u')\ndelete = rbac.create_permission('d')\n\n# give junior a read permission for articles\njr_editor.add_permission(read, article)\n\n# lets create a subject. a user or a third party client\nsubject = rbac.create_subject('some_int_or_str')\n\n# our subject is new in the job\nsubject.authorize(jr_editor)\n\n# lock rbac configuration\n# this validates the entire structure of our configuration\n# will sense more meaning as we use advanced features below\nrbac.lock()\n```\nAfter your application executed some code and is about respond client's request:\n```py\n# check if the client is allowed to...\nrbac.go('some_int_or_str', article, create)\n# this will raise an exception since we didn't give a create permission to our junior\n# raised RBACAuthorizationError\n```\n\n### Hierarchical Scenario\nIn this example, there are hierarchical relationships between roles. Each role\ninherits its children roles and permissions. (Inheriting can be disabled but\nreview this scenario first.) Configure and lock as always:\n```py\nfrom rbac import RBAC\n\nrbac = RBAC()\n\njr_editor = rbac.create_role('jr_editor')\neditor = rbac.create_role('editor', children=jr_editor)\nit = rbac.create_role('it', children=(jr_editor, editor))\n\narticle = rbac.create_domain('article')\nservice_conf = rbac.create_domain('service_conf')\n\ncreate = rbac.create_permission('c')\nread = rbac.create_permission('r')\nupdate = rbac.create_permission('u')\ndelete = rbac.create_permission('d')\n\njr_editor.add_permission(read, article)\neditor.add_permission(create, article)\nit.add_permission((create, read, update, delete), service_conf)\n\njohn = rbac.create_subject(1)\njohn.authorize(jr_editor)\njack = rbac.create_subject(2)\njack.authorize(editor)\nmark = rbac.create_subject(3)\nmark.authorize(it)\n\nrbac.lock()\n```\nRun:\n```py\nassert rbac.go(2, article, read) is None\nassert rbac.go(1, article, read) is None\nassert rbac.go(3, article, create) is None\nassert rbac.go(3, service_conf, create) is None\n\n# will raise\ntry:\n  rbac.go(1, article, create)\nexcept RBACAuthorizationError as e:\n  raise\n```\n### Constrained Scenario\nIn this scenario, there are constraints. Constraints restricts the authorization\nflow as they are being applied through RBAC objects. Configure and lock:\n```py\nfrom rbac import RBAC\n\n# an article from our application! we use this as our domain\nclass Article():\n  \"\"\"docstring for Article.\"\"\"\n\n  def __init__(self, id, author):\n    self.id = id\n    self.author = author\n\nrbac = RBAC()\n\n# we can only allow one person to be assigned to this role\njr_editor = rbac.create_role('jr_editor', max_subjects=1)\n# we may have editors up to 10\neditor = rbac.create_role('editor', children=jr_editor, max_subjects=10)\n# a chief role for one person but it won't inherit its children permissions\nchief = rbac.create_role('chief', children=(jr_editor, editor), inherit=False, max_subjects=1)\n\n# we use Article object as input to our RBACDomain but why an object?\n# specifically for the match_domain_prop constraint.\narticle = rbac.create_domain(Article)\n\n# as usual\ncreate = rbac.create_permission('c')\nread = rbac.create_permission('r')\nupdate = rbac.create_permission('u')\ndelete = rbac.create_permission('d')\n\n# our junior can read and create articles...\njr_editor.add_permission((create, read), article)\n# ... but can only remove the ones which he/she wrote\n# match_domain_prop constraint indicates that the article instance property\n# \"author\" should match with the at-then id of the subject.\njr_editor.add_permission(delete, article, match_domain_prop='author')\neditor.add_permission(create, article)\n\n# defining 2 jrs... hmmm\njohn = rbac.create_subject(1)\njohn.authorize(jr_editor)\nanother_john = rbac.create_subject(2)\nanother_john.authorize(jr_editor)\n\n# this will raise because our jr role can have 1 jrs max.\ntry:\n  rbac.lock()\nexcept RBACConfigurationError as e:\n  raise\n\n# ok then, fire another_john!\nanother_john.revoke(rbac.get_role_by_name('jr_editor'))\n\n# now locked.\nassert rbac.lock() is None\n\n# or unblock and add 2 more subject:\nrbac.unlock()\njack = rbac.create_subject(3)\njack.authorize(editor)\nbrad = rbac.create_subject(4)\nbrad.authorize(chief)\n\nrbac.lock()\n```\nOur API received a request about deleting some article:\n```py\nsome_article = Article(28372, 1)\n# our junior john trying to delete an article\n# the library will match the john's id which is 1 with the article's author and\n# allow the operation if they match.\nassert rbac.go(1, some_article, delete) is None\n```\n\n## Versioning\nThis library uses calendar versioning.\n\n  [95961bd8]: https://csrc.nist.gov/CSRC/media/Publications/conference-paper/2000/07/26/the-nist-model-for-role-based-access-control-towards-a-unified-/documents/sandhu-ferraiolo-kuhn-00.pdf \"The NIST model for role based access control\"\n\nThanks for watching 🐬\n\n[![ko-fi](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/F1F1RFO7)\n\n## Contribution\nThis project uses pipenv to manage its dependencies. The only dependency it has\nis the pytest package which is used in development.\n\n1. Clone the repository.\n2. Run `pipenv install`\n3. Make updates.\n4. Run `pytest` under `pipenv shell`\n5. Run `git push origin master` and create a pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuratgozel%2Fpy-rbac","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmuratgozel%2Fpy-rbac","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuratgozel%2Fpy-rbac/lists"}