Permissions

Check if a user has specific permissions for fine-grained access control.

When to use: When you need action-level access control like "can user delete this document?"

Prerequisites

• Completed Login

• Have a user object from authentication

5-Line Core

if user.has_permission("documents:delete"):
    delete_document(doc_id)
else:
    raise HTTPException(403, "Permission denied")

Step-by-Step

1

Check Single Permission

if user.has_permission("documents:read"):
    print("User can read documents")

2

Check All Permissions (AND)

if user.has_all_permissions(["documents:read", "documents:write"]):
    print("User has full document access")

3

Check Any Permission (OR)

if user.has_any_permission(["admin:all", "documents:manage"]):
    print("User can manage documents")

4

View User's Permissions

print(f"Permissions: {user.permissions}")

5

Expected Output

User can read documents
Permissions: ['documents:read', 'documents:write']

You can check permissions!

Complete Example

Create permissions.py:

"""GL IAM Permissions Example."""

import asyncio

from gl_iam import IAMGateway
from gl_iam.core.types import PasswordCredentials
from gl_iam.providers.postgresql import PostgreSQLProvider, PostgreSQLConfig

DATABASE_URL = "postgresql+asyncpg://postgres:postgres@localhost:5432/gliam"


async def main():
    # Setup
    config = PostgreSQLConfig(database_url=DATABASE_URL)
    provider = PostgreSQLProvider(config)
    gateway = IAMGateway.from_fullstack_provider(provider)

    # Login to get user
    result = await gateway.authenticate(
        credentials=PasswordCredentials(email="alice@example.com", password="SecurePass123"),
        organization_id="default",
    )
    user, token = result.unwrap()

    print(f"User: {user.email}")
    print(f"Permissions: {user.permissions}")

    # Single permission check
    print("\n--- Single Permission ---")
    print(f"Can read docs: {user.has_permission('documents:read')}")
    print(f"Can delete docs: {user.has_permission('documents:delete')}")

    # All permissions (AND)
    print("\n--- All Permissions (AND) ---")
    if user.has_all_permissions(["documents:read", "documents:write"]):
        print("✓ Has full document access")
    else:
        print("✗ Missing some document permissions")

    # Any permission (OR)
    print("\n--- Any Permission (OR) ---")
    if user.has_any_permission(["admin:all", "documents:read"]):
        print("✓ Has at least one required permission")

    await provider.close()


if __name__ == "__main__":
    asyncio.run(main())

Run it:

uv run permissions.py

Expected output:

User: alice@example.com
Permissions: ['documents:read', 'documents:write']

--- Single Permission ---
Can read docs: True
Can delete docs: False

--- All Permissions (AND) ---
✓ Has full document access

--- Any Permission (OR) ---
✓ Has at least one required permission

Roles vs Permissions

Use Case	Check
Admin panel access	Role (has_standard_role)
Specific action	Permission (has_permission)
Feature flag	Permission
Billing access	Role or Permission

Common Pitfalls

Pitfall	Solution
Using permissions for everything	Use roles for coarse access, permissions for fine-grained
Not validating token first	Always validate session before checking permissions
Wrong status code	Permission denied is 403, invalid token is 401

---

Found an issue on this page? Report it on our feedback form.