abac-ts

Attribute-based access control (ABAC) for TypeScript. Zero dependencies.


What is ABAC?

ABAC is an authorization model that evaluates access requests against policies based on attributes of the subject (who), resource (what), action (how), and environment (context).

Unlike role-based access control (RBAC), ABAC enables fine-grained, dynamic policies without a combinatorial explosion of roles.

Installation

npm install abac-ts

Or with other package managers:

pnpm add abac-ts
yarn add abac-ts

Getting Started

1. Define a Policy

A policy describes who can do what under which conditions:

import { createPolicy } from "abac-ts";

const editArticlePolicy = createPolicy({
  target: {
    subject: { role: "editor" },
    resource: { type: "article" },
    action: "edit",
  },
  condition: (subject, resource, environment) => {
    return (
      resource.department === subject.department &&
      environment.hour >= 9 &&
      environment.hour <= 17
    );
  },
});

2. Create the Policy Engine

Combine one or more policies into an engine:

import { createEngine } from "abac-ts";

const engine = createEngine([editArticlePolicy]);

3. Evaluate an Access Request

Pass the subject, resource, action, and environment to get a decision:

const decision = engine.evaluate({
  subject: { id: "user-1", role: "editor", department: "engineering" },
  resource: { id: "article-42", type: "article", department: "engineering" },
  action: "edit",
  environment: { hour: 14 },
});

if (decision === "permit") {
  // Access granted
}

Concepts

| Term | Description |
| --- | --- |
| Subject | The entity requesting access (user, service, device) |
| Resource | The entity being accessed (document, API endpoint, file) |
| Action | The operation being performed (read, write, delete) |
| Environment | Contextual attributes (time, IP address, location) |
| Policy | A rule that maps attribute conditions to a decision |
| Decision | The result: permit, deny, or not_applicable |
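Two details of the Getting Started policy matter at the enforcement point: its condition compares `department` with `===`, which is also true when the attribute is missing on both sides, and a decision can be `not_applicable` as well as `deny`. The added example below is not code from abac-ts; it uses a small stand-in evaluator whose decision rule is an assumption (stated in the first comment), and the names `evaluate`, `strictCondition`, `isAllowed` and the sample requests are constructed for illustration.

```typescript
// Stand-in evaluator written for this example; it is NOT abac-ts. Assumed rule:
// no matching target -> "not_applicable", target matches but condition fails -> "deny".
type Attrs = Record<string, unknown>;
type Decision = "permit" | "deny" | "not_applicable";
interface AccessRequest { subject: Attrs; resource: Attrs; action: string; environment: Attrs }
type Condition = (subject: Attrs, resource: Attrs, environment: Attrs) => boolean;
interface Policy { target: { subject: Attrs; resource: Attrs; action: string }; condition: Condition }

// True when every attribute named in the target has the same value in the request.
const matches = (want: Attrs, have: Attrs): boolean =>
  Object.keys(want).every((key) => have[key] === want[key]);

function evaluate(policies: Policy[], req: AccessRequest): Decision {
  for (const { target, condition } of policies) {
    const hit = target.action === req.action &&
      matches(target.subject, req.subject) && matches(target.resource, req.resource);
    if (hit) return condition(req.subject, req.resource, req.environment) ? "permit" : "deny";
  }
  return "not_applicable";
}

// The page's condition as written: when both records lack `department`,
// undefined === undefined is true and the department check passes.
const pageCondition: Condition = (s, r, e) =>
  r.department === s.department && (e.hour as number) >= 9 && (e.hour as number) <= 17;

// Fail-closed variant: a missing or mistyped attribute can never satisfy the rule.
const strictCondition: Condition = (s, r, e) => {
  const dept = s.department;
  const hour = e.hour;
  return typeof dept === "string" && dept !== "" && r.department === dept &&
    typeof hour === "number" && Math.floor(hour) === hour && hour >= 9 && hour <= 17;
};

const target = { subject: { role: "editor" }, resource: { type: "article" }, action: "edit" };
const asWritten: Policy[] = [{ target, condition: pageCondition }];
const hardened: Policy[] = [{ target, condition: strictCondition }];

// Enforcement point: only an explicit "permit" grants access.
const isAllowed = (decision: Decision): boolean => decision === "permit";

// Constructed requests: no department on either side, and an action no policy targets.
const noDepartment: AccessRequest = {
  subject: { id: "user-2", role: "editor" }, resource: { id: "article-7", type: "article" },
  action: "edit", environment: { hour: 14 },
};
const deleteRequest: AccessRequest = { ...noDepartment, action: "delete" };
```

Build the `environment` attributes (such as `hour`) on the server that enforces the decision rather than accepting them from the caller.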

Why abac-ts?

License

MIT