currently I am looking implementing access control in Django. I've read about the built-in permission, but it does not takes care per object basis. For example, I want permissions like "Only the creator can delete his own items". So I read about django-guardian. Then again, after thinking about it, it may be difficult to manage and check if constraints ever change.

I look at the next popular permission management app called django-rules. This seems to suit what I require. However, I believe django-rules requires a model instance to be involved (hence object level) i.e if I require a simple view like "member's area", it does not perform this function.

This has led me to think about using both the contrib's permission for the latter scenarios and django-rules for the former. My question here, is how easy will it be to manage both permission frameworks?. For instance, I have different groups of users. I am worried about overlapping scenarios whereby the admin added a particular permission in the admin system (to allow access to a view), thinking that should suffice but turns out to be bounded by constraints set by the rules.

I believe this is a common case and I humbly seek your advices and recommendations based on your experiences.

If you're doing this through Django admin site, you can override methods such as has_delete_permission(). These get request and object as arguments, so you can use it to set up rules like "User X can delete only his own objects".