home / skills / secondsky / claude-skills / access-control-rbac
This skill implements secure access control with RBAC, ABAC, and policies to simplify fine-grained authorization in multi-tenant apps.
npx playbooks add skill secondsky/claude-skills --skill access-control-rbacReview the files below or copy the command above to add this skill to your agents.
---
name: access-control-rbac
description: Role-based access control (RBAC) with permissions and policies. Use for admin dashboards, enterprise access, multi-tenant apps, fine-grained authorization, or encountering permission hierarchies, role inheritance, policy conflicts.
---
# Access Control & RBAC
Implement secure access control systems with fine-grained permissions using RBAC, ABAC, or hybrid approaches.
## Access Control Models
| Model | Description | Best For |
|-------|-------------|----------|
| RBAC | Role-based - users assigned to roles with permissions | Most applications |
| ABAC | Attribute-based - policies evaluate user/resource attributes | Complex rules |
| MAC | Mandatory - system-enforced classification levels | Government/military |
| DAC | Discretionary - resource owners control access | File systems |
| ReBAC | Relationship-based - access via entity relationships | Social apps |
## Node.js RBAC Implementation
```javascript
class Permission {
constructor(resource, action) {
this.resource = resource;
this.action = action;
}
matches(resource, action) {
return (this.resource === '*' || this.resource === resource) &&
(this.action === '*' || this.action === action);
}
}
class Role {
constructor(name, permissions = [], parent = null) {
this.name = name;
this.permissions = permissions;
this.parent = parent;
}
hasPermission(resource, action) {
if (this.permissions.some(p => p.matches(resource, action))) return true;
return this.parent?.hasPermission(resource, action) ?? false;
}
}
class RBACSystem {
constructor() {
this.roles = new Map();
this.userRoles = new Map();
}
createRole(name, permissions = [], parentRole = null) {
const parent = parentRole ? this.roles.get(parentRole) : null;
this.roles.set(name, new Role(name, permissions, parent));
}
assignRole(userId, roleName) {
const userRoles = this.userRoles.get(userId) || [];
userRoles.push(this.roles.get(roleName));
this.userRoles.set(userId, userRoles);
}
can(userId, resource, action) {
const roles = this.userRoles.get(userId) || [];
return roles.some(role => role.hasPermission(resource, action));
}
}
// Express middleware
const requirePermission = (resource, action) => (req, res, next) => {
if (!rbac.can(req.user.id, resource, action)) {
return res.status(403).json({ error: 'Forbidden' });
}
next();
};
// Setup default roles
const rbac = new RBACSystem();
rbac.createRole('viewer', [new Permission('*', 'read')]);
rbac.createRole('editor', [new Permission('*', 'write')], 'viewer');
rbac.createRole('admin', [new Permission('*', '*')], 'editor');
```
## Python ABAC Pattern
```python
class Policy:
def __init__(self, name, effect, resource, action, conditions):
self.name = name
self.effect = effect # 'allow' or 'deny'
self.resource = resource
self.action = action
self.conditions = conditions
def matches(self, context):
if self.resource != "*" and self.resource != context.get("resource"):
return False
if self.action != "*" and self.action != context.get("action"):
return False
return True
def evaluate(self, context):
return all(cond(context) for cond in self.conditions)
class ABACEngine:
def __init__(self):
self.policies = []
def add_policy(self, policy):
self.policies.append(policy)
def check_access(self, context):
for policy in self.policies:
if policy.matches(context) and policy.evaluate(context):
return policy.effect == 'allow'
return False # Deny by default
# Condition functions
def is_resource_owner(ctx):
return ctx.get("user_id") == ctx.get("resource_owner_id")
def is_within_business_hours(ctx):
from datetime import datetime
return 9 <= datetime.now().hour < 18
```
See [references/python-abac.md](references/python-abac.md) for complete implementation with Flask integration.
## Java Spring Security
See [references/java-spring-security.md](references/java-spring-security.md) for enterprise implementation with:
- Spring Security configuration
- Method-level security with `@PreAuthorize`
- Custom permission service
- Custom security expressions
## Best Practices
**Do:**
- Apply least privilege principle
- Use role hierarchies to reduce duplication
- Audit all access changes
- Review permissions quarterly
- Cache permission checks for performance
- Separate authentication from authorization
**Don't:**
- Hardcode permission checks
- Allow permission creep without review
- Skip audit logging
- Use overly broad wildcards
## References
- [NIST RBAC Model](https://csrc.nist.gov/projects/role-based-access-control)
- [OWASP Access Control Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
- [AWS IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
This skill implements role-based access control (RBAC) with support for permissions, role hierarchies, and policy-driven checks. It includes patterns for RBAC in TypeScript/Node, ABAC examples in Python, and guidance for enterprise integrations. Use it to build consistent, auditable authorization across admin dashboards, multi-tenant apps, and APIs.
The core RBAC engine defines Permission and Role objects, where roles can inherit permissions from parent roles. A central RBACSystem maps users to roles and evaluates whether any assigned role grants a requested resource/action pair. For more complex scenarios the skill shows an ABAC-style policy engine that evaluates contextual conditions and effects, enabling attribute-based rules like ownership or business hours. Example middleware and integration points demonstrate enforcing checks in Express, Flask, or Spring Security.
How do I handle conflicts between allow and deny policies?
Use a clear policy resolution strategy: deny-by-default and explicit deny should take precedence. Evaluate deny policies before allows or assign higher priority to denial rules.
Can I mix RBAC and ABAC?
Yes. Use RBAC for coarse-grained role assignments and ABAC policies for contextual exceptions or refined rules such as ownership, time windows, or resource attributes.