// the find
onury/accesscontrol
Role and Attribute based Access Control for Node.js
A Node.js library combining RBAC and attribute-based access control. You define roles with CRUD permissions on named resources, optionally scoped to 'own' vs 'any', and filter response data through glob-pattern attribute rules. Good fit for Express APIs where you want permission logic centralized rather than scattered across route handlers.
The own/any possession distinction is genuinely useful — it handles the 'user can update their own record but not others' case without you bolting that logic onto every endpoint. Glob negation on attributes (`['*', '!record.id']`) is clean and the `permission.filter(data)` call makes stripping fields from responses a one-liner. Role inheritance is reference-based so grant order doesn't matter, which avoids a whole class of initialization bugs. Grants can be loaded as a flat array from a DB row, so storing and hydrating permissions at startup is straightforward.
The repo badge says 'maintained: yes/2019' and the last non-trivial commit is years old — this is effectively unmaintained, and the david-dm dependency badge is broken. ABAC support stops at resource attributes; there is no support for environmental or subject attributes (time-of-day, IP range, resource ownership checked at query time), so calling this a real ABAC implementation overstates it. The 'own' possession check is explicitly not enforced by the library — you have to wire up the actual ownership check yourself, which is where most authorization bugs live. No async grant resolution means permissions must all be in memory at startup, which gets awkward in multi-tenant systems where role definitions vary per tenant.
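To make the last point concrete, here is an added example (not code from the accesscontrol repo) of the ownership gate you have to write yourself around the own/any distinction. It assumes no npm install: `can()` and `filter()` below are small stand-ins that mirror the library's flat grant-list format and its `permission.filter(data)` shape with top-level attribute names only, and the `record` resource, roles and grant rows are constructed for the example.

```javascript
// Constructed grant rows in the flat {role, resource, action, attributes}
// shape the review describes (the kind of rows you would hydrate from a
// DB at startup). The 'record' resource and the roles are made up here.
const GRANTS = [
  { role: 'user',  resource: 'record', action: 'read:any',   attributes: ['*', '!ownerId'] },
  { role: 'user',  resource: 'record', action: 'update:own', attributes: ['*', '!id', '!ownerId'] },
  { role: 'admin', resource: 'record', action: 'update:any', attributes: ['*'] },
];

// Stand-in for the library's can(role).<action><Possession>(resource):
// reports whether a matching grant exists and which attribute rules apply.
function can(role, action, resource) {
  const grant = GRANTS.find((g) =>
    g.role === role && g.resource === resource && g.action === action);
  return { granted: Boolean(grant), attributes: grant ? grant.attributes : [] };
}

// Stand-in for permission.filter(data), top-level keys only:
// '*' keeps every field, '!field' strips one, a plain name whitelists one.
function filter(attributes, data) {
  const all = attributes.includes('*');
  const out = {};
  for (const key of Object.keys(data)) {
    const keep = all ? !attributes.includes(`!${key}`) : attributes.includes(key);
    if (keep) out[key] = data[key];
  }
  return out;
}

// The ownership gate the library leaves to the caller. ':any' needs no
// ownership test; ':own' is honoured only when the target's ownerId matches
// the subject. Dropping that comparison is exactly the bug the review warns
// about: every 'own' grant silently becomes an 'any' grant.
function authorize(subject, action, target) {
  const any = can(subject.role, `${action}:any`, 'record');
  if (any.granted) return { granted: true, data: filter(any.attributes, target) };
  const own = can(subject.role, `${action}:own`, 'record');
  if (!own.granted || target.ownerId !== subject.id) return { granted: false, data: null };
  return { granted: true, data: filter(own.attributes, target) };
}
```

In an Express handler you would load the target row first, call `authorize(req.user, 'update', row)`, and return 403 when `granted` is false, so the ownership check runs against the stored owner rather than anything the client sent.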