// the find
apache/casbin
Apache Casbin: an authorization library that supports access control models like ACL, RBAC, ABAC.
Casbin is a Go authorization library that lets you define access control models (ACL, RBAC, ABAC, and hybrids) in a config file, then enforce them with a single `Enforce()` call. The model definition is separate from policy storage, so you can swap backends without touching application code. It's aimed at Go services that need more than a simple role check but don't want to build their own policy engine.
The PERM model config is genuinely clever — you define request shape, policy shape, effect, and matchers in a .conf file, which means changing from RBAC to ABAC is a config edit, not a code rewrite. The adapter pattern for policy storage is well-thought-out: file, string, and database backends all implement the same interface, and there are community adapters for Postgres, Redis, MongoDB, and more. Multi-tenant RBAC with domains is a first-class feature, not bolted on — `GetRolesForUserInDomain` works correctly across tenant boundaries. Test coverage is extensive with dedicated test files per model type and benchmarks tracked across PRs.
The PERM config DSL is powerful but opaque — `govaluate` expressions in matchers fail silently in surprising ways (the README even warns that an array of length 1 will panic). Policy files are CSV by default, which works fine for demos but becomes a maintenance problem in production once you have hundreds of rules; the file adapter gives no diff/audit tooling. The `CachedEnforcer` and `SyncedEnforcer` exist as separate types rather than options, so you end up with a proliferation of enforcer variants that share no interface cleanly. ABAC attribute access via `resource.Owner`-style syntax is limited to struct fields — you can't call methods or hit an external store, which forces you to pre-hydrate objects before the enforce call.
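The PERM layout and the `resource.Owner` limitation described above, shown as an added example that is not taken from the Casbin repository: an RBAC-with-domains model next to an ABAC model, so the difference between the two is visible as a model-file change. The file names, tenants, users and policy rows are constructed for illustration.

```ini
# File 1 (hypothetical name): rbac_with_domains_model.conf
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
# user, role, domain: a role assignment is scoped to one tenant
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# both the role lookup and the policy row are pinned to the request's domain
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

# Policy rows for this model (constructed sample data, CSV adapter format):
#   p, admin, tenant1, invoices, read
#   g, alice, admin, tenant1
# alice holds admin only in tenant1, so a request with dom = tenant2
# matches no g row and no p row.

# File 2 (hypothetical name): abac_model.conf
# Same sections, role definition dropped, different matcher.
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# r.obj is the struct passed to Enforce(); its Owner field must already be
# populated by the caller, because the matcher only reads struct fields
m = r.sub == r.obj.Owner
```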