Give permissions to users per company

PauwelsPieter · March 16, 2022, 7:26pm

Hi there!

In my case I have different users which can be part of different companies. An user can belong to multiple companies and a company has multiple customers, products, services, …

Now I want the user to be able to have different permissions per company. So let’s say user X can manage the customers in company A but can only read the products and services. And user X can manage the users, products and services in company B.

I would like to work with roles: so manage everything would be the role “superadmin” and manage customers but read products and services would be the role “sales” for example.

So in short: I want to create roles where I can assing permssions to and then add these roles to users per company.

I am planning on using rsinger86/ drf-access-policy to manage access control but any suggestions are welcome.

Please suggest me a good way to accomplish this scenario. How am I able to add roles per company and am I still able to use the by-default-generated auth_permissions from Django?

Thank you in advance!

CodenameTim · March 18, 2022, 1:32am

I don’t think this is possible since Django’s permission model doesn’t support references to specific objects. However, you may be able to find another package that can help: Django Packages : Permissions

KenWhitesell · March 18, 2022, 1:57am

I’m sorry, I’m going to have to disagree with you here.

Actually, the permissions model supports per-row security quite well. The various combinations of has_perms, get_user_permissions, and the other available functions allow for the creation of just about any degree of complexity desired.

Override the User has_perm method and you can determine whether or not that user has access to the provided object.

What Django doesn’t have is a default implementation. (It would be extremely difficult to provide a general implementation that actually does something worthwhile.)

Side note: We’ve got a rather intricate row-level permissions system that grants access not just based on the row itself, but also the data within each row. (A user’s access to a row can change when the data changes.) It’s all built on top of the Django permissions model.

CodenameTim · March 18, 2022, 2:06am

No need to apologize, I’m glad you chimed in. I stand corrected.

Topic		Replies	Views
Django custom user backend portal Using Django	2	535	April 4, 2021
django admin permissions for specific fields in models Using Django	1	4116	May 17, 2020
Field Level Security in admin panel for each Profile/Group Getting Started	3	154	January 25, 2024
Which part of Django API should I learn if I want to implement access control settings at a model-level? Getting Started	1	401	May 3, 2022
Give users permissions through ForeignKey to a models.Model. Forms & APIs	1	140	November 17, 2023

Give permissions to users per company

Related Topics