casbin

Go ★ 20k updated 4d ago

Apache Casbin: an authorization library that supports access control models like ACL, RBAC, ABAC.

An open-source authorization library that answers whether a user can perform an action on a resource; it supports role-based, attribute-based, and list-based permission models, selected and configured through a model config file.

Languages: Go, Java, Node.js, PHP, Python, .NET, Rust, C++ · Setup: moderate · Complexity: 3/5

Casbin is an open-source authorization library that handles the question "is this user allowed to do this action on this resource?" It supports several well-established access control patterns and lets you choose and configure the one that fits your application, without writing the permission logic from scratch.

The three main patterns it supports are ACL (Access Control List — a simple list of who can do what), RBAC (Role-Based Access Control — users are assigned roles like "admin" or "editor," and roles define permissions), and ABAC (Attribute-Based Access Control — permissions depend on properties of the user, resource, or environment). These can also be combined: for example, RBAC roles with domain-specific permissions for multi-tenant applications, or deny-override rules like firewall policies.

The way Casbin works is through a configuration file that defines the access control model, and a separate policy file or database that stores the actual rules. Because the model is separate from the code, you can change your authorization scheme by editing a config file rather than rewriting application code. An online editor at casbin.org helps you write and test policies without running code.
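The following is an added, self-contained Go example, not code from the Casbin project, written to make the model/policy split concrete. It implements a deliberately small stand-in enforcer: the policy text (in Casbin's CSV layout of `p` and `g` lines, constructed for this example) says who may do what, while the "model" is reduced to one choice of how matching rules combine. The two effect modes mirror the two Casbin policy-effect expressions quoted in the comments; `ParsePolicy`, `Enforce`, `HasRole` and the sample users, roles and resources are all assumptions of this example, not Casbin's API. Running it shows that the same policy file yields a different answer for alice's write on data2 when the model switches from allow-only to deny-override, which is the point of keeping the scheme out of application code.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one "p" policy line: subject, object, action and effect.
// Effect defaults to "allow"; an optional fifth column may say "deny".
type Rule struct {
	Sub, Obj, Act, Eft string
}

// Effect selects how matching rules combine; this plays the role of the
// policy_effect section of a Casbin model file.
type Effect int

const (
	// AllowOnly: granted if any matching rule allows, deny rules ignored
	// (Casbin: "some(where (p.eft == allow))").
	AllowOnly Effect = iota
	// AllowAndDeny: any matching deny overrides every allow
	// (Casbin: "some(where (p.eft == allow)) && !some(where (p.eft == deny))").
	AllowAndDeny
)

// Enforcer is a minimal stand-in (not the casbin library) that keeps the
// policy (rules and role assignments) apart from the model (the effect).
type Enforcer struct {
	effect Effect
	rules  []Rule
	roles  map[string][]string // user or role -> roles granted by "g" lines
}

// ParsePolicy reads "p, sub, obj, act[, eft]" and "g, user, role" lines.
// Blank lines and "#" comments are skipped; anything else is rejected.
func ParsePolicy(text string, effect Effect) (*Enforcer, error) {
	e := &Enforcer{effect: effect, roles: map[string][]string{}}
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		switch {
		case f[0] == "p" && (len(f) == 4 || len(f) == 5):
			r := Rule{Sub: f[1], Obj: f[2], Act: f[3], Eft: "allow"}
			if len(f) == 5 {
				if f[4] != "allow" && f[4] != "deny" {
					return nil, fmt.Errorf("line %d: unknown effect %q", n+1, f[4])
				}
				r.Eft = f[4]
			}
			e.rules = append(e.rules, r)
		case f[0] == "g" && len(f) == 3:
			e.roles[f[1]] = append(e.roles[f[1]], f[2])
		default:
			return nil, fmt.Errorf("line %d: malformed policy line %q", n+1, line)
		}
	}
	return e, nil
}

// HasRole reports whether sub is role itself or inherits it through any
// chain of "g" assignments; a visited set guards against cyclic role graphs.
func (e *Enforcer) HasRole(sub, role string) bool {
	seen := map[string]bool{}
	var walk func(string) bool
	walk = func(cur string) bool {
		if cur == role {
			return true
		}
		if seen[cur] {
			return false
		}
		seen[cur] = true
		for _, parent := range e.roles[cur] {
			if walk(parent) {
				return true
			}
		}
		return false
	}
	return walk(sub)
}

// Enforce answers "may sub perform act on obj?": collect the rules that match
// directly or via a role, then combine them according to the model's effect.
func (e *Enforcer) Enforce(sub, obj, act string) bool {
	allowed, denied := false, false
	for _, r := range e.rules {
		if r.Obj != obj || r.Act != act || !e.HasRole(sub, r.Sub) {
			continue
		}
		if r.Eft == "deny" {
			denied = true
		} else {
			allowed = true
		}
	}
	if e.effect == AllowAndDeny {
		return allowed && !denied
	}
	return allowed
}

// SamplePolicy is constructed for this example, in Casbin's CSV layout.
const SamplePolicy = `
# p, subject, object, action[, effect]
p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
p, alice, data2, write, deny
# g, user, role
g, alice, data2_admin
`

func main() {
	for _, eft := range []Effect{AllowOnly, AllowAndDeny} {
		e, err := ParsePolicy(SamplePolicy, eft)
		if err != nil {
			panic(err)
		}
		fmt.Printf("effect=%d alice write data2 -> %v\n", eft, e.Enforce("alice", "data2", "write"))
	}
}
```

With `AllowOnly` the deny line is inert and alice's role grant wins; with `AllowAndDeny` the explicit deny overrides the role grant, the firewall-style behaviour the description above mentions. Malformed policy lines are rejected at load time rather than silently ignored, which is the check worth keeping in any real policy loader.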

Casbin is primarily written in Go, but the same library is available in production-ready ports for Java, Node.js, PHP, Python, .NET, C++, and Rust — all following the same concepts.

You would use Casbin when building any application that needs fine-grained access control, such as a multi-user web service, an API with different permission levels, or a SaaS product with tenant-specific roles. It does not handle authentication (verifying who a user is) — only authorization (deciding what they are allowed to do).

Where it fits