// the find
seeden/rbac
Hierarchical Role Based Access Control for NodeJS
A hierarchical RBAC library for Node.js where roles can inherit permissions from other roles. The core idea is that 'admin' can be granted the 'user' role, so it inherits all user permissions automatically. Straightforward to set up for small apps with static permission structures.
Hierarchical inheritance works cleanly — granting a role to another role propagates all permissions without you manually duplicating them. The storage abstraction is sensible: in-memory by default, but you can swap in Redis or Postgres by implementing six well-defined methods. The API surface is tiny, which means there's almost nothing to misuse. Still getting commits in 2026 despite being a small utility library.
The entire permission structure is defined at init time, so dynamic permissions (e.g., resource-level ownership checks like 'can edit *their own* article') are out of scope — you'd need to layer that yourself. No built-in persistence adapters ship with it, so connecting to MongoDB or Postgres means writing your storage class from scratch with zero examples in the repo. The README is the extent of the documentation; there's no explanation of the internal resolution algorithm, which matters if you hit edge cases with deep inheritance chains. 1003 stars over what appears to be several years suggests it never found serious adoption outside toy projects.
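The two gaps noted above (ownership checks you have to layer yourself, and an undocumented resolution algorithm) can be shown in a short added sketch. This is not seeden/rbac's code or API: the class, function and permission names are hypothetical, and the resolver is one plausible way to walk role inheritance, with a cycle guard for deep or misconfigured chains.

```javascript
// Added illustration; NOT seeden/rbac's code or API. All names are hypothetical.
class MiniRbac {
  constructor(grants) {
    // grants: role -> entries. An entry naming a known role means "inherit it";
    // anything else is a permission string of the form "action_resource".
    this.grants = new Map(Object.entries(grants));
  }

  // Iterative walk of the inheritance graph. `seen` guards against cycles
  // (a -> b -> a), so a bad hierarchy terminates instead of looping.
  permissionsOf(role) {
    const perms = new Set();
    const seen = new Set();
    const stack = [role];
    while (stack.length > 0) {
      const current = stack.pop();
      if (seen.has(current)) continue;
      seen.add(current);
      for (const entry of this.grants.get(current) ?? []) {
        if (this.grants.has(entry)) stack.push(entry); // inherited role
        else perms.add(entry);                         // plain permission
      }
    }
    return perms;
  }

  can(role, action, resource) {
    return this.permissionsOf(role).has(`${action}_${resource}`);
  }
}

// Ownership layer: static RBAC answers "may this role do X at all?",
// the owner comparison answers "on this particular object?". Deny by default.
function canOnResource(rbac, user, action, resourceType, resource) {
  if (!user || user.id == null || !resource) return false;
  if (rbac.can(user.role, action, resourceType)) return true; // unrestricted grant
  // "<action>_own_<resource>" applies only when the caller owns the object.
  return rbac.can(user.role, `${action}_own`, resourceType) &&
         resource.ownerId === user.id;
}

// Constructed sample hierarchy, including a deliberate cycle (loopA <-> loopB).
const rbac = new MiniRbac({
  guest: ['read_article'],
  user: ['guest', 'create_article', 'edit_own_article'],
  admin: ['user', 'edit_article', 'delete_article'],
  loopA: ['loopB', 'ping_service'],
  loopB: ['loopA'],
});
console.log([...rbac.permissionsOf('admin')].sort());
```

The role check and the owner comparison stay separate on purpose: the hierarchy remains static and auditable, while the per-object decision happens at request time against the loaded resource.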