
Django Object-Level Permissions Guide (RBAC) with django-guardian


Shidil, March 28, 2026

In many real-world applications, simply authenticating users is not enough. Different users often need different levels of access to specific resources. For example, a manager might be able to edit all records, while a regular employee can only view or edit the records assigned to them.

This is where Role-Based Access Control (RBAC) becomes important.

Django provides a built-in permission system, but it mainly supports model-level permissions. Sometimes we need more fine-grained control where permissions apply to specific objects instead of the entire model.

The django-guardian package extends Django’s permission system and allows developers to implement object-level permissions easily.

 


In this blog, we will explore:

  1. Object-level permissions
  2. Assigning permissions per user
  3. Securing APIs and views

 


1. Object-Level Permissions

By default, Django permissions apply to an entire model. For example:

  • add_document
  • change_document
  • delete_document
  • view_document

If a user has the change_document permission, they can modify all documents in the database.

However, in many applications we want more control. For example:

  • User A can edit Document A
  • User B can edit Document B
  • Other users can only view those documents

This is known as object-level permission, where access is granted to a specific object instance. The django-guardian library makes this possible by extending Django’s permission framework.

 


Installing django-guardian

First, install the package:

 

Add it to INSTALLED_APPS in your Django settings:

 

 

Next, configure the authentication backends:

 

Finally, run migrations:

 

 


2. Assigning Permissions per User

Once django-guardian is installed, you can assign permissions to a specific user for a specific object.

Example Model
 

 

Now you can assign permissions to a user using assign_perm:

This means the user can only view or modify that particular document, not all documents in the system.

 


Checking Permissions

You can check whether a user has permission for a specific object using has_perm:

 

If the user does not have permission, the action should be restricted.

 


3. Securing Django Views

Object-level permissions can be used to protect views so that users can only access resources they are allowed to manage.

Securing a View

 

 


Securing APIs with Django REST Framework

If you are using Django REST Framework, you can also enforce object-level permissions in APIs.

Custom Permission Class

 

 

 


Using in a ViewSet

 


 

 


 

Filtering Objects by Permission

django-guardian also provides utilities to fetch only the objects a user has permission for:

 

This is useful for list views and APIs, ensuring that users only see the data they are authorized to access.

 


Benefits of Using django-guardian

Using django-guardian provides several advantages:

  • Fine-grained access control
  • Object-level permission support
  • Seamless integration with Django’s built-in permission system
  • Better security for multi-user applications

It is especially useful for systems like:

  • CRM platforms
  • SaaS applications
  • Document management systems
  • Project management tools

 


Final Thoughts

Implementing proper access control is essential for building secure applications. While Django’s default permission system handles many cases, it does not support object-level permissions out of the box.

With django-guardian, developers can easily assign permissions to specific users for specific objects, enabling more flexible and secure authorization systems.

By combining object-level permissions, per-user permission assignment, and secured APIs, you can build scalable applications with strong access control.
