SDKsPython SDKAdmin API
Permissions
Check, grant, and revoke permissions with the Python SDK.
Permissions
check()
allowed = client.permissions.check(
subject="user:usr_jane",
relation="editor",
object="project:proj_abc123",
)
if allowed:
print("Access granted")
else:
print("Access denied")grant()
client.permissions.grant(
subject="user:usr_jane",
relation="editor",
object="project:proj_abc123",
)revoke()
client.permissions.revoke(
subject="user:usr_jane",
relation="editor",
object="project:proj_abc123",
)list_objects()
result = client.permissions.list_objects(
subject="user:usr_jane",
relation="editor",
object_type="project",
)
for obj in result.objects:
print(obj) # "project:proj_abc123"list_subjects()
result = client.permissions.list_subjects(
object="project:proj_abc123",
relation="editor",
)
for subject in result.subjects:
print(subject) # "user:usr_jane", "group:grp_engineering"Decorator for Flask/FastAPI
from functools import wraps
def require_permission(relation: str, object_fn):
"""Decorator to check permissions before executing a handler."""
def decorator(f):
@wraps(f)
def wrapper(*args, **kwargs):
user_id = g.user_id # Set by auth middleware
obj = object_fn(kwargs)
allowed = client.permissions.check(
subject=f"user:{user_id}",
relation=relation,
object=obj,
)
if not allowed:
return jsonify({"error": "forbidden"}), 403
return f(*args, **kwargs)
return wrapper
return decorator
# Usage:
@app.route("/projects/<project_id>", methods=["PUT"])
@require_auth
@require_permission("editor", lambda kw: f"project:{kw['project_id']}")
def update_project(project_id):
# User has editor permission
...See also
- Users -- User management
- Organizations -- Org management