User roles and permissions

Thanks! This “weekend project” was just an exercise to check whether something like that can be made. I was mostly intrigued by implementing rules (the rows filter) into the RBAC model, and how to make that as easy and intuitive as possible.

I guess any kind of RBAC library could be used. I chose miracle-acl because it is sleek and “a pleasure to use”, as described here --> there you can find a list of interesting Python libraries in this field. I also considered policy (it seems that it uses a file to set up the grants??), py-fortress (requires an LDAP server), balrog-rbac (interesting and similar to miracle, don’t like its name :grinning:) and yosaipy2 (too heavy to grasp so quickly, and it includes many things - like two-factor authentication - that are probably not needed in Anvil).

If you check the miracle-acl code, it’s not complicated, it just checks whether a permission exists for the (role, resource) pair, nothing else - it’s precisely what I needed.

I guess that a UNIX-style permission system (or DAC, please see this thread) could be easily made with a special numeric field in secured data tables where you could save coded information about permissions (as a sum of powers of two, the rights for owner, group and anybody else) and apply binary checks. And then you also need a list of user groups (each user belongs to one or more groups). I don’t like this approach since its assumption is that every resource has its owner, and this is usually not true for web applications - but it may suit your needs just as well. RBAC, on the other hand, has trouble when the resources to guard are individual rows in data tables - binary operations in DAC are usually faster than complex filtering.

1 Like
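The UNIX-style scheme described in the post above, as an added example that is not part of the original post and is not Anvil or miracle-acl code: one integer per row holds the owner, group and other rights as a sum of powers of two, and a binary check decides access. The names `encode`, `allowed`, `readable`, `User`, `Row` and the `DELETE` right are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass

READ, WRITE, DELETE = 4, 2, 1                      # powers of two; names are assumptions
OWNER_SHIFT, GROUP_SHIFT, OTHER_SHIFT = 6, 3, 0    # three bits per class, as in 0o640

def encode(owner: int, group: int, other: int) -> int:
    """Pack owner/group/other rights into the single numeric column value."""
    if any(not 0 <= bits <= 7 for bits in (owner, group, other)):
        raise ValueError("each permission set must be in 0..7")
    return (owner << OWNER_SHIFT) | (group << GROUP_SHIFT) | (other << OTHER_SHIFT)

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Row:
    owner: str
    group: str
    mode: int          # value produced by encode()

def allowed(user: User, row: Row, wanted: int) -> bool:
    """True only if every requested bit is granted to the user's class."""
    if not 1 <= wanted <= 7:
        raise ValueError("wanted must be a non-empty combination of rights")
    # UNIX semantics: the first matching class decides, with no fall-through.
    if user.name == row.owner:
        shift = OWNER_SHIFT
    elif row.group in user.groups:
        shift = GROUP_SHIFT
    else:
        shift = OTHER_SHIFT
    granted = (row.mode >> shift) & 0b111
    return (granted & wanted) == wanted

def readable(user: User, rows: list) -> list:
    """Row filter: keep only the rows the user may read."""
    return [row for row in rows if allowed(user, row, READ)]

# Constructed sample data, not taken from any real application.
ALICE = User("alice", frozenset({"editors"}))
BOB = User("bob", frozenset({"editors"}))
CAROL = User("carol")
ROWS = [
    Row("alice", "editors", encode(READ | WRITE, READ, 0)),       # 0o640
    Row("alice", "editors", encode(0, READ | WRITE, 0)),          # 0o060: owner locked out
    Row("bob", "staff", encode(READ | WRITE | DELETE, 0, READ)),  # 0o704
]
```

The second row shows the case that is easy to get wrong: the owner class is matched first, so an owner with no owner bits is denied even when their group would have been granted access.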