RBAC (Rule Based Access Control) for hapijs
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.



npm version Build Status Coverage Status Dependency Status

A Rule Based Access Control module for hapi.

This is inspired by the XACML policies.


  • 2.3.0 - Ability to use RegExp to match target values. Ability to match field to field. (updated rbac-core to 3.0.0)
  • 2.2.0 - Customized error responses
  • 2.1.0 - Usage of user defined data retrievals for target matching. Nested properties on target keys.
  • 2.0.0 - Simplified target (updated rbac-core to 2.0.0)
  • 1.3.0 - Use more data for target matching
  • 1.2.0 - Global default configuration is now possible
  • 1.1.0 - Added ability to dynamically retrieve policies for the route
  • 1.0.0 - Since this version, only node ^4.0 and hapi ^12.0.0 is supported. All the functionality and syntax remains the same.

How to use it

First, install

npm install --save hapi-rbac

Then, import the module in your hapi server instance.

  register: require('hapi-rbac')
}, function(err) {

Then, configure your policies. Check the API Reference.

Learn more about Rule Based Access Control

To have a better idea of how this works, you can check my Bachelor's project presentation about XACML here (english), or here (portuguese).

Even though this plugin doesn't implement the XACML specification, it was based on its policies.