1. Introduction

Access control is one of those things every backend engineer has to face, yet it’s rarely straightforward. At first, Role-Based Access Control (RBAC) feels like the perfect solution: you give users roles like admin, trainer, or member, and protect your endpoints accordingly.

But as your application grows, RBAC quickly shows its limits: a role check can only answer "does this user hold role X?", not "is this user allowed to do this to this particular resource right now?"

In our NestJS gym solution, we ran into exactly this problem. The requirements went beyond “admin can do everything, trainer can manage classes, members can book classes.” Instead, we had to enforce rules like:

Suddenly, roles weren't enough. We needed a more flexible way to express "who can do what under which conditions", where the decision depends on attributes of the subject (who is asking), the resource (what they are acting on), the action, and the context of the request, not on role membership alone. That's where Attribute-Based Access Control (ABAC) came in.
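To make the difference concrete before any NestJS plumbing, here is an added example in plain TypeScript (not code from the article or its gym project) that evaluates the same request under a role table and under a small attribute-based policy set. The `Subject` and `GymClass` shapes, the policy names and the sample rules (a trainer may update only classes they own, a member may book only while seats remain and may cancel only their own booking) are constructed for illustration and are not the article's actual rule set.

```typescript
// Added example: RBAC table vs. attribute-based policies in plain TypeScript.
// Types, rules and sample data below are constructed for illustration.

type Role = 'admin' | 'trainer' | 'member';
type Action = 'read' | 'update' | 'book' | 'cancel';

interface Subject { id: string; role: Role; }
interface GymClass { id: string; trainerId: string; capacity: number; bookedBy: string[]; }

// RBAC: the decision depends only on the caller's role.
const rbacTable: Record<Role, Action[]> = {
  admin: ['read', 'update', 'book', 'cancel'],
  trainer: ['read', 'update'],
  member: ['read', 'book', 'cancel'],
};

export function rbacCan(subject: Subject, action: Action): boolean {
  return rbacTable[subject.role].includes(action);
}

// ABAC: a policy is a predicate over attributes of subject, action and resource.
interface Policy {
  name: string;
  applies(subject: Subject, action: Action, cls: GymClass): boolean;
}

const policies: Policy[] = [
  { name: 'admin-everything', applies: (s) => s.role === 'admin' },
  { name: 'anyone-can-read', applies: (_s, a) => a === 'read' },
  // A trainer may update only a class they own (resource attribute: trainerId).
  {
    name: 'trainer-updates-own-class',
    applies: (s, a, c) => s.role === 'trainer' && a === 'update' && c.trainerId === s.id,
  },
  // A member may book only while seats remain and only once.
  {
    name: 'member-books-if-space',
    applies: (s, a, c) =>
      s.role === 'member' && a === 'book' && c.bookedBy.length < c.capacity && !c.bookedBy.includes(s.id),
  },
  // A member may cancel only their own booking.
  {
    name: 'member-cancels-own-booking',
    applies: (s, a, c) => s.role === 'member' && a === 'cancel' && c.bookedBy.includes(s.id),
  },
];

// Default-deny: the request is allowed only if at least one policy grants it.
export function abacCan(subject: Subject, action: Action, cls: GymClass): boolean {
  return policies.some((p) => p.applies(subject, action, cls));
}

// Constructed sample data: a full class owned by trainer t1.
export const yoga: GymClass = { id: 'c1', trainerId: 't1', capacity: 2, bookedBy: ['m1', 'm2'] };
export const trainerA: Subject = { id: 't1', role: 'trainer' };
export const trainerB: Subject = { id: 't2', role: 'trainer' };
export const member1: Subject = { id: 'm1', role: 'member' };
export const member3: Subject = { id: 'm3', role: 'member' };
export const admin: Subject = { id: 'a1', role: 'admin' };

// RBAC lets any trainer update any class; ABAC checks ownership.
console.log('RBAC trainerB update:', rbacCan(trainerB, 'update'));       // true
console.log('ABAC trainerB update:', abacCan(trainerB, 'update', yoga));  // false
console.log('ABAC trainerA update:', abacCan(trainerA, 'update', yoga));  // true
// RBAC lets any member book; ABAC sees the class is full.
console.log('RBAC member3 book:', rbacCan(member3, 'book'));              // true
console.log('ABAC member3 book:', abacCan(member3, 'book', yoga));        // false
```

Note the default-deny shape of `abacCan`: an empty policy list, or a resource the policies do not mention, yields `false`. That is the property you want from any authorization layer, because a forgotten rule then fails closed instead of open.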

In this guide, I’ll show you how to implement ABAC in a NestJS application step by step, using practical code examples. By the end, you’ll know how to:

2. What is ABAC?

Before we dive into the code, let’s make sure we clearly understand what Attribute-Based Access Control (ABAC) means — and how it differs from the more familiar Role-Based Access Control (RBAC) model.