Casbin
Multi-language authorization library with a unified policy model supporting ACL, RBAC, ABAC, and custom access control models. Casbin uses a PERM (Policy, Effect, Request, Matchers) meta-model — define access control in a .conf model file and policies in a .csv file or database. A single policy model runs across Go, Node.js, Python, Java, PHP, and Rust via consistent Casbin ports. Used for complex multi-role, multi-resource permission systems.
Score Breakdown
🔒 Security
Authorization decisions are local — no external network calls. Policy files should be protected as they define access control rules. Apache 2.0 licensed.
Best When
You have complex, multi-model authorization needs (hierarchical RBAC, domain-based permissions) across multiple services or languages using the same policy model.
Avoid When
You need simple role checks or a friendlier API — CASL is more JavaScript-idiomatic. Casbin's power comes with configuration complexity.
Use Cases
- Implement complex multi-role permission systems where users can have multiple roles and roles have hierarchical inheritance
- Build multi-tenant authorization where tenant isolation, role scoping, and resource-level permissions are all required
- Enforce consistent access control across multi-language microservices using the same Casbin policy model in each service
- Store and manage authorization policies in a database (PostgreSQL, MySQL, Redis) with Casbin adapters for dynamic policy updates
- Implement domain-based RBAC where permissions are scoped to organizational units or tenants
Not For
- Simple authorization where basic if/else role checks are sufficient — Casbin's model abstraction adds overhead
- Teams without familiarity with the PERM model — the learning curve for model files and policy syntax is significant
- Centralized external policy decision point — Casbin is an embedded library; use Open Policy Agent for an external PDP
Interface
Authentication
No authentication — embedded authorization library. Database adapters use database credentials for policy storage.
Pricing
Apache 2.0 licensed open source project.
Agent Metadata
Known Gotchas
- Model .conf file syntax is custom and unforgiving — syntax errors may not surface clearly at startup; validate model files with Casbin's online model editor
- Policy hot-reloading with database adapters requires explicit LoadPolicy() calls — policy changes in the database don't automatically reflect in running instances
- Role hierarchy inheritance requires explicit addRoleForUser() calls — roles are flat by default; hierarchy must be explicitly defined in the policy or the g function
- Node.js Casbin is a port of the Go version — behavior may differ slightly from Go Casbin in edge cases; file bugs against node-casbin specifically
- Batch permission checks are more efficient than multiple enforce() calls — use batchEnforce() for checking multiple subject/action/object combinations
- Policy file size impacts startup time — large CSV policy files slow initial LoadPolicy(); use database adapters with indexes for large policy sets
Scores are editorial opinions as of 2026-03-06.