I've used NPM's 'acl' package before, and it's feature-ful while keeping a very simple API. It also provides a simple middleware for Express, if that's what you're using, but it's easy enough to slip it into most other frameworks. I set the role on the user model, and then do acl.addUserRoles(user.id, user.role). If you have more complicated requirements for multiple roles, it would be easy enough to loop over a roles array. If using Express, you will need a session for every user, and it must contain a userId parameter.
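The flow described in this post (roles taken from the user model, requests gated on the session's userId), as an added example that is not the poster's code and not the acl package itself. MiniAcl, addAll and check are hypothetical stand-ins that only mirror the addUserRoles call shape named above, and the users, roles and /reports resource are constructed.

```javascript
// Dependency-free stand-in (constructed for illustration), not the acl package.
const addAll = (map, key, values) => {        // accepts one value or an array
  const set = map.get(key) || new Set();
  [].concat(values).forEach((v) => set.add(v));
  map.set(key, set);
};

class MiniAcl {
  constructor() { this.userRoles = new Map(); this.grants = new Map(); }
  addUserRoles(userId, roles) { addAll(this.userRoles, String(userId), roles); }
  allow(role, resource, perms) { addAll(this.grants, `${role}|${resource}`, perms); }
  isAllowed(userId, resource, permission) {
    // Deny by default: unknown users, roles or resources get no access.
    const roles = this.userRoles.get(String(userId)) || new Set();
    return [...roles].some((role) =>
      (this.grants.get(`${role}|${resource}`) || new Set()).has(permission));
  }
  // Express-style middleware: resource = request path, permission = HTTP method.
  middleware() {
    return (req, res, next) => {
      const userId = req.session && req.session.userId;
      if (userId == null) return res.status(401).end();   // no session identity
      const ok = this.isAllowed(userId, req.path, req.method.toLowerCase());
      return ok ? next() : res.status(403).end();         // known user, no grant
    };
  }
}

// Constructed helper: replay one request through the middleware, return the status.
function check(acl, session, method, path) {
  let status = 200;                                       // stays 200 if next() runs
  const res = { status(code) { status = code; return this; }, end() {} };
  acl.middleware()({ session, method, path }, res, () => {});
  return status;
}

const acl = new MiniAcl();
acl.allow('admin', '/reports', ['get', 'delete']);
acl.allow('viewer', '/reports', 'get');
// Roles live on the user model; loop over each user's roles array at login/sync.
const users = [{ id: 1, roles: ['admin'] }, { id: 2, roles: ['viewer'] }];
for (const user of users) acl.addUserRoles(user.id, user.roles);
```

A request with no session userId gets 401 and a known user without a matching grant gets 403; nothing is allowed unless a role was explicitly granted the permission.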