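ACL: Access Control List, a fairly popular design. It is implemented by linking users directly to permissions.
RBAC: Role Based Access Control, another implementation approach. It extracts a role object, binds users to roles, and maps roles to permissions, so users and permissions have no direct association. For complex systems this is easier to manage.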
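The two models above side by side, as an added example that is not code from any of the libraries listed on this page. It goes one step beyond the definitions by letting a role inherit from parent roles (hierarchical RBAC); every user, role and permission name is constructed for illustration.

```javascript
// Added example; every user, role and permission name below is constructed.

// ACL: permissions hang directly on each user.
// Map (not a plain object) so names like "constructor" cannot hit the prototype.
const acl = new Map([
  ['alice', new Set(['post:read', 'post:edit'])],
  ['bob', new Set(['post:read'])],
]);

function aclCan(user, perm) {
  const perms = acl.get(user);
  return perms !== undefined && perms.has(perm); // unknown user: deny
}

// RBAC: users -> roles -> permissions; a role may inherit from parent roles.
const userRoles = new Map([
  ['alice', ['editor']],
  ['bob', ['viewer']],
  ['carol', ['admin']],
  ['dave', ['loopA']],
]);
const roles = new Map([
  ['viewer', { perms: ['post:read'], inherits: [] }],
  ['editor', { perms: ['post:edit'], inherits: ['viewer'] }],
  ['admin', { perms: ['user:manage'], inherits: ['editor'] }],
  // Misconfigured cycle, kept to show that resolution still terminates.
  ['loopA', { perms: [], inherits: ['loopB'] }],
  ['loopB', { perms: ['report:read'], inherits: ['loopA'] }],
]);

// Collect a role's own and inherited permissions; `seen` stops cycles.
function rolePermissions(name, seen = new Set(), out = new Set()) {
  if (seen.has(name)) return out;
  seen.add(name);
  const role = roles.get(name);
  if (!role) return out; // unknown role grants nothing
  role.perms.forEach((p) => out.add(p));
  role.inherits.forEach((parent) => rolePermissions(parent, seen, out));
  return out;
}

function rbacCan(user, perm) {
  const assigned = userRoles.get(user) || []; // unknown user: no roles
  return assigned.some((r) => rolePermissions(r).has(perm));
}

console.log(aclCan('bob', 'post:edit'), rbacCan('carol', 'post:read')); // false true
```

Granting a new permission to `editor` in the role table reaches every user holding `editor` or `admin` in one change, whereas the ACL table needs one edit per user.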
Hierarchical Role Based Access Control for NodeJS
Simple and elegant, create your own checks. No middleware?
Use as middleware, create your own roles and access. Great choice.
Similar to connect roles… but a bit more robust? You can create roles and actions, and associate many roles with an action.
Like CanCan for Rails. This is a traditional controller / function type permission system. May be too abstract.
More traditional setRole() hasRole() based checking. Last activity 2 years ago.
Natural language style roles. Looks very promising and is in active development
Simple and closer to action / natural language based. Requires writing your own checks for each.
Maybe too simple? Makes sense for assigning roles, but then it's hard to check against roles!
Not ideal, but here for reference's sake.
https://github.com/codedoctor/mongoose-plugins-accessible-by Set access per field of mongoose Schema. Not supported or maintained, and noted as not a perfect fit in all cases… but worth considering as a simple way to control access to fields.