Users and Groups

Users and Groups is always stored in the Django database. This is a requirement so that Permissions can relate to them.


Provided by Django with the django.contrib.auth.models.User model.


Provided by Django with the django.contrib.auth.models.Group model.

Any permission can be assigned to either users, groups, or both. This includes both Model-level and Object-level permissions.

Viewing Users and Groups via a UI

The built-in django-admin site located at /admin/ provides views into User, Group, and group membership data.


Any user attempting to access the django-admin site will need to have their is_staff user attribute set to True. The built-in admin user will have is_staff=True by default.

Model-level Permissions via a UI

The django-admin site also provides views into the Permissions that Users and Groups have. Additionally you can add and remove Permissions here as well.

Model-level permissions are not associated with a specific instance so they can be managed on the User or Group page itself. Object-level permissions are associated with specific instances, so those can be managed on the django-admin page corresponding with the object itself.

Enabling Object Views in django-admin

The django-admin site by default does not show objects until the plugin writer has specifically enabled them. Giving users the ability to manage object-level permissions is the primary reason to enable an object in django-admin instead of allowing API-only access or the DRF browseable interface for viewing Pulp data.

django-guardian provides the GuardedModelAdmin and GuardedModelAdminMixin objects which provide the ability to manage object-level permissions for objects. Use those when enabling your object in django-admin to provide users with the ability to manage object-level permissions.


django-admin objects need to be read-only except for the object-level permissions themselves. This is because Pulp uses DRF serializers for data validation and django-admin bypasses that.

It’s recommended to declare readonly_fields with all model field names to ensure the data is readable but not editable.

Object-level Permissions via a UI

If plugin writers have enabled the object in the djano-admin site as described above, users can view, add, and remove object-level permissions in the django-admin site as well.

When viewing a specific object instance, e.g. a specific Task or FileRemote instance in django-admin, an icon on the top-right will say OBJECT PERMISSIONS. Clicking this will take the user to a page where object-level permissions can be viewed, added, changed, and deleted. If this link is missing, ensure you’ve enabled the Task as a subclass of GuardedModelAdmin.