Open-source libraries for implementing granular permission systems and role-based access control in software applications.
Casbin is an authorization library designed to manage application access control and permissions through a configurable model-based engine. It serves as a centralized system for verifying whether a user has permission to perform specific actions on a resource. The engine supports multiple access control models, including Role-Based Access Control, Attribute-Based Access Control, and Access Control Lists. It allows for the definition of role hierarchies and the evaluation of user, resource, and environment attributes to make access decisions. The library decouples authorization logic from data storage via a policy persistence layer, enabling the saving and loading of rules from external databases or files. It supports dynamic policy management to update permissions and role mappings at runtime.
Casbin is a comprehensive authorization library that natively supports role-based and attribute-based access control, hierarchical roles, and policy-as-code, making it a complete solution for implementing granular permission management.
Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code by using a configuration-driven approach, allowing developers to define access rules and evaluation logic independently. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine whether a subject is permitted to perform an action on a resource. The project distinguishes itself through a highly modular architecture that includes adapter-based storage abstraction, enabling the engine to connect to various persistent backends for policy management. It supports complex, context-aware policy execution by allowing developers to inject custom functions for domain-specific matching and validation. Furthermore, the engine handles hierarchical role resolution and provides mechanisms for aggregating multiple policy outcomes, such as allow-override or deny-override, to resolve conflicting permissions. The platform covers a broad capability surface, including middleware integration for web frameworks, API gateways, and service mesh architectures. It offers extensive tooling for policy administration, observability, and performance optimization, such as result caching and asynchronous execution. The system also supports multi-tenancy through domain-aware authorization and provides programmatic interfaces for automating policy updates and lifecycle management. The library is designed for integration into existing stacks, offering middleware components and support for distributed deployments to ensure a consistent authorization state across multiple service instances.
Casbin is a comprehensive authorization library that natively supports role-based and attribute-based access control, hierarchical roles, and policy-as-code, making it a flagship solution for implementing granular permission management across diverse application stacks.
This is a role-based access control system for Laravel applications that manages user permissions and roles within a database. It provides a database permissions manager to assign specific abilities to users and roles, utilizing authorization gates to restrict access to routes and interface elements. The project features a wildcard permission system that uses pattern matching to grant broad access across multiple related permissions. It also supports team-scoped access control, allowing users to maintain different roles and permission levels across separate organizational contexts or teams. The package includes middleware for route guarding, a caching system to reduce database query overhead, and a set of command-line tools for automating the administration of roles and permissions. It further provides mechanisms for view-level verification and event-driven cache invalidation.
This is a dedicated authorization library for Laravel that provides robust role-based access control, middleware integration, and granular permission management, though it lacks native support for attribute-based access control or policy-as-code.
OpenFGA is a fine-grained authorization server and policy decision point that implements relationship-based access control. It serves as a centralized authorization service for evaluating access requests and managing relationship tuples across distributed microservices and multi-tenant environments. The engine combines relationship graphs with attribute-based access control, using the Common Expression Language (CEL) to evaluate dynamic runtime attributes and conditional access rules. It handles complex hierarchies and nested permissions by traversing chains of associations and parent-child links to determine whether a principal is authorized to perform a specific action. The system supports a wide range of operational capabilities, including authorization as code via versioned schema models, batch permission processing, and multi-backend persistence with support for PostgreSQL, MySQL, and SQLite. It provides tools for model visualization, automated deployment through continuous integration pipelines, and comprehensive observability via OpenTelemetry. The server can be installed and configured across Docker and Kubernetes environments using Helm charts.
OpenFGA is a centralized authorization server that provides fine-grained, relationship-based access control and policy-as-code capabilities, making it a robust choice for managing complex permissions across distributed applications.
Hanko is an open-source identity provider and customer identity and access management system. It serves as a passkey authentication service and an OAuth and SAML SSO gateway, allowing applications to authenticate users and issue tokens via standard identity protocols. The project distinguishes itself through a strong focus on passwordless access using WebAuthn-based passkeys and email-based passcodes. It provides framework-agnostic authentication interfaces as customizable web components that can be embedded directly into web applications to handle login, registration, and profile management. The platform covers a broad range of identity capabilities, including multi-factor authentication, social login integrations, and enterprise single sign-on. It also provides comprehensive session management, role-based and attribute-based access control, and tools for synchronizing identity data via webhooks and external database integrations. The service is integrated into applications through client and server-side SDKs and supports custom branded domain mapping.
Hanko is a comprehensive identity and access management platform that includes built-in support for role-based and attribute-based access control, though it functions as a full-service authentication provider rather than a lightweight authorization-only library.
ERPNext is a comprehensive enterprise resource planning suite designed to integrate core organizational functions, including accounting, inventory, human resources, and project management, into a single unified platform. It operates as a metadata-driven business application, where data structures and application logic are defined through configuration rather than hard-coded programming to facilitate rapid customization. The system distinguishes itself through a robust security and governance framework that enforces granular, role-based access control across all document operations. It features a dedicated data privacy layer that performs field-level masking, intercepting and transforming sensitive information at the application level based on user authorization. This ensures that private data remains protected while maintaining full operational functionality for authorized staff. The platform manages business processes through an event-driven workflow engine that triggers automated tasks and notifications based on document status changes. Its document-oriented persistence layer handles relationships and validation logic centrally, while server-side hooks allow for the injection of custom logic into the document lifecycle. The system is documented and distributed as a configurable framework for managing complex organizational data.
This is a full-featured enterprise resource planning application rather than a standalone library or framework for developers to implement authorization in their own custom software.
This project is a modular authentication framework designed to manage user identity, session tracking, and access control across web applications. It provides a unified solution for handling email-based credentials and social identity federation, allowing developers to implement secure login and registration flows that maintain consistent user states across client and server environments. The system utilizes a plugin-based architecture and middleware-driven request interception to allow for the extension of core authentication logic. It features type-safe schema generation, which derives database structures and API contracts directly from configuration, and employs a database-agnostic adapter pattern to interface with various storage backends. These capabilities enable the creation of custom security logic and database schemas that adapt to specific application requirements. To support development, the framework includes integrated tooling that provides context-aware knowledge to coding assistants. By configuring agent skills and connecting documentation through standardized protocols, developers can automate the implementation of authentication patterns while ensuring adherence to established conventions and security standards.
This framework provides a modular authentication and authorization system that includes built-in support for role-based access control and middleware integration, making it a suitable tool for managing granular permissions within web applications.