explaingit

apache/casbin

Analysis updated 2026-06-21

Stars · 20,107 | Language · Go | Audience · developer | Complexity · 3/5 | Setup · moderate

TLDR

An open-source authorization library that answers whether a user can perform an action on a resource. It supports role-based, attribute-based, and list-based permission models via a config file.

Mindmap

mindmap
  root((Casbin))
    Permission models
      ACL simple lists
      RBAC role-based
      ABAC attribute-based
    How it works
      Model config file
      Policy file or DB
      Online policy editor
    Languages
      Go primary
      Java Node Python
      PHP .NET Rust
    Audience
      Web developers
      API builders
      SaaS teams

What do people build with it?

USE CASE 1

Add role-based access control to a web app so admin users can edit while regular users can only view.

USE CASE 2

Enforce per-tenant permission rules in a multi-tenant SaaS product using domain-specific RBAC.

USE CASE 3

Replace hard-coded permission checks in an API with a policy file that can be updated without changing code.

USE CASE 4

Implement firewall-style deny-override rules for fine-grained resource access in a microservices system.

What is it built with?

Go, Java, Node.js, PHP, Python, .NET, Rust, C++

How does it compare?

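| | apache/casbin | chai2010/advanced-go-programming-book | knadh/listmonk |
| --- | --- | --- | --- |
| Stars | 20,107 | 20,065 | 20,049 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | easy | moderate |
| Complexity | 3/5 | 1/5 | 3/5 |
| Audience | developer | developer | pm founder |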

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate | Time to first run · 30min

Requires writing a model config and a policy file. No external infrastructure is needed beyond the library itself.

License information was not specified in the description.

In plain English

Casbin is an open-source authorization library that handles the question "is this user allowed to do this action on this resource?" It supports several well-established access control patterns and lets you choose and configure the one that fits your application, without writing the permission logic from scratch.

The three main patterns it supports are ACL (Access Control List, a simple list of who can do what), RBAC (Role-Based Access Control, where users are assigned roles like "admin" or "editor" and roles define permissions), and ABAC (Attribute-Based Access Control, where permissions depend on properties of the user, resource, or environment). These can also be combined: for example, RBAC roles with domain-specific permissions for multi-tenant applications, or deny-override rules like firewall policies.

Casbin works through a configuration file that defines the access control model, and a separate policy file or database that stores the actual rules. Because the model is separate from the code, you can change your authorization scheme by editing a config file rather than rewriting application code. An online editor at casbin.org helps you write and test policies without running code.

Casbin is primarily written in Go, but the same library is available in production-ready ports for Java, Node.js, PHP, Python, .NET, C++, and Rust, all following the same concepts.

You would use Casbin when building any application that needs fine-grained access control, such as a multi-user web service, an API with different permission levels, or a SaaS product with tenant-specific roles. It does not handle authentication (verifying who a user is), only authorization (deciding what they are allowed to do).
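The separation of rules from code described above, with tenant-scoped roles and deny-override, as an added plain-Go sketch. It is not Casbin's code or API: the rule-line layout, the `Policy` type and the function names are assumptions made for this illustration, and the policy text is constructed.

```go
package main

import "strings"

// Constructed sample policy kept as data: "g" = user, role, tenant; "p" = subject, tenant, object, action, effect.
const policyText = `
g, alice, admin, tenant1
g, bob, viewer, tenant1
p, admin, tenant1, /api/orders, write, allow
p, viewer, tenant1, /api/orders, read, allow
p, alice, tenant1, /api/orders, write, deny
`

type Policy struct{ grants, rules [][]string }

// LoadPolicy parses the rule lines; malformed lines are ignored, so they never grant anything.
func LoadPolicy(text string) Policy {
	var p Policy
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		if f[0] == "g" && len(f) == 4 {
			p.grants = append(p.grants, f[1:])
		} else if f[0] == "p" && len(f) == 6 {
			p.rules = append(p.rules, f[1:])
		}
	}
	return p
}

// Allowed is deny-override: some matching allow, no matching deny, default deny.
func (p Policy) Allowed(user, tenant, obj, act string) bool {
	subjects := map[string]bool{user: true}
	for _, g := range p.grants {
		if g[0] == user && g[2] == tenant { // roles count only in their own tenant
			subjects[g[1]] = true
		}
	}
	allow := false
	for _, r := range p.rules {
		if subjects[r[0]] && r[1] == tenant && r[2] == obj && r[3] == act {
			if r[4] == "deny" {
				return false
			}
			allow = allow || r[4] == "allow"
		}
	}
	return allow
}

func main() { println(LoadPolicy(policyText).Allowed("alice", "tenant1", "/api/orders", "write")) }
```

The explicit deny on alice wins over the allow she inherits through the admin role, and a request in a tenant where she holds no role matches nothing and is refused.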

Copy-paste prompts

Prompt 1
Set up Casbin in a Go web server to enforce RBAC where admins can create, read, update, and delete, editors can read and update, viewers can only read.
Prompt 2
How do I configure Casbin for multi-tenant permissions where each organization has its own admin and viewer roles?
Prompt 3
Write a Casbin policy file and model config that implements deny-override rules for a REST API with routes like /api/orders and /api/users.
Prompt 4
Add Casbin authorization to my Node.js Express app using a PostgreSQL policy adapter, show me the full setup.
Prompt 5
What is the difference between ACL, RBAC, and ABAC in Casbin and which should I use for a simple SaaS app with three user tiers?

Frequently asked questions

What is casbin?

An open-source authorization library that answers whether a user can perform an action on a resource. It supports role-based, attribute-based, and list-based permission models via a config file.

What language is casbin written in?

Mainly Go. The stack also includes Java and Node.js.

What license does casbin use?

License information was not specified in the description.

How hard is casbin to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is casbin for?

Mainly developers.

Verify against the repo before relying on details.