Access control gets messy faster than most people expect.
Most apps handle:
- RBAC (roles & permissions)
- Feature flags
- Experiments
- Plan-based access
…as separate systems.
That usually leads to:
- duplicated logic across frontend and backend
- inconsistent behavior over time
- harder scaling as the product grows
The problem
At small scale, this works fine.
But as your app grows:
- permissions live in one place
- feature flags in another
- experiments somewhere else
👉 Now your logic is fragmented.
You end up asking:
- “Is this user allowed?”
- “Is this feature enabled?”
- “Is this experiment active?”
…in multiple places, with different rules.
A better approach
Instead of managing all of this separately, unify everything into a single access layer.
👉 Define access once
👉 Use it everywhere
Example
```jsx
// One access check, evaluated by the same engine in the UI, the server and the API layer
const canEdit = access.can("edit_post", user);
if (canEdit) {
  return <EditButton />;
}
```
Same logic:
- frontend
- backend
- APIs
What I’ve been building
I’ve been working on a small library called React Access Engine to solve this.
It combines:
- RBAC
- ABAC
- Feature flags
- A/B experiments
- Plan-based access
- Remote config
👉 Into one consistent system.
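To make the `access.can("edit_post", user)` call above concrete, here is an added example (my own illustration, not code from React Access Engine) of a single deny-by-default access layer that folds RBAC, ABAC, a feature flag, a plan check and an experiment variant into one ordered evaluation; the policy names, plans, flags, users and remote-config values are all constructed for the example.

```javascript
// Added example, not the React Access Engine library: one deny-by-default
// access layer that evaluates role, plan, feature flag, experiment and an
// attribute rule in a single place, so UI and API code ask the same question.
// Policy names, plans, flags and users below are constructed for illustration.
const policies = {
  edit_post: {
    roles: ["editor", "admin"],   // RBAC: user needs one of these
    plans: ["pro", "team"],       // plan-based access
    flag: "post_editing",         // feature flag must be on
    // ABAC: only the author may edit, unless the caller is an admin
    attr: (user, ctx) => user.roles.includes("admin") || ctx.post?.authorId === user.id,
  },
  view_beta_dashboard: {
    roles: ["member", "admin"],
    flag: "beta_dashboard",
    experiment: { name: "dashboard_v2", variant: "treatment" },
  },
};

// Constructed remote config: flag state plus pre-assigned experiment variants.
const remoteConfig = {
  flags: { post_editing: true, beta_dashboard: true },
  experiments: { dashboard_v2: { u1: "treatment", u2: "control" } },
};

function createAccess(policies, config) {
  const variantFor = (user, name) => config.experiments[name]?.[user.id] ?? "control";
  return {
    // Every check runs the same ordered rules; any failed rule denies.
    can(action, user, ctx = {}) {
      const p = policies[action];
      if (!p) return false;                                          // unknown action: deny
      if (p.roles && !p.roles.some((r) => user.roles.includes(r))) return false;
      if (p.plans && !p.plans.includes(user.plan)) return false;
      if (p.flag && !config.flags[p.flag]) return false;
      if (p.experiment && variantFor(user, p.experiment.name) !== p.experiment.variant) return false;
      if (p.attr && !p.attr(user, ctx)) return false;
      return true;
    },
  };
}

const access = createAccess(policies, remoteConfig);

// Constructed users. A React component calls access.can to decide whether to
// render a button; the API handler calls the same function to reject the
// request, and that server-side call is the one that actually protects data.
const alice = { id: "u1", roles: ["editor", "member"], plan: "pro" };
const bob = { id: "u2", roles: ["viewer", "member"], plan: "pro" };
const postByAlice = { id: "p1", authorId: "u1" };
```

Because the front end only hides controls, the backend must run the identical `access.can` check before performing the action; sharing the policy table is what keeps the two from drifting apart.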
Why this matters
- No duplicated logic
- Consistent behavior across layers
- Easier to scale
- Cleaner mental model
Curious how others are solving this
Would love to hear how you're handling access control in production apps — especially at scale.