Roles and permissions system for Nodejs

roles_invesitgation.md

ACL / Roles + Permissions

https://github.com/djvirgen/virgen-acl Simple and elegant, create your own checks. No middleware?

https://github.com/OptimalBits/node_acl Use as middleware, create your own roles and access. Great choice.

https://github.com/tschaub/authorized Similar to connect roles... but a bit more robust? you can create roles and action, and associate many roles with that action

https://github.com/scottkf/ability-js Like canCan for rails. This is a traditional controller / function type permission system. May be too abstract.

https://github.com/dresende/node-roles More traditional setRole() hasRole() based checking. Last activity 2 years ago.

https://github.com/carlos8f/node-relations Natural language style roles. Looks very promising and is in active development

https://github.com/ForbesLindesay/connect-roles Simple and closer to action / natural language based. Requires writing your own checks for each.

https://github.com/ajlopez/SimplePermissions Maybe too simple? Makes sense for assigning roles but then its hard to check against roles!

https://npmjs.org/package/entitlement Not ideal but here for reference sake.

Mongoose Field Access Control

https://github.com/codedoctor/mongoose-plugins-accessible-by Set access per field of mongoose Schema. Not supported or maintained, and noted as not a perfect fit in all cases... but worth considering as a simple way to control access to fields.

Hi, Great compilation.
You might want to correct a typo on the gist's name (roles_invesitgation.md)

Thanks for a compiled list of somethings out there.

What about https://github.com/tenodi/permission ?

Awesome! 🤘

Thanks for the collection!

Thanks a lot !!!

Thanks man, very usefull... \o

current popularity rank (based on npmjs.com dowloads count)

1. acl
2. connect-roles
3. authorized
4. virgen-acl
5. permission
6. ability
7. simplepermissions
8. entitlement

Checkout https://github.com/kieronwiltshire/letu.git

Here is my approach https://github.com/onury/accesscontrol
Example:

var permission = ac.can(role).createOwn(resource);
if (permission.granted) {
    // do stuff...
} else {
    console.log('Forbidden');
}

Thx so much!

Shameless plug! : https://github.com/AGhost-7/o-is/tree/master/packages/access-mate

Above is an attribute-based access control library. It is designed to be as flexible as possible by using conditions instead of roles. One can implement RBAC or whatever they want using conditions. Module also supports field-level access control that isn't supported by most of the modules listed here.

If you wish to enhance the list, we wrote this with my team: https://github.com/bluebirds-blue-jay/access-control

Here is the real cancan for node.js: https://github.com/vadimdemedes/cancan

@SylvainEstevez how do I use Mongodb store for https://github.com/bluebirds-blue-jay/access-control ? Thanks

I'm surprised https://github.com/stalniy/casl isn't on the list

I'm surprised https://github.com/stalniy/casl isn't on the list

exactly!

awesone. thank you guys

Nobody talks about https://casbin.org/?

I'm surprised https://github.com/stalniy/casl isn't on the list

@facultymatt
Yes , along with casl I think accesscontrol should also be on list.

List of top trends.
https://www.npmtrends.com/accesscontrol-vs-acl-vs-express-acl-vs-express-authorization-vs-node-authorization-vs-@casl/mongoose-vs-@casl/ability

Does anybody knows a way to have multiorganization roles permissions? I need to create permisssions dynamically depending on customers organizations, which means, I have system permissions, I have each company permissions and the name of the role and it's permissions is not unique, which means a company A could have a Role A and the company B could have Role A, then Role A of company A and Role A of Company B have the same name but different actions associated. So the customers in Company A access their own permissions and Company B access their own permissions.

@hackerunet you can try Casbin's RBAC model with domains: https://casbin.org/docs/en/rbac-with-domains