AccessControl
RBAC + ABAC
Hierarchical role inheritance with deny-overrides (an explicit deny anywhere in the chain beats any inherited allow), combined with attribute-based rules: both classic models in one engine.
Enforced Ownership & Groups
own checks the record itself against the requester, using the ownerField (or owner) configured once in the policy, so a request cannot claim ownership it does not have. Grant to role groups and resource categories for bounded bulk access.
Custom Actions & Gates
Go beyond CRUD with .action() / .do(), and add mandatory require() gates that can only restrict access, never widen it.
Conditionals & Async Checks
Attach conditions with .where(): comparisons, in, cidr and time windows, written either as a string expression or as JSON. Resolve custom or asynchronous logic via grantedAsync.
Hardened & Fail-Closed
tryCan() never throws; role, resource and attribute names are guarded against prototype pollution; regex matching is opt-in and ReDoS-guarded; errors are redacted and carry a machine-readable err.code. 100% test coverage, mutation-tested and fuzzed.
Events & Audits
An access event on every decision — granted and denied, with a reason — plus change and error hooks for a full audit trail.
```js
import { AccessControl } from 'accesscontrol';

// Tell the engine which field on a record names its owner (set once, in the policy).
const ac = new AccessControl({}, { policy: { ownerField: 'ownerId' } });

// RBAC: a user may read their own profile, every attribute except password.
ac.grant('user').readOwn('profile', ['*', '!password']);

// ABAC: an editor may run the custom "publish" action on an article only while it is a draft.
ac.grant('editor').where('$.article.status == "draft"').action('publish', 'article');

// The context carries the requester and the record; ownerId 7 matches user id 7.
ac.can('user', { user: { id: 7 }, profile: { ownerId: 7 } }).readOwn('profile').granted; // true
```
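To make the semantics of the feature cards concrete, here is an added example that is not the accesscontrol library's code and not a look at its internals: a hand-rolled grant table and a decide() function that mirror role inheritance, deny-overrides, ownership via a configured ownerField, and '*' / '!field' attribute filtering. The role names, the grant table, the decide / resolveRoles / isOwner / filterAttributes helpers and the sample records are all constructed for this illustration, and it handles only top-level attribute keys, whereas the library's own filtering (via Notation) supports nested paths and glob patterns.

```javascript
// Added illustration (not the accesscontrol library's code): a minimal
// decision function mirroring the semantics described on this page.
// Everything below (roles, grants, records, helper names) is constructed.

const policy = { ownerField: 'ownerId' };

// Own-property check that cannot be fooled by keys living on Object.prototype.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Constructed grant table: each role may extend other roles and holds grants.
const roles = {
  user: {
    extends: [],
    grants: [
      { resource: 'profile', action: 'read', possession: 'own', effect: 'allow', attributes: ['*', '!password'] },
    ],
  },
  editor: {
    extends: ['user'],
    grants: [
      { resource: 'article', action: 'update', possession: 'any', effect: 'allow', attributes: ['*'] },
    ],
  },
  auditor: {
    // Inherits editor's allow, but carries an explicit deny that must win.
    extends: ['editor'],
    grants: [
      { resource: 'article', action: 'update', possession: 'any', effect: 'deny', attributes: [] },
    ],
  },
};

// Collect the role and everything it inherits from. hasOwn keeps a role name
// such as "__proto__" or "constructor" from resolving to Object.prototype,
// and the visited set makes an inheritance cycle harmless.
function resolveRoles(role, seen = new Set()) {
  if (seen.has(role) || !hasOwn(roles, role)) return seen;
  seen.add(role);
  for (const parent of roles[role].extends) resolveRoles(parent, seen);
  return seen;
}

// Ownership is decided from the record carried in the context, compared with
// the requester's id; a record without the owner field is never "own".
function isOwner(context, resource) {
  const record = hasOwn(context, resource) ? context[resource] : undefined;
  const owner = record && hasOwn(record, policy.ownerField) ? record[policy.ownerField] : undefined;
  return owner !== undefined && owner === context.user?.id;
}

// Fail-closed decision: unknown role, no matching grant, or any applicable
// deny all yield { granted: false }. Attributes of applicable allows are merged.
function decide(role, action, resource, context = {}) {
  const applicable = [];
  for (const r of resolveRoles(role)) {
    for (const g of roles[r].grants) {
      if (g.resource !== resource || g.action !== action) continue;
      if (g.possession === 'own' && !isOwner(context, resource)) continue;
      applicable.push(g);
    }
  }
  if (applicable.length === 0 || applicable.some((g) => g.effect === 'deny')) {
    return { granted: false, attributes: [] };
  }
  const attributes = [...new Set(applicable.flatMap((g) => g.attributes))];
  return { granted: true, attributes };
}

// Top-level attribute filtering: '*' admits every key, '!name' removes one,
// a bare name admits one. (The library itself handles nested/glob paths via Notation.)
function filterAttributes(record, attributes) {
  const allowAll = attributes.includes('*');
  const denied = new Set(attributes.filter((a) => a.startsWith('!')).map((a) => a.slice(1)));
  const allowed = new Set(attributes.filter((a) => a !== '*' && !a.startsWith('!')));
  const out = {};
  for (const key of Object.keys(record)) {
    if (denied.has(key)) continue;
    if (allowAll || allowed.has(key)) out[key] = record[key];
  }
  return out;
}

// Worked run on constructed data.
const profile = { id: 7, ownerId: 7, name: 'Ada', password: 'hunter2' };
const ownCtx = { user: { id: 7 }, profile };
const foreignCtx = { user: { id: 9 }, profile };

const ownRead = decide('user', 'read', 'profile', ownCtx);
const safeProfile = ownRead.granted ? filterAttributes(profile, ownRead.attributes) : null;
const foreignRead = decide('user', 'read', 'profile', foreignCtx);          // requester is not the owner
const inheritedRead = decide('editor', 'read', 'profile', ownCtx);         // granted via editor -> user
const editorUpdate = decide('editor', 'update', 'article', {});            // possession "any" needs no owner
const auditorUpdate = decide('auditor', 'update', 'article', {});          // explicit deny beats inherited allow
const protoRole = decide('__proto__', 'read', 'profile', ownCtx);          // unknown role stays denied

console.log({ ownRead, safeProfile, foreignRead, inheritedRead, editorUpdate, auditorUpdate, protoRole });
```

The branches worth noticing are the fail-closed ones: an unknown or prototype-named role, a record that lacks the owner field, and any reachable deny all come back as { granted: false } rather than throwing or defaulting to allow. With the library itself the same discipline is: check .granted, then filter the response with the permission's attributes before it leaves the service.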
See Related Projects

The official NestJS integration: fluent CRUD decorators, a fail-closed guard, forRootAsync for DB-driven grants, and attribute filtering on the way out. See the guide.
Read, modify, and filter JavaScript objects and arrays with notation strings or glob patterns. Powers AccessControl’s attribute filtering.
Builds a nested, typed configuration object from flat config items, with templating and ABAC filtering. Built on Notation.
© 2026, @onury • MIT License