Role-Based Access Control in Python — ELI5

Imagine a big hotel. When you check in, you get a keycard. That keycard lets you into your room, the gym, and the pool. But it won’t open other people’s rooms, the manager’s office, or the maintenance hallways.

A hotel manager’s keycard opens a lot more doors. The cleaning staff’s keycard opens guest rooms during certain hours. Everyone has a card, but what each card opens depends on the person’s role in the hotel.

That’s Role-Based Access Control (RBAC). Instead of deciding permissions for each individual person, you create roles — like “Guest”, “Manager”, “Housekeeping” — and attach permissions to the role. Then you assign people to roles.

In a web application, this means:

  • A viewer role can read content but not change it
  • An editor role can read and write content
  • An admin role can do everything, including managing other users

When a new employee joins your company, you don’t need to set up 47 individual permissions. You just assign them the “editor” role, and they instantly get all the permissions editors need.

If someone changes jobs — say, from editor to manager — you change their role, and their permissions update automatically. No need to add or remove individual permissions one by one.

In Python, you write code that checks the user’s role, and the permissions attached to it, on the server before allowing an action. “Want to delete a post? Let me check… you’re an editor? Sorry, only admins can delete. Want to edit it? Editor role? Go ahead.” Two habits keep this honest: the check runs on every request (never trust the browser to hide a button), and anything not explicitly granted to a role is refused.
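Here is that check written out as a small, runnable example. It is added to this page for illustration and is not code from any particular framework; the role names, permission names, `User` class and `requires` decorator are all assumptions made for the demo. Permissions are looked up through the role table, unknown roles grant nothing, and changing a user’s role changes what they can do without touching the protected functions.

```python
from enum import Enum
from functools import wraps


class Permission(Enum):
    """The individual things a user might be allowed to do (assumed set)."""
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    MANAGE_USERS = "manage_users"


# Role -> permissions. Protected code asks about permissions, not role names,
# so adding a new role later means editing this table, not every function.
ROLE_PERMISSIONS = {
    "viewer": {Permission.READ},
    "editor": {Permission.READ, Permission.WRITE},
    "admin": {Permission.READ, Permission.WRITE,
              Permission.DELETE, Permission.MANAGE_USERS},
}


class User:
    """Minimal user record for the example: a name and a set of role names."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


class PermissionDenied(Exception):
    """Raised when a user attempts an action their roles do not allow."""


def permissions_for(user):
    """Union of permissions from all of the user's roles.

    A role that is not in the table contributes nothing, so a typo or a
    stale role name fails closed instead of granting access.
    """
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(user, permission):
    return permission in permissions_for(user)


def requires(permission):
    """Decorator: run the wrapped action only if the user holds `permission`.

    The check happens on the server, on every call, regardless of what the UI
    showed the user.
    """
    def decorator(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                raise PermissionDenied(
                    f"{user.name} lacks permission {permission.value!r}")
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


@requires(Permission.WRITE)
def edit_post(user, post):
    post["body"] = post["body"] + " (edited)"
    return post


@requires(Permission.DELETE)
def delete_post(user, post):
    post["deleted"] = True
    return post


def try_action(action, user, post):
    """Attempt an action and report 'allowed' or 'denied' (used by the demo)."""
    try:
        action(user, post)
        return "allowed"
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    # Constructed sample data: one editor, one post.
    alice = User("alice", ["editor"])
    post = {"body": "hello"}
    print("editor edits:", try_action(edit_post, alice, post))      # allowed
    print("editor deletes:", try_action(delete_post, alice, post))  # denied
    alice.roles = {"admin"}  # job change: swap the role, permissions follow
    print("admin deletes:", try_action(delete_post, alice, post))   # allowed
```

Note that the decorator takes the user as an argument rather than reading a global: in a real web app the user object comes from the authenticated session on each request, which is exactly the point where the check must run.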

The one thing to remember: RBAC groups permissions into roles (like job titles), so instead of managing permissions for every person individually, you just assign them the right role and the permissions follow.

Tags: python, security, authorization, web