access-control-rbac

Role-based access control (RBAC) with permissions and policies. Use for admin dashboards, enterprise access, multi-tenant apps, fine-grained authorization, or encountering permission hierarchies, role inheritance, policy conflicts.

Quality

71%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./plugins/access-control-rbac/skills/access-control-rbac/SKILL.md

Quality

Content

52%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides solid, executable code examples for RBAC and ABAC patterns across multiple languages, making it highly actionable. However, it lacks workflow guidance for actually implementing and validating access control in a project, which is critical for a security-sensitive domain. The best practices section is generic and the content could be more concise by moving full implementations to reference files and keeping the main skill as an overview.

Suggestions

Add a step-by-step workflow for implementing RBAC in a project, including validation steps like writing test cases to verify permission enforcement and testing role inheritance.

Move the full Node.js and Python implementations into reference files (e.g., references/nodejs-rbac.md, references/python-abac.md) and keep only concise patterns/snippets in the main SKILL.md.

Remove generic best practices that Claude already knows (least privilege, audit logging) or condense them to a single line referencing the OWASP cheat sheet.

Add a concrete example of handling policy conflicts (e.g., when both allow and deny policies match) with explicit resolution strategy.

Dimension	Reasoning	Score
Conciseness	The access control models table is useful but somewhat explanatory for Claude. The code examples are reasonably lean but the overall content is quite long (~130 lines of code across two languages) and the best practices section contains generic security advice Claude already knows (e.g., 'apply least privilege principle', 'separate authentication from authorization').	2 / 3
Actionability	Both the Node.js RBAC and Python ABAC implementations are fully executable, complete with class definitions, middleware integration, and setup examples. The code is copy-paste ready and includes concrete patterns like Express middleware and condition functions.	3 / 3
Workflow Clarity	There is no workflow or sequencing for implementing access control. The skill presents code patterns but doesn't guide through the process of setting up RBAC in a project—no steps for integration, no validation checkpoints for testing permissions, no guidance on verifying that access control is correctly enforced. For a security-critical domain, missing validation/verification is a significant gap.	1 / 3
Progressive Disclosure	References to python-abac.md and java-spring-security.md are well-signaled and one level deep, which is good. However, no bundle files were provided, so these references are broken. The main file also includes substantial inline code that could arguably be split into reference files, keeping the SKILL.md as a leaner overview.	2 / 3
	Total	8 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description with excellent trigger term coverage and clear 'when to use' guidance. Its main weakness is that it describes the domain and concepts rather than listing specific concrete actions the skill performs (e.g., 'implement role hierarchies', 'define permission policies', 'resolve access conflicts'). Adding action verbs would strengthen the specificity dimension.

Suggestions

Add concrete action verbs describing what the skill does, e.g., 'Implements role hierarchies, defines permission policies, resolves access conflicts, manages user-role assignments.'

Dimension	Reasoning	Score
Specificity	The description names the domain (RBAC) and mentions some concepts like 'permissions', 'policies', 'role inheritance', and 'policy conflicts', but doesn't list concrete actions (e.g., 'create roles', 'assign permissions', 'resolve policy conflicts'). It describes the domain more than specific actions the skill performs.	2 / 3
Completeness	Clearly answers both 'what' (role-based access control with permissions and policies) and 'when' (explicitly lists trigger scenarios: admin dashboards, enterprise access, multi-tenant apps, fine-grained authorization, permission hierarchies, role inheritance, policy conflicts).	3 / 3
Trigger Term Quality	Includes strong natural trigger terms users would say: 'RBAC', 'permissions', 'admin dashboards', 'enterprise access', 'multi-tenant apps', 'authorization', 'permission hierarchies', 'role inheritance', 'policy conflicts'. These cover a good range of how users would describe access control needs.	3 / 3
Distinctiveness Conflict Risk	RBAC is a well-defined niche with distinct terminology. The trigger terms like 'role inheritance', 'policy conflicts', 'permission hierarchies', and 'fine-grained authorization' are highly specific to this domain and unlikely to conflict with other skills.	3 / 3
	Total	11 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: secondsky/claude-skills
Commit: 5e92b71

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.