
AccessControl

Role & Attribute based Access Control for Node.js — a friendly, chainable API with a real policy engine underneath.

RBAC + ABAC

Hierarchical role inheritance with deny-overrides, combined with attribute-based rules — both classic models in one engine.

Enforced Ownership & Groups

own verifies the record truly belongs to the requester (set ownerField / owner once). Grant to role groups & resource categories for bounded bulk access.

Custom Actions & Gates

Go beyond CRUD with .action() / .do(), and add mandatory require() gates that can only restrict access.

Conditionals & Async Checks

Attach conditions with .where() — comparisons, in, cidr, time windows (string or JSON). Resolve custom / async logic via grantedAsync.

Hardened & Fail-Closed

tryCan() never throws; prototype-pollution-safe names; opt-in, ReDoS-guarded regex; redacted errors with err.code. 100% coverage, mutation-tested & fuzzed. — Security

Events & Audits

An access event on every decision — granted and denied, with a reason — plus change and error hooks for a full audit trail.
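The mechanics the feature cards above describe, as an added example that is not the library's code: a toy policy engine with a role hierarchy, deny-overrides, ownership checked against a configurable ownerField, '*' / '!field' attribute filtering, fail-closed decisions and an access event on every decision. Policy, filterAttributes, buildPolicy and the sample profile record are all constructed for this illustration; conditions and async checks are left out.

```javascript
// Added illustration of the ideas on this page: hierarchical roles with deny-overrides,
// ownership enforced against an ownerField, '*' / '!field' attribute filtering,
// fail-closed decisions and one audit event per decision. A self-contained toy, not
// the accesscontrol library's code; Policy, filterAttributes and buildPolicy are invented here.

const SAFE_NAME = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/; // bounded, linear-time; rejects '__proto__'
const isSafeName = n => typeof n === 'string' && SAFE_NAME.test(n) && n !== 'constructor';

// Apply an attribute list in order: '*' selects every field, 'f' adds f, '!f' removes f.
// Object.fromEntries defines own properties, so a '__proto__' key cannot pollute the prototype.
function filterAttributes(record, attributes) {
  const kept = new Map();
  for (const a of attributes) {
    if (a === '*') for (const [k, v] of Object.entries(record)) kept.set(k, v);
    else if (a.startsWith('!')) kept.delete(a.slice(1));
    else if (Object.hasOwn(record, a)) kept.set(a, record[a]);
  }
  return Object.fromEntries(kept);
}

class Policy {
  constructor({ ownerField = 'ownerId' } = {}) {
    this.ownerField = ownerField;
    this.roles = Object.create(null); // null prototype: role names can never reach Object.prototype
    this.listeners = [];
  }
  // Create a role (idempotent) and optionally make it inherit from parents; cycles are rejected.
  role(name, parents = []) {
    if (!isSafeName(name) || !parents.every(isSafeName)) throw new Error('unsafe role name');
    const r = (this.roles[name] ??= { parents: [], rules: [] });
    for (const p of parents) {
      this.role(p);
      if (this.lineage(p).includes(name)) throw new Error(`cyclic inheritance: ${name} -> ${p}`);
      r.parents.push(p);
    }
    return r;
  }
  // The role followed by every ancestor, nearest first, each listed once.
  lineage(role) {
    const out = [], stack = [role];
    while (stack.length) {
      const cur = stack.pop();
      if (out.includes(cur) || !(cur in this.roles)) continue;
      out.push(cur);
      stack.push(...this.roles[cur].parents);
    }
    return out;
  }
  allow(role, action, resource, possession, attributes = ['*']) {
    this.role(role).rules.push({ effect: 'allow', action, resource, possession, attributes });
    return this;
  }
  // A deny covers 'any' possession and overrides every allow anywhere in the hierarchy.
  deny(role, action, resource) {
    this.role(role).rules.push({ effect: 'deny', action, resource, possession: 'any' });
    return this;
  }
  on(listener) { this.listeners.push(listener); return this; }
  // Decide, emit one audit event carrying the reason, and never throw on bad input (fail closed).
  can(role, action, resource, ctx) {
    const decision = this.decide(role, action, resource, ctx ?? {});
    for (const l of this.listeners) l({ role, action, resource, ...decision });
    return decision;
  }
  decide(role, action, resource, ctx) {
    if (!isSafeName(role) || !(role in this.roles)) return { granted: false, reason: 'unknown role' };
    const rules = this.lineage(role).flatMap(r => this.roles[r].rules)
      .filter(r => r.action === action && r.resource === resource);
    // Ownership is read from the record itself, never from a caller-supplied flag;
    // a missing subject id or owner id counts as "not the owner".
    const subjectId = ctx.user?.id, ownerId = ctx[resource]?.[this.ownerField];
    const isOwner = subjectId !== undefined && ownerId !== undefined && subjectId === ownerId;
    const applies = r => r.possession === 'any' || (r.possession === 'own' && isOwner);
    if (rules.some(r => r.effect === 'deny' && applies(r))) return { granted: false, reason: 'explicit deny' };
    const allow = rules.find(r => r.effect === 'allow' && applies(r)); // nearest matching grant wins
    if (!allow) return { granted: false, reason: 'no matching grant' };
    return { granted: true, reason: 'allowed', attributes: allow.attributes };
  }
}

// Policy for the checks below: admin extends user; suspended also extends user but
// is cut off by an explicit deny. Every decision is pushed to auditSink.
function buildPolicy(auditSink) {
  const policy = new Policy({ ownerField: 'ownerId' })
    .allow('user', 'read', 'profile', 'own', ['*', '!password'])
    .allow('admin', 'read', 'profile', 'any')
    .deny('suspended', 'read', 'profile');
  policy.role('admin', ['user']);
  policy.role('suspended', ['user']);
  return policy.on(ev => auditSink.push(ev));
}

const PROFILE = { id: 7, ownerId: 7, email: 'u7@example.invalid', password: 'argon2-hash' }; // constructed
const audit = [];
const policy = buildPolicy(audit);
const own = policy.can('user', 'read', 'profile', { user: { id: 7 }, profile: PROFILE });
console.log(own.granted, filterAttributes(PROFILE, own.attributes)); // true, password stripped
console.log(policy.can('suspended', 'read', 'profile', { user: { id: 7 }, profile: PROFILE }).reason);
console.log(audit.length, 'decisions audited');
```

The ownership test deliberately reads the owner id off the record in the context rather than trusting an "isOwner" flag from the caller, and an absent id on either side is treated as "not the owner", which is what makes the `own` grant fail closed.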

import { AccessControl } from 'accesscontrol';
// Name the record field that identifies its owner, so "own" checks are enforced against the record
const ac = new AccessControl({}, { policy: { ownerField: 'ownerId' } });
// A user may read their own profile, every attribute except password
ac.grant('user').readOwn('profile', ['*', '!password']);
// Custom action "publish" on article, conditional on the article still being a draft
ac.grant('editor').where('$.article.status == "draft"').action('publish', 'article');
// The context supplies both sides of the ownership check: user.id against profile.ownerId
ac.can('user', { user: { id: 7 }, profile: { ownerId: 7 } }).readOwn('profile').granted; // true
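The string conditions used with .where() above, as an added example that is not the library's parser: a small compile-once, fail-closed evaluator for '$.path' references with ==, !=, in and cidr. compileCondition, lookup and ipv4InCidr are invented names, the condition grammar is an assumption modelled on the snippet, and the page's time windows are not implemented (a weekday list stands in for them).

```javascript
// Added illustration of string conditions like .where('$.article.status == "draft"'):
// a compile-once, fail-closed evaluator for '$.path' references with ==, !=, in and cidr.
// A self-contained toy, not the accesscontrol library's parser; compileCondition, lookup
// and ipv4InCidr are invented here and the grammar is an assumption modelled on the snippet.

// One anchored pattern with no ambiguous nested quantifiers: a '$.a.b' path, an operator, a JSON literal.
const CONDITION = /^\$((?:\.[A-Za-z_][A-Za-z0-9_]*)+)\s+(==|!=|in|cidr)\s+(.+)$/;

// Walk the path with own-property checks only, so '$.__proto__.x' or a missing key
// resolves to undefined instead of reading through to Object.prototype.
function lookup(ctx, path) {
  let cur = ctx;
  for (const key of path.split('.').slice(1)) {
    if (cur === null || typeof cur !== 'object' || !Object.hasOwn(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return undefined;
  const o = m.slice(1).map(Number);
  if (o.some(n => n > 255)) return undefined;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True only when both sides parse as IPv4 and the prefix length is 0..32; anything else is false.
function ipv4InCidr(ip, cidr) {
  const [base, bitsStr] = String(cidr).split('/');
  const bits = Number(bitsStr), a = ipv4ToInt(String(ip)), b = ipv4ToInt(base);
  if (a === undefined || b === undefined || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Parse at grant time (bad syntax throws here, never during a decision). The returned
// predicate is fail-closed: an unresolvable path is false even for '!=', and '=='/'!='
// compare scalars with strict equality.
function compileCondition(expr) {
  const m = CONDITION.exec(String(expr));
  if (!m) throw new Error('malformed condition');
  const [, path, op, raw] = m;
  let literal;
  try { literal = JSON.parse(raw); } catch { throw new Error('condition literal must be JSON'); }
  if (op === 'in' && !Array.isArray(literal)) throw new Error('"in" needs a JSON array');
  if (op === 'cidr' && typeof literal !== 'string') throw new Error('"cidr" needs a string');
  return ctx => {
    const value = lookup(ctx, path);
    if (value === undefined) return false;
    switch (op) {
      case '==': return value === literal;
      case '!=': return value !== literal;
      case 'in': return literal.includes(value);
      case 'cidr': return typeof value === 'string' && ipv4InCidr(value, literal);
      default: return false;
    }
  };
}

// Constructed conditions; the weekday list stands in for the page's time windows.
const publishWhenDraft = compileCondition('$.article.status == "draft"');
const fromOfficeNet = compileCondition('$.request.ip cidr "10.20.0.0/16"');
const onWeekday = compileCondition('$.request.weekday in ["mon","tue","wed","thu","fri"]');

console.log(publishWhenDraft({ article: { status: 'draft' } })); // true
console.log(fromOfficeNet({ request: { ip: '10.21.0.1' } }));    // false
console.log(onWeekday({ request: { weekday: 'sat' } }));         // false
```

Compiling the condition when the grant is defined, rather than when a decision is made, means a typo in a policy string surfaces at startup instead of silently evaluating to false (or worse, true) on a live request.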

The official NestJS integration: fluent CRUD decorators, a fail-closed guard, forRootAsync for DB-driven grants, and attribute filtering on the way out. See the guide.

Read, modify, and filter JavaScript objects and arrays with notation strings or glob patterns. Powers AccessControl’s attribute filtering.

Builds a nested, typed configuration object from flat config items, with templating and ABAC filtering. Built on Notation.

We love and support these projects.