Stats

Actions

Tags

Help us improve

Share bugs, ideas, or general feedback.

access-control-rbac | access-control-rbac

Skill

access-control-rbac

From access-control-rbac

Implements Node.js RBAC with permissions, role inheritance, Express middleware; Python ABAC patterns and access control models. For admin dashboards, multi-tenant apps, authorization.

$

npx claudepluginhub secondsky/claude-skills --plugin access-control-rbac

Popularity

Parent stars

149

Parent forks

23

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/access-control-rbac:access-control-rbac

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Implement secure access control systems with fine-grained permissions using RBAC, ABAC, or hybrid approaches.

Supporting Files

references/java-spring-security.mdreferences/python-abac.md

SKILL.md

163 lines · ~1.3k tokens

Similar Skills

rbac

18

Guides selection and implementation of RBAC, ABAC, ReBAC authorization models with role hierarchies, policy engines, resource access checks, and audit logging.

RBAC Design

14

Guides designing role-based access control (RBAC) systems with permission modeling, role definitions, and resource-level checks to prevent authorization failures.

1 file

access-control-knowledge

73

Provides ACL, RBAC, ABAC, ReBAC models, multi-tenancy patterns, and PHP implementations (Symfony Voters, Laravel Gates) for security audits and code generation.

2 files

Stats

LanguageTypeScript

Parent stars149

Parent forks23

MaintenanceGood

Last CommitApr 2, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

role-inheritance

Help us improve

Share bugs, ideas, or general feedback.

Access Control & RBAC

Implement secure access control systems with fine-grained permissions using RBAC, ABAC, or hybrid approaches.

Access Control Models

Model	Description	Best For
RBAC	Role-based - users assigned to roles with permissions	Most applications
ABAC	Attribute-based - policies evaluate user/resource attributes	Complex rules
MAC	Mandatory - system-enforced classification levels	Government/military
DAC	Discretionary - resource owners control access	File systems
ReBAC	Relationship-based - access via entity relationships	Social apps

Node.js RBAC Implementation

class Permission {
  constructor(resource, action) {
    this.resource = resource;
    this.action = action;
  }

  matches(resource, action) {
    return (this.resource === '*' || this.resource === resource) &&
           (this.action === '*' || this.action === action);
  }
}

class Role {
  constructor(name, permissions = [], parent = null) {
    this.name = name;
    this.permissions = permissions;
    this.parent = parent;
  }

  hasPermission(resource, action) {
    if (this.permissions.some(p => p.matches(resource, action))) return true;
    return this.parent?.hasPermission(resource, action) ?? false;
  }
}

class RBACSystem {
  constructor() {
    this.roles = new Map();
    this.userRoles = new Map();
  }

  createRole(name, permissions = [], parentRole = null) {
    const parent = parentRole ? this.roles.get(parentRole) : null;
    this.roles.set(name, new Role(name, permissions, parent));
  }

  assignRole(userId, roleName) {
    const userRoles = this.userRoles.get(userId) || [];
    userRoles.push(this.roles.get(roleName));
    this.userRoles.set(userId, userRoles);
  }

  can(userId, resource, action) {
    const roles = this.userRoles.get(userId) || [];
    return roles.some(role => role.hasPermission(resource, action));
  }
}

// Express middleware
const requirePermission = (resource, action) => (req, res, next) => {
  if (!rbac.can(req.user.id, resource, action)) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  next();
};

// Setup default roles
const rbac = new RBACSystem();
rbac.createRole('viewer', [new Permission('*', 'read')]);
rbac.createRole('editor', [new Permission('*', 'write')], 'viewer');
rbac.createRole('admin', [new Permission('*', '*')], 'editor');

Python ABAC Pattern

class Policy:
    def __init__(self, name, effect, resource, action, conditions):
        self.name = name
        self.effect = effect  # 'allow' or 'deny'
        self.resource = resource
        self.action = action
        self.conditions = conditions

    def matches(self, context):
        if self.resource != "*" and self.resource != context.get("resource"):
            return False
        if self.action != "*" and self.action != context.get("action"):
            return False
        return True

    def evaluate(self, context):
        return all(cond(context) for cond in self.conditions)


class ABACEngine:
    def __init__(self):
        self.policies = []

    def add_policy(self, policy):
        self.policies.append(policy)

    def check_access(self, context):
        for policy in self.policies:
            if policy.matches(context) and policy.evaluate(context):
                return policy.effect == 'allow'
        return False  # Deny by default


# Condition functions
def is_resource_owner(ctx):
    return ctx.get("user_id") == ctx.get("resource_owner_id")

def is_within_business_hours(ctx):
    from datetime import datetime
    return 9 <= datetime.now().hour < 18

See references/python-abac.md for complete implementation with Flask integration.

Java Spring Security

See references/java-spring-security.md for enterprise implementation with:

Spring Security configuration
Method-level security with @PreAuthorize
Custom permission service
Custom security expressions

Best Practices

Do:

Apply least privilege principle
Use role hierarchies to reduce duplication
Audit all access changes
Review permissions quarterly
Cache permission checks for performance
Separate authentication from authorization

Don't:

Hardcode permission checks
Allow permission creep without review
Skip audit logging
Use overly broad wildcards

References