Groups & Categories
Role groups and resource categories let you grant to many roles/resources
at once, bounded to a declared vocabulary — the safe alternative to a blanket
*.
Declare the Vocabulary
Section titled “Declare the Vocabulary”ac.setup({ roles: { admins: ['admin', 'moderator'], _: ['user'] }, resources: { media: ['photo', 'video'], _: ['profile'] }, actions: ['publish'] // declare custom actions for strict mode});Members become qualified group/member names (admins/admin, media/photo).
The reserved _ key lists ungrouped / uncategorized members. setup() is
additive — call it as many times as you like.
Bulk Grant to a Group / Category
Section titled “Bulk Grant to a Group / Category”Grant once to a group and/or category; members inherit dynamically at check time.
ac.grant('admins').readAny('media'); // group × category
ac.can('admins/admin').readAny('media/photo').granted; // trueac.can('admins/moderator').readAny('media/video').granted; // trueNames never collide across categories — media/photo and legal/photo are
distinct resources.
Introspection
Section titled “Introspection”ac.group('admins').getRoles(); // ['admins/admin', 'admins/moderator']ac.category('media').getResources(); // ['media/photo', 'media/video']ac.getGroups(); // ['admins'] ('_' excluded)ac.getCategories(); // ['media']ac.hasGroup('admins'); // trueac.hasCategory('media'); // trueMembership is declared once with setup() (additive —
call it again to add more). It feeds strict typo‑checks and the introspection
above; it does not itself grant access — a group/member inherits the
group’s grants by name (see above), independent of the roster. To change
access, use grant(group) / deny / removeRoles.
Removing
Section titled “Removing”ac.removeGroup('admins'); // members stop inheriting the group's grantsac.removeCategory('media'); // member resources stop inheriting category grants