Pattern Based Access Controller
Access control systems are decision engines.
They determine:
- Who can access what
- Under what conditions
- Based on which attributes
- With what priority
This project teaches you how to design:
- Declarative branching systems
- Multi-dimensional rule evaluation
- Pattern-driven permission engines
- Scalable access architectures
You are not writing if statements.
You are designing authorization logic.
Concept Overview
While watching, focus on:
- Role-based access control (RBAC)
- Multi-dimensional condition matching
- Declarative rule systems
- Deterministic evaluation
- Pattern matching semantics
Step 1 - Define the Problem
We want a system that evaluates access based on:
- User role
- Region
- Resource type
- Action requested
Example:
- Admin in EU → full access
- User in US → read only
- Guest → no write
- Suspended → no access
We must ensure:
- Deterministic resolution
- Clear priority
- No ambiguous overlap
- Extensible structure
Access control must be predictable and auditable.
Step 2 - Naive Conditional Design (Not Scalable)
if role == "admin" and region == "EU":
allow = True
elif role == "user" and action == "read":
allow = True
elif role == "guest" and action == "write":
allow = False
Problems:
- Branch explosion
- Hard to extend
- Hard to validate
- Order-dependent
- Poor readability
We need structure.
Step 3 - Model Access Rules as Data
Use tuple-based rule mapping.
ACCESS_RULES = {
("admin", "EU", "any", "any"): True,
("user", "US", "document", "read"): True,
("guest", "any", "any", "write"): False,
}
We allow wildcard "any" to generalize patterns.
Step 4 - Implement Pattern Matching Logic
def match_pattern(value, pattern):
return pattern == "any" or value == pattern
Core evaluation engine:
def check_access(role, region, resource, action):
for rule, permission in ACCESS_RULES.items():
rule_role, rule_region, rule_resource, rule_action = rule
if (
match_pattern(role, rule_role) and
match_pattern(region, rule_region) and
match_pattern(resource, rule_resource) and
match_pattern(action, rule_action)
):
return permission
return False
Now we have declarative control flow.
Step 5 - Usage Example
result = check_access("user", "US", "document", "read")
print(result)
Deterministic.
Step 6 - Introduce Priority Ordering
If multiple rules match, which wins?
Define ordered rules:
ACCESS_RULES = [
(("suspended", "any", "any", "any"), False),
(("admin", "EU", "any", "any"), True),
(("user", "US", "document", "read"), True),
(("guest", "any", "any", "write"), False),
]
Evaluation:
def check_access(role, region, resource, action):
for rule, permission in ACCESS_RULES:
rule_role, rule_region, rule_resource, rule_action = rule
if (
match_pattern(role, rule_role) and
match_pattern(region, rule_region) and
match_pattern(resource, rule_resource) and
match_pattern(action, rule_action)
):
return permission
return False
Priority is now explicit.
Access rules must always be evaluated in deterministic order.
Step 7 - Structural Pattern Matching (Modern Python)
Python 3.10+ allows:
def check_access(role, region, resource, action):
match (role, region, resource, action):
case ("suspended", _, _, _):
return False
case ("admin", "EU", _, _):
return True
case ("user", "US", "document", "read"):
return True
case ("guest", _, _, "write"):
return False
case _:
return False
This is declarative and readable.
No nested conditionals.
Pattern matching reduces nested boolean complexity.
Step 8 - Multi-Dimensional Rule Expansion
We add more dimensions:
- Subscription level
- Time-based access
- Environment (prod/dev)
Context-based evaluation:
def check_access(context):
match context:
case {"role": "admin", "region": "EU"}:
return True
case {"role": "user", "action": "read"}:
return True
case {"status": "suspended"}:
return False
case _:
return False
Now rules operate on dictionary patterns.
Step 9 - Add Conflict Detection
If two rules overlap:
Example:
- ("admin", "any", "any", "any") → True
- ("admin", "EU", "document", "delete") → False
Which wins?
You must define priority explicitly.
Never rely on accidental ordering.
Step 10 - Add Rule Validation
We can detect overlapping patterns via test sampling.
def detect_conflicts(rules, test_cases):
conflicts = []
for case in test_cases:
matches = []
for index, (rule, permission) in enumerate(rules):
if (
match_pattern(case["role"], rule[0]) and
match_pattern(case["region"], rule[1]) and
match_pattern(case["resource"], rule[2]) and
match_pattern(case["action"], rule[3])
):
matches.append((index, permission))
if len(matches) > 1:
conflicts.append((case, matches))
return conflicts
Access systems must be validated.
Step 11 - Add Logging for Auditability
def check_access(role, region, resource, action):
for rule, permission in ACCESS_RULES:
if matches(rule):
print(f"Matched rule: {rule}")
return permission
print("No rule matched.")
return False
Audit trails are critical in real systems.
Step 12 - Add Deny-by-Default Policy
Always default to deny.
Never default to allow.
return False
Secure-by-default architecture.
Step 13 - Complexity Awareness
As rules increase:
- Overlaps increase
- Priority confusion increases
- Testing combinations explode
- Maintenance cost rises
Declarative pattern systems scale better than nested conditionals.
Step 14 - Testing Strategy
Test combinations:
- All roles
- All regions
- All actions
- Edge conditions
- Suspended override
- Wildcard resolution
Access systems require exhaustive coverage.
Common Mistakes
❌ Deep nested if-elif chains
❌ Implicit priority
❌ No default deny
❌ Overlapping ambiguous rules
❌ Hardcoded logic scattered in code
❌ No audit logging
What You Learned
This project teaches:
- Declarative rule modeling
- Pattern matching
- Multi-dimensional branching
- Deterministic priority ordering
- Conflict detection
- Secure default design
- Scalable access architecture
You moved from:
Conditional logic
→ Rule systems
→ Decision trees
→ Declarative control flow
This is advanced control-flow engineering.
Final Insight
Access control is not about checking a condition.
It is about:
- Modeling permissions
- Designing deterministic systems
- Preventing ambiguity
- Anticipating scale
- Enforcing security
Control flow defines system authority.
And now you know how to architect it.