How do I generate an RBAC permission matrix?
Type your roles into one box. Type your permissions into another. Tick the checkboxes where access should exist, then export as Markdown, CSV, or JSON. That is the whole job. Rolemat is a free, client-side tool that does exactly this at appcrib.com/rolemat. No account. No config file. No YAML to learn. Paste roles, paste permissions, toggle the grid, hit Copy Markdown, paste into your README. Under a minute from blank page to committed documentation.
The rest of this post covers details: what belongs in the matrix, how to get clean Markdown that renders on GitHub, how to export the same data as CSV for a compliance reviewer, and why the tool stays out of the way.
What is a permission matrix and what goes inside it?
A permission matrix is a two-dimensional table. Roles run across the top as columns. Permissions (or resources, or actions) run down the side as rows. Every cell is a yes or a no: does this role have this permission, or not. That is all there is to the data model. No hierarchy. No inheritance. No policy DSL. Just a grid of booleans you can stare at and reason about.
What each axis typically holds:
- Roles: admin, editor, author, subscriber, service-worker, billing, support. Whatever your app calls them. One role per column.
- Permissions: read:posts, write:posts, delete:posts, publish:posts, manage:billing, invite:users. Some teams prefer resources (posts, comments, users) and use CRUD shorthand. Rolemat uses the flat string you type; it does not impose a naming convention.
The matrix does not exist to generate authorization code. It exists to answer "who can do what" in a format a human can read in six seconds. It lives in a README, a wiki page, or a compliance packet. It gets re-reviewed during audits and updated when you ship a new role.
How do I create a role permission matrix in Markdown?
Writing a valid GitHub-flavored Markdown table by hand is tedious. The pipes have to line up. The header separator has to be right. The checkmarks have to be consistent. Most developers give up and use a screenshot of a spreadsheet, or write a throwaway script they never save.
Rolemat does the Markdown for you. Enter roles, enter permissions, toggle the matrix, click Export Markdown. You get a GFM table with permission names in the first column and role names across the top. Checked cells render as checkmarks. Empty cells render as dashes. Click Copy to Clipboard and paste it straight into README.md. It renders on GitHub with no further editing.
Markdown output is the feature every other tool in this space was missing. Kloudbean's matrix generator exports JSON, CSV, YAML, and XML, but no Markdown. TableConvert does Markdown but does not understand RBAC, so you start from a blank spreadsheet. Cerbos generates policy files, not documentation tables. Rolemat sits in the empty seat: RBAC-shaped UI plus GFM output.
How do I export a permission matrix as CSV?
Click Export CSV. A file downloads with permissions as the first column, roles as the subsequent columns, and TRUE or FALSE in each cell. That CSV opens cleanly in Excel, Google Sheets, Numbers, or any spreadsheet tool. It imports into most compliance platforms that take tabular input. It also diffs cleanly in git because every row is a permission and every column is a role. Add a role, every permission row gets one more column.
CSV is the right export when the person receiving the matrix does not read Markdown. Auditors and security reviewers usually want a spreadsheet. Developers want Markdown. Backend scripts want JSON. Rolemat covers all three off one toggle grid.
How do I document role-based access control for a README?
The workflow most teams end up on:
- Open Rolemat in a browser tab.
- Type your roles (one per line or comma-separated). Example: admin, editor, author, viewer.
- Type your permissions the same way. Example: read:posts, write:posts, delete:posts, publish:posts, manage:users, view:billing.
- Click Generate Matrix. The grid appears instantly.
- Tick the cells that represent real access. Be honest about what each role can actually do, including the things that feel obvious.
- Click Export Markdown, then Copy to Clipboard.
- Paste the table under an ## Access Control heading in your README.md or wiki page.
- Commit.
Total time: under a minute for a 4x6 matrix, a couple of minutes for a 10x20. The tool handles up to 50 roles and 100 permissions without lag, so even a complicated app fits.
A few notes on what to include. Document the roles that exist in production, not the ones you plan to add next quarter. Keep permission names consistent with what appears in your auth middleware. If the code says write:posts, the matrix says write:posts. If you have service accounts or machine roles, list them as real roles; they are as real as any human role from the authorization layer's point of view.
Can I use JSON output for seeding scripts or config files?
Yes. Click Export JSON. You get a structured object:
{
  "roles": ["admin", "editor", "viewer"],
  "permissions": ["read:posts", "write:posts", "delete:posts"],
  "matrix": {
    "admin": { "read:posts": true, "write:posts": true, "delete:posts": true },
    "editor": { "read:posts": true, "write:posts": true, "delete:posts": false },
    "viewer": { "read:posts": true, "write:posts": false, "delete:posts": false }
  }
}

That shape drops straight into a database seed or a test fixture. If you want to codify the matrix as the source of truth and generate your authorization checks from it, the JSON is a reasonable starting point. If you already use a policy engine like Cerbos or Oso, the JSON still works as a design document that humans review before someone translates it into policy.
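An added example (not Rolemat's code or output) of using the exported JSON as the source of truth: it validates that the grid is complete and strictly boolean, then builds a deny-by-default check. The function names `validateMatrix`, `buildChecker` and `undocumented` are assumptions for illustration, and the sample object is constructed to match the JSON shape shown above.

```javascript
// Constructed sample in the JSON shape shown above (not output captured from the tool).
const exported = {
  roles: ["admin", "editor", "viewer"],
  permissions: ["read:posts", "write:posts", "delete:posts"],
  matrix: {
    admin: { "read:posts": true, "write:posts": true, "delete:posts": true },
    editor: { "read:posts": true, "write:posts": true, "delete:posts": false },
    viewer: { "read:posts": true, "write:posts": false, "delete:posts": false },
  },
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return a list of structural problems; an empty list means the grid is complete.
// Cells must be real booleans: a string such as "false" is truthy in JavaScript.
function validateMatrix(doc) {
  const errors = [];
  const roles = new Set(doc.roles);
  const perms = new Set(doc.permissions);
  if (roles.size !== doc.roles.length) errors.push("duplicate role name");
  if (perms.size !== doc.permissions.length) errors.push("duplicate permission name");
  for (const role of roles) {
    const row = own(doc.matrix, role) ? doc.matrix[role] : null;
    if (row === null || typeof row !== "object") { errors.push(`no row for role ${role}`); continue; }
    for (const p of perms) {
      if (!own(row, p) || typeof row[p] !== "boolean") errors.push(`${role}/${p} is not a boolean`);
    }
    for (const p of Object.keys(row)) {
      if (!perms.has(p)) errors.push(`${role} has undeclared permission ${p}`);
    }
  }
  for (const role of Object.keys(doc.matrix)) {
    if (!roles.has(role)) errors.push(`row for undeclared role ${role}`);
  }
  return errors;
}

// Build a deny-by-default check: unknown roles and unknown permissions get false.
// Map/Set lookups avoid inherited keys such as "constructor" matching by accident.
function buildChecker(doc) {
  const errors = validateMatrix(doc);
  if (errors.length > 0) throw new Error("invalid matrix: " + errors.join("; "));
  const grants = new Map(doc.roles.map((r) =>
    [r, new Set(doc.permissions.filter((p) => doc.matrix[r][p] === true))]));
  return (role, perm) => grants.has(role) && grants.get(role).has(perm);
}

// Permission strings used in code but missing from the documented matrix.
function undocumented(doc, usedInCode) {
  return usedInCode.filter((p) => !doc.permissions.includes(p));
}
```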
What does Rolemat not do?
Worth being clear about the edges. Rolemat is not a policy engine. It does not generate Cerbos YAML, OPA Rego, or Casbin config. It does not enforce access control at runtime. It does not do role inheritance or hierarchy; every matrix is flat, which is intentional. There is no login, no saved state between sessions, no shareable permalink. The tool runs entirely in the browser and forgets everything the moment you close the tab.
That narrowness is the whole point. The job is documenting a matrix, not architecting an authorization layer. Rolemat picks that job and does it.
Where to get it
Open appcrib.com/rolemat in any browser. It is free, ad-supported, and client-side. No data leaves your machine. Paste your roles, paste your permissions, export, commit. Then get back to the actual feature you were supposed to be building.