Engineering Core
ISB Vietnam's skilled software engineers deliver high-quality applications, leveraging their extensive experience in developing financial tools, business management systems, medical technology, and mobile/web platforms.

In modern applications, especially admin dashboards and SaaS systems, fine-grained role-based access control is essential. If you've ever scattered if (user.role === 'admin') { ... } all over your code, you'll love CASL.

What is CASL?

CASL (Code Access Security Layer) is a JavaScript library for managing authorization in a declarative, maintainable way.

With CASL, you can:

  • Define what users can do on specific resources

  • Use it on both frontend (React/Vue) and backend (Node.js, NestJS)

  • Avoid role-checking spaghetti code

Install CASL in Node.js

yarn add @casl/ability

Define Abilities

Example: a regular user can read products, while an admin can manage everything.

import { AbilityBuilder, Ability } from '@casl/ability';

function defineAbilitiesFor(user) {
    const { can, cannot, build } = new AbilityBuilder(Ability);

    if (user.role === 'admin') {
        can('manage', 'all'); // full access
    } else {
        can('read', 'Product');
        cannot('delete', 'Product');
    }

    return build();
}

Check Permissions with CASL

// Create an "ability" object based on the current user's roles/permissions
const ability = defineAbilitiesFor(currentUser);

// Check if the user has permission to "delete" a "Product"
if (ability.can('delete', 'Product')) {
    // allow action
} else {
    // deny access
}

In an Express middleware, this logic is often used to protect routes:

// Middleware to check permissions based on action and subject
function authorize(action, subject) {
    return (req, res, next) => {
        // Unauthenticated request: there is no user to build an ability for,
        // and defineAbilitiesFor(undefined) would throw
        if (!req.user) {
            return res.status(401).send('Unauthorized');
        }

        // Create ability based on the logged-in user
        const ability = defineAbilitiesFor(req.user);
        if (ability.can(action, subject)) {
            // If allowed, proceed to the next middleware or route handler
            return next();
        }
        res.status(403).send('Forbidden');
    };
}

Why CASL?

  • Clear semantic permission rules (can/cannot)
  • Works on both frontend and backend
  • Easily supports complex conditions (field-level access, ownership, etc.)
  • Keeps business logic clean and centralized

Conclusion

If you're building a system with multiple roles or complex permission rules, give CASL a try.
It helps you write clean, understandable, and reusable access control logic.

If you're seeking a reliable, long-term partner who values collaboration and shared growth, feel free to reach out to us here: Contact ISB Vietnam

[References]

https://casl.js.org/v6/en/
