
AccessControl

Role & Attribute based Access Control for Node.js — a friendly, chainable API with a real policy engine underneath.

RBAC + ABAC

Hierarchical role inheritance with deny-overrides, combined with attribute-based rules — both classic models in one engine.

Enforced Ownership & Groups

own verifies the record truly belongs to the requester (set ownerField / owner once). Grant to role groups & resource categories for bounded bulk access.

Custom Actions & Gates

Go beyond CRUD with .action() / .do(), and add mandatory require() gates that can only restrict access.

Conditionals & Async Checks

Attach conditions with .where() — comparisons, in, cidr, time windows (string or JSON). Resolve custom / async logic via grantedAsync.

Hardened & Fail-Closed

tryCan() never throws; prototype-pollution-safe names; opt-in, ReDoS-guarded regex; redacted errors with err.code. 100% coverage, mutation-tested & fuzzed.

Events & Audits

An access event on every decision — granted and denied, with a reason — plus change and error hooks for a full audit trail.

import { AccessControl } from 'accesscontrol';
// ownerField tells "own" checks which field of a record holds the requester's id
const ac = new AccessControl({}, { policy: { ownerField: 'ownerId' } });
// a user may read its own profile, every attribute except password
ac.grant('user').readOwn('profile', ['*', '!password']);
// an editor may run the custom 'publish' action on an article still in draft
ac.grant('editor').where('$.article.status == draft').action('publish', 'article');
// the context carries the requester and the record, so ownership is verified, not assumed
ac.can('user', { user: { id: 7 }, profile: { ownerId: 7 } }).readOwn('profile').granted; // true
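To make concrete what the snippet above relies on, here is a small self-contained illustration of the two checks it exercises: an "own" decision that is granted only when the record's owner field matches the requester's id, and attribute filtering with '*' plus '!field' exclusions applied before data is returned. This is added example code, not the accesscontrol library's implementation; the names filterAttributes, canReadOwn and the context shape (ctx.user.id for the requester, ctx[resource] for the record) are assumptions made for the example, and the records are constructed.

```javascript
// Added illustration, not the accesscontrol library's code.
// Mirrors the snippet's policy setting: which record field names the owner.
const OWNER_FIELD = 'ownerId';

// Expand an attribute list such as ['*', '!password'] against one record:
// '*' selects every own key, '!name' removes a key, a plain name adds a key.
// hasOwnProperty is used so inherited (possibly polluted) keys are never selected.
function filterAttributes(record, attributes) {
  const allowed = new Set();
  for (const attr of attributes) {
    if (attr === '*') {
      Object.keys(record).forEach((k) => allowed.add(k));
    } else if (attr.startsWith('!')) {
      allowed.delete(attr.slice(1));
    } else if (Object.prototype.hasOwnProperty.call(record, attr)) {
      allowed.add(attr);
    }
  }
  const out = {};
  for (const key of allowed) out[key] = record[key];
  return out;
}

// Fail-closed "read own" decision: any missing piece results in a denial
// with a reason, and data is only ever returned after filtering.
// Assumed context shape: ctx.user.id is the requester, ctx[resource] the record.
function canReadOwn(ctx, resource, attributes) {
  const requesterId = ctx && ctx.user ? ctx.user.id : undefined;
  const record = ctx ? ctx[resource] : undefined;
  if (requesterId === undefined || requesterId === null || !record) {
    return { granted: false, reason: 'missing requester or record', data: null };
  }
  const isOwner =
    Object.prototype.hasOwnProperty.call(record, OWNER_FIELD) &&
    record[OWNER_FIELD] === requesterId;
  if (!isOwner) {
    return { granted: false, reason: 'requester is not the owner', data: null };
  }
  return { granted: true, reason: 'owner', data: filterAttributes(record, attributes) };
}

// Constructed sample record and two decisions: the owner and another user.
const profile = { ownerId: 7, name: 'Ada', password: 'hashed-secret', email: 'ada@example.invalid' };
const ownerDecision = canReadOwn({ user: { id: 7 }, profile }, 'profile', ['*', '!password']);
const otherDecision = canReadOwn({ user: { id: 8 }, profile }, 'profile', ['*', '!password']);
```

The owner decision is granted and its data omits password; the second requester is denied with a reason, and a context with no requester at all is also denied rather than throwing, which is the fail-closed behaviour the page describes.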

Read, modify, and filter JavaScript objects and arrays with notation strings or glob patterns. Powers AccessControl’s attribute filtering.

Builds a nested, typed configuration object from flat config items, with templating and ABAC filtering. Built on Notation.
