the dynamic user role for the loopback application.

Usage no npm install needed!

<script type="module">
  import loopbackComponentRoleUser from 'https://cdn.skypack.dev/loopback-component-role-user';


Loopback Component user dynamic role

This loopback component add a new dynamic user role which mapping the operators of model to the role. The role name should be '[modelName]' + '.' + '[operator]'. The role should be mapped into the ACL too. And the role can be nested like this:




The Role3 should has the User.add role too.

The role could have multi containers of permission(aother role) or permissions.

The Permission is the model with operation. You can use the * to match the any model or any operation. eg, '*.add', 'User.*'.

Add the .owned dynamical roles to edit, view, find, and delete roles as postfix. For only edit/delete/view/find owned items.


  • The same role could be exists in multi-roles.
  • Disable batch update roles.
  • The nested max level of role to limit. see config: maxLevel


  1. Install in you loopback project:

npm install --save loopback-component-role-user

  1. Create a component-config.json file in your server folder (if you don't already have one)

  2. Configure options inside component-config.json:

  "loopback-component-role-user": {
    "enabled": true,
    "cached": 0,
    "role": "$user",
    "userModel": "User",
    "roleIdFieldName": "name",
    "rolesFieldName": "roles",
    "permsFieldName": "_perms",
    "roleRefsFieldName": "_roleRefs",
    "models": [],
  • enabled [Boolean]: whether enable this component. defaults: true
  • cached: [Integer]: whether cache the perms. defaults: 1
    • 0 'none': no cache. you can write the custom _getPerms class method on the Role model to your cache.
    • 1 'updated': the cached perms updated when the role updated(default)
    • 2 'manual': if the _perms is not empty use the cached _perms else calc perms and update the _perms.
      • NOTE: you should update the _perms field by yourself. just empty it for updated.
  • deleteUsedRole [Boolean]: whether allow to cascade delete used roles. defaults: false
    • only for updated cached: 1.
  • maxLevel [Integer]: the max nested role level to limit. defaults: 10
  • role [String] : the role name. defaults: $user
  • roleModel [string]: The role model to inject. defaults: Role
    • The rolesFieldName and permsFieldName fields will be added to the Model.
    • The hasPerm method will be added to the Model.
    • The addRoles and removeRoles methods will be added if the rolesFieldName is 'roles'.
      • The Role.addRoles and Role.removeRoles permissions are added too.
  • userModel [string]: The user model to inject. defaults: User
    • The rolesFieldName and permsFieldName fields will be added to the User Model.
    • The hasPerm method will be added to the User Model.
    • The addRoles and removeRoles methods will be added if the rolesFieldName is 'roles'.
      • The User.addRoles and User.removeRoles permissions are added too.
  • rolesFieldName [string]: The roles field to define. defaults: roles
    • The model(role) can have zero or more roles/permissions.
  • permsFieldName [string]: The cached perms of this role. defaults: _perms
    • Cache all the permissions to the roles(Readonly).
  • ownerFieldName [string]: The owner id field to define. defaults: creatorId
  • roleRefsFieldName [string]: The cached items which reference this role(Readonly). defaults: _roleRefs
  • models [Boolean|Array of string]. defaults: true
    • enable the user role to the models. true means all models in the app.models.
  • operations [Object]: the mapping operations of model to the role name.
    • the key is the operation(method), the value is the role name.

    • Note: the operations name is the role name if no mapping operations.

    • defaults:

        create: 'add',
        upsert: 'edit',
        updateAttributes: 'edit',
        exists: 'view',
        findById: 'view',
        find: 'find',
        findOne: 'find',
        count: 'find',
        destroyById: 'delete',
        deleteById: 'delete'


Just enable it on component-config.json.

set DEBUG=loopback:security:role:user env vaiable to show debug info.




  • add the cached to determine whether cache the perms.


  • add the .owned dynamical roles to edit.owned, view.owned, find.owned, and delete.owned. Only edit/delete/view/find owned items.


  • remove the limits: The same permission CAN NOT be exists in multi-roles.
  • [bug] the hasPerm should use the match function instead minimatch
  • [bug] updatePermsByRefs can not work properly.
  • [bug] mongodb error: key can not contain "." for _perms is object
  • [bug] can not change itself to roleRefs after roles changed
  • add the maxLevel option to limit the max nested role level to avoid recusive
  • avoid exception when component not enabled.
  • add the deleteUsedRole option to allow or forbidden cascade delete


  • remove the deprecated adminRole option. you can define the admin Role with *.* principal.
  • rename the operators option to operations
  • Customize the Role and User Model.
  • remove hasRole Method.
  • add the Roles mxin.
    • Define the roles and perms fields.
      • roles: the
    • Add the hasPerm, addRoles and removeRoles methods.
  • add the hasPerm, addRoles and removeRoles methods to Role and User Model.
  • Performance optimization.
    • cache permissions and references.


  • add the Role::hasRole