access-control-rbac

Role-based access control (RBAC) with permissions and policies. Use for admin dashboards, enterprise access, multi-tenant apps, fine-grained authorization, or encountering permission hierarchies, role inheritance, policy conflicts.

Quality: 71% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/access-control-rbac/skills/access-control-rbac/SKILL.md
Quality

Discovery: 89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description with excellent trigger term coverage and clear 'when to use' guidance. Its main weakness is that it describes the domain and concepts rather than listing specific concrete actions the skill performs (e.g., 'implement role hierarchies', 'define permission policies', 'resolve access conflicts'). Adding action verbs would strengthen the specificity dimension.

Suggestions

Add concrete action verbs describing what the skill does, e.g., 'Implements role hierarchies, defines permission policies, resolves access conflicts, manages user-role assignments.'

Dimension scores (reasoning, score):

Specificity (2 / 3): The description names the domain (RBAC) and mentions some concepts like 'permissions', 'policies', 'role inheritance', and 'policy conflicts', but doesn't list concrete actions (e.g., 'create roles', 'assign permissions', 'resolve policy conflicts'). It describes the domain more than specific actions the skill performs.

Completeness (3 / 3): Clearly answers both 'what' (role-based access control with permissions and policies) and 'when' (explicitly lists trigger scenarios: admin dashboards, enterprise access, multi-tenant apps, fine-grained authorization, permission hierarchies, role inheritance, policy conflicts).

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would say: 'RBAC', 'permissions', 'admin dashboards', 'enterprise access', 'multi-tenant apps', 'authorization', 'permission hierarchies', 'role inheritance', 'policy conflicts'. These cover a good range of how users would describe access control needs.

Distinctiveness / Conflict Risk (3 / 3): RBAC is a well-defined niche with distinct terminology. The trigger terms like 'role inheritance', 'policy conflicts', 'permission hierarchies', and 'fine-grained authorization' are highly specific to this domain and unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Implementation: 52%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides solid, executable code examples for RBAC and ABAC patterns across multiple languages, making it highly actionable. However, it lacks workflow guidance for actually implementing and validating access control in a project, which is critical for a security-sensitive domain. The best practices section is generic and the content could be more concise by moving full implementations to reference files and keeping the main skill as an overview.

Suggestions

Add a step-by-step workflow for implementing RBAC in a project, including validation steps like writing test cases to verify permission enforcement and testing role inheritance.

Move the full Node.js and Python implementations into reference files (e.g., references/nodejs-rbac.md, references/python-abac.md) and keep only concise patterns/snippets in the main SKILL.md.

Remove generic best practices that Claude already knows (least privilege, audit logging) or condense them to a single line referencing the OWASP cheat sheet.

Add a concrete example of handling policy conflicts (e.g., when both allow and deny policies match) with explicit resolution strategy.

Dimension scores (reasoning, score):

Conciseness (2 / 3): The access control models table is useful but somewhat explanatory for Claude. The code examples are reasonably lean but the overall content is quite long (~130 lines of code across two languages) and the best practices section contains generic security advice Claude already knows (e.g., 'apply least privilege principle', 'separate authentication from authorization').

Actionability (3 / 3): Both the Node.js RBAC and Python ABAC implementations are fully executable, complete with class definitions, middleware integration, and setup examples. The code is copy-paste ready and includes concrete patterns like Express middleware and condition functions.

Workflow Clarity (1 / 3): There is no workflow or sequencing for implementing access control. The skill presents code patterns but doesn't guide through the process of setting up RBAC in a project: no steps for integration, no validation checkpoints for testing permissions, no guidance on verifying that access control is correctly enforced. For a security-critical domain, missing validation/verification is a significant gap.

Progressive Disclosure (2 / 3): References to python-abac.md and java-spring-security.md are well-signaled and one level deep, which is good. However, no bundle files were provided, so these references are broken. The main file also includes substantial inline code that could arguably be split into reference files, keeping the SKILL.md as a leaner overview.

Total: 8 / 12 (Passed)

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: secondsky/claude-skills (Reviewed)
