// the find
nestjsx/nest-access-control
Role and Attribute based Access Control for Nestjs 🔐
A NestJS module wrapping the `accesscontrol` library to add RBAC/ABAC via decorators and a built-in guard. Targets NestJS backends that need role hierarchies and per-attribute resource permissions without writing the guard boilerplate themselves.
The decorator-first API (`@UseRoles`, `@UserRoles`, `@InjectRolesBuilder`) fits naturally into NestJS controller patterns. Role inheritance via `.extend()` means you don't repeat grants across similar roles. `forRootAsync` with factory injection lets you load roles from a database at startup rather than hardcoding them. Grants are kept in memory so every permission check is a fast in-process lookup with no DB round-trip.
The underlying `accesscontrol` library it wraps hasn't had a meaningful release in years and the wrapper is similarly stagnant — you're betting on a dependency that's effectively unmaintained. The `grants.controller.ts` file exposes all defined roles over HTTP by default, which is a data-leak footgun most teams won't notice until it's too late. Attribute-level filtering (hiding fields the role can't see) is supported by the library but completely unaddressed in the NestJS integration — you have to wire that yourself. No support for dynamic, per-request resource ownership checks beyond the coarse `own`/`any` split, so anything needing 'user can only edit their own rows' requires you to bypass the guard and check manually in the handler.