
permissions package

RBAC + ABAC engine: CASL for in-process checks, OpenFGA for Zanzibar-style relationships. Use defineAbility() on the server and <Can /> in React.

Stability: Stable
Scope: Tenant-scoped
Boundary: packages/iam/permissions
RBAC · ABAC
Resource | read | write | delete | manage
Project
Billing
Audit log
API key
Team member

Powered by CASL · evaluated server-side

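Usage: permissions.ts

```typescript
import { defineAbility } from "@nebutra/permissions";

// Build the rule set for the current user.
const ability = defineAbility((can, cannot, user) => {
  if (user.role === "admin") can("manage", "all");
  // Reads are limited to posts in the user's own tenant.
  can("read", "Post", { tenantId: user.tenantId });
  // Only the author may update a post.
  can("update", "Post", { authorId: user.id });
  // Published posts cannot be deleted. In CASL a later rule overrides an
  // earlier one, so this also applies to admins.
  cannot("delete", "Post", { isPublished: true });
});

// Check a concrete post instance against the rules.
ability.can("update", post);
```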
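The order of the rules in the snippet above decides the outcome of a check. As an added example (not code from @nebutra/permissions or CASL), this simplified model assumes CASL's last-matching-rule-wins evaluation and replays the page's four rules over constructed users and posts; `rulesFor`, `matches` and the standalone `can` are hypothetical names.

```typescript
// Simplified model of CASL-style evaluation (assumption: the last matching
// rule wins, default deny). Not the @nebutra/permissions implementation.
type Conditions = Record<string, unknown>;
interface Rule { action: string; subject: string; conditions?: Conditions; inverted: boolean }
interface User { id: string; role: string; tenantId: string }
interface Post { authorId: string; tenantId: string; isPublished: boolean }

// The four rules from the page's snippet, in the same order.
function rulesFor(user: User): Rule[] {
  const rules: Rule[] = [];
  if (user.role === "admin") rules.push({ action: "manage", subject: "all", inverted: false });
  rules.push({ action: "read", subject: "Post", conditions: { tenantId: user.tenantId }, inverted: false });
  rules.push({ action: "update", subject: "Post", conditions: { authorId: user.id }, inverted: false });
  rules.push({ action: "delete", subject: "Post", conditions: { isPublished: true }, inverted: true });
  return rules;
}

function matches(rule: Rule, action: string, subject: string, resource: object): boolean {
  const conds: Conditions = rule.conditions || {};
  const fields = resource as Conditions;
  return (
    (rule.action === "manage" || rule.action === action) &&
    (rule.subject === "all" || rule.subject === subject) &&
    Object.keys(conds).every((k) => fields[k] === conds[k])
  );
}

// Walk the rules from last to first; deny when nothing matches.
function can(user: User, action: string, subject: string, resource: object): boolean {
  const rules = rulesFor(user).slice().reverse();
  for (const rule of rules) {
    if (matches(rule, action, subject, resource)) return !rule.inverted;
  }
  return false;
}

// Constructed sample data.
const admin: User = { id: "u1", role: "admin", tenantId: "t1" };
const member: User = { id: "u2", role: "member", tenantId: "t1" };
const draft: Post = { authorId: "u2", tenantId: "t1", isPublished: false };
const published: Post = { authorId: "u2", tenantId: "t1", isPublished: true };
const foreign: Post = { authorId: "u9", tenantId: "t2", isPublished: false };

console.log(can(admin, "delete", "Post", published)); // false: cannot() overrides manage-all
console.log(can(member, "read", "Post", foreign));    // false: post belongs to another tenant
console.log(can(admin, "read", "Post", foreign));     // true: the admin rule has no tenantId condition
```

In this model the admin rule carries no `tenantId` condition, so an admin check on another tenant's post passes. If the admin role is meant to be per-tenant, the rule set needs a tenant condition on that rule as well.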