Permit
@vielzeug/permit is a lightweight role-based access control (RBAC) engine for role/resource/action authorization checks in TypeScript.
Installation
```sh
pnpm add @vielzeug/permit
```
```sh
npm install @vielzeug/permit
```
```sh
yarn add @vielzeug/permit
```
Quick Start
```ts
import { ANONYMOUS, WILDCARD, createPermit } from '@vielzeug/permit';

const permit = createPermit();

permit
  .grant('viewer', WILDCARD, 'read')
  .extend('editor', 'viewer')
  .define('editor', 'posts', {
    write: (user, data) => user.id === data?.authorId,
  })
  .extend('admin', 'editor')
  .grant('admin', WILDCARD, 'delete')
  .grant(ANONYMOUS, 'posts', 'read');

const user = { id: 'u1', roles: ['editor'] };

permit.check(user, 'posts', 'read');
permit.check(user, 'posts', 'write', { authorId: 'u1' });
permit.checkAny(user, 'posts', ['write', 'delete']);
```
Why Permit?
Hand-rolling RBAC logic leads to scattered `if` checks and duplicated role logic across your codebase:
```ts
// Before — scattered manual checks
function canEdit(user, post) {
  if (user.roles.includes('admin')) return true;
  if (user.roles.includes('editor') && post.authorId === user.id) return true;
  return false;
}

// After — centralized with Permit
import { createPermit } from '@vielzeug/permit';

const permit = createPermit();
permit.define('admin', '*', { update: true });
permit.define('editor', 'posts', { update: (user, data) => user.id === data?.authorId });
permit.check(user, 'posts', 'update', post);
```
| Feature | Permit | CASL | AccessControl |
|---|---|---|---|
| Bundle size | 0.1 KB | ~10 kB | ~10 kB |
| Dynamic rules | ✅ Functions | ✅ | ❌ |
| Role inheritance | ✅ Built-in | Manual | ✅ |
| Wildcard roles | ✅ | ✅ | ✅ |
| Anonymous users | ✅ Built-in | Manual | Manual |
| TypeScript | ✅ Generics | ✅ | ⚠️ |
| Zero dependencies | ✅ | ❌ | ❌ |
Use Permit when you need a lightweight, type-safe RBAC engine for moderate complexity (role/resource/action) without Mongoose or event-based architectures.
Consider alternatives when you need attribute-based access control (ABAC), complex policy inheritance chains, or audit logging built in.
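The ownership rule used in the Quick Start and Why Permit? snippets, `user.id === data?.authorId`, evaluates to true when both sides are `undefined`. The following is an added example, not code from @vielzeug/permit: it runs that predicate and a hardened variant through a small default-deny evaluator. The names `check`, `makePolicy`, `ownsLoose` and `ownsStrict` are hypothetical, and whether the library can ever be handed a user object without an `id` is an assumption the page does not settle.

```typescript
// Added example: a minimal default-deny evaluator, not @vielzeug/permit's code.
type User = { id?: string; roles: string[] };
type Data = { authorId?: string };
type Rule = boolean | ((user: User, data?: Data) => boolean);
type Actions = Record<string, Rule | undefined>;
type Policy = Record<string, Record<string, Actions | undefined> | undefined>;

// Ownership predicate as written on the page.
const ownsLoose: Rule = (user, data) => user.id === data?.authorId;

// Hardened form: both sides must be non-empty strings before they are compared.
const ownsStrict: Rule = (user, data) =>
  typeof user.id === 'string' && user.id !== '' &&
  typeof data?.authorId === 'string' && user.id === data?.authorId;

// Hypothetical policy table: role -> resource -> action -> rule.
function makePolicy(owns: Rule): Policy {
  return { viewer: { '*': { read: true } }, editor: { posts: { write: owns } } };
}

// Default deny: no matching rule, a false rule, or a throwing rule all yield false.
function check(policy: Policy, user: User, resource: string, action: string, data?: Data): boolean {
  for (const role of user.roles) {
    const byResource = policy[role];
    const rule = byResource?.[resource]?.[action] ?? byResource?.['*']?.[action];
    if (rule === undefined) continue;
    try {
      if (rule === true || (typeof rule === 'function' && rule(user, data) === true)) return true;
    } catch {
      // Fail closed: an exception inside a rule never grants access.
    }
  }
  return false;
}

// Constructed inputs.
const editor: User = { id: 'u1', roles: ['editor'] };
const noId: User = { roles: ['editor'] }; // e.g. a session object that lost its id

function demo() {
  const loose = makePolicy(ownsLoose);
  const strict = makePolicy(ownsStrict);
  return {
    ownPost: check(strict, editor, 'posts', 'write', { authorId: 'u1' }),
    othersPost: check(strict, editor, 'posts', 'write', { authorId: 'u2' }),
    looseNoData: check(loose, noId, 'posts', 'write'),
    strictNoData: check(strict, noId, 'posts', 'write'),
    ungranted: check(strict, editor, 'posts', 'delete'),
  };
}
console.log(demo());
```

Cases like `looseNoData` are worth covering in the unit tests for any dynamic rule, alongside the happy path.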
Features
- Role/resource/action permission checks
- Dynamic permission functions `(user, data?) => boolean`
- Role inheritance and parent unbinding (`extend`, `unextend`)
- Wildcard role/resource/action support (`WILDCARD`)
- Anonymous-role support (`ANONYMOUS`)
- Bulk checks (`checkAll`, `checkAny`) and user-bound guards (`for(user)`)
- Permission state lifecycle (`remove`, `snapshot`, `restore`, `clear`)
- Strict-mode and wildcard-fallback options
- Zero dependencies — 0.1 KB gzipped
Compatibility
| Environment | Support |
|---|---|
| Browser | ✅ |
| Node.js | ✅ |
| SSR | ✅ |
| Deno | ✅ |