The free RBAC permission matrix generator that exports to Markdown
AWS IAM, Auth0 RBAC, and GitHub's repository roles all assume you already know what your permission matrix should look like; Rolemat is the scratchpad you fill in before you wire up any of them. It does one thing those platforms deliberately do not: render a blank roles-by-permissions grid, let you check boxes, and hand you the result as CSV, Markdown, or JSON. No project, no tenant, no SDK. That positioning is narrower than it sounds.
The RBAC documentation gap that tools keep skipping
Most RBAC tooling lives on one of two ends. The enforcement end is AWS IAM, Casbin, Cerbos, OPA, Auth0 RBAC, Keycloak, Oso. These evaluate can(user, action, resource) at runtime. The management end is admin dashboards inside SaaS products: GitHub repository roles, Notion workspace permissions, Linear's role picker.
What neither end gives you is the design artifact in between: the static matrix that lists every role against every permission, with a checkbox in each cell, before any of it is enforced. This is the document a security reviewer wants during a SOC 2 Type 2 walkthrough, the table a PM pastes into a PRD, and the JSON a backend engineer uses to seed a roles table.
People build it in Google Sheets. That works once. It does not survive renaming a role or adding a permission halfway down the list.
How the five main approaches actually work
Five approaches, each with its own tradeoff.
| Approach | Strength | What you give up |
|---|---|---|
| Spreadsheet (Sheets, Excel) | Universal, editable by non-engineers | No Markdown export, manual sync to code, no schema validation |
| Kloudbean RBAC Matrix Generator | Designed for compliance reviewers, pretty PDF output | Account required, server-side processing, no JSON export |
| TableConvert RBAC mode | Multi-format conversion from CSV input, supports HTML/LaTeX | You still have to author the matrix elsewhere first |
| Cerbos Hub policy editor | Versioned, syntactically validated, ties into runtime enforcement | YAML-first, no checkbox UI, overkill for a one-pager |
| Rolemat | Checkbox grid in the browser, no account, three export formats | Static export only, no enforcement engine, capped at 50 by 100 |
Every row in that table is a defensible choice. If your matrix drives a policy engine, pick Cerbos. If you need a reviewer-friendly PDF and tolerate an account, Kloudbean. If your matrix already lives in CSV and you just want it as HTML, TableConvert.
The design choice Rolemat makes and the trade-off you inherit
Rolemat picks one position on that table and commits to it: a stateless, client-side checkbox editor whose output is a snapshot, not a policy.
That choice has consequences. Closing the tab loses your work unless you exported. There's no schema, so posts:read and posts.read are different strings and Rolemat will not warn you. And the JSON export is a description of intent, not a runtime artifact. The shape is three top-level keys: a string array of roles, a string array of permissions, and a role-keyed matrix object whose values are permission-to-boolean maps. Seed-script friendly:
{
"roles": ["admin", "editor", "viewer"],
"permissions": ["posts:read", "posts:write", "posts:delete"],
"matrix": {
"admin": { "posts:read": true, "posts:write": true, "posts:delete": true },
"editor": { "posts:read": true, "posts:write": true, "posts:delete": false },
"viewer": { "posts:read": true, "posts:write": false, "posts:delete": false }
}
}What you get in return: paste 30 roles and 60 permissions and the grid renders in one frame, because the toggle reducer is a flat 2D boolean array of at most 5,000 cells, each memoized per coordinate. The three export formats cover the realistic downstream uses. Cells stay editable after generation without regenerating. And there's no account barrier, which matters more than people admit: a tool you open in 60 seconds gets used, one that asks for a Google sign-in gets abandoned. The export is deterministic too, so two reviewers diffing the same matrix get identical Markdown byte-for-byte.
In our build, the decision we kept revisiting was whether to add permission inheritance (so admin implicitly grants every permission editor has). We chose not to. Inheritance is exactly the feature that makes a matrix wrong in subtle ways: an inherited cell looks identical to an explicit cell, and reviewers must know the rule to read the grid. A flat matrix is uglier to author and easier to audit.
What Kloudbean, TableConvert, and Cerbos each do better
A few places where the alternatives win outright.
Kloudbean produces a better artifact for a compliance reviewer who wants a single PDF with header, footer, generated-on date, and company logo. Rolemat exports Markdown and JSON, which a reviewer has to paste into their own template. If your audit binder requires a polished PDF, Kloudbean saves you a step.
TableConvert is the right tool when your matrix already exists. We tested round-tripping a 12-role by 24-permission CSV through TableConvert into HTML and the output was clean. Rolemat does not import CSV. If you authored the matrix in a spreadsheet and just need it as HTML for a wiki, use TableConvert.
Cerbos is the only one of these that closes the loop. Its policy editor produces YAML that the Cerbos engine then enforces at request time. The matrix you author is the matrix that runs. Rolemat's JSON export is structurally compatible with hand-rolled authorization middleware, but you still have to write that middleware. If you want the artifact and the enforcement to be the same file, use Cerbos.
When to use something else
Use Rolemat when you are still deciding what your roles should be, you need to drop a matrix into a README, or a PM needs a table for a doc by end of day. Switch to a spreadsheet if non-engineers will edit together. Switch to Cerbos or Casbin once the matrix is settled and you need enforcement. The rows map directly to Casbin policy lines:
p, admin, posts, read
p, admin, posts, write
p, admin, posts, delete
p, editor, posts, read
p, editor, posts, write
p, viewer, posts, readThe honest scope is a 60-second design tool with three machine-readable formats. Anything bigger than that is outside what it tries to be.
Frequently Asked Questions
How do I generate an RBAC permission matrix?
Open Rolemat, type your role names (admin, editor, viewer) into the roles input, add your permissions (posts:read, users:manage) into the permissions input, click Generate Matrix, toggle the checkboxes to grant or revoke access, then export as CSV, Markdown, or JSON.
How do I create a role permission table in Markdown?
In Rolemat, enter your roles and permissions, generate the matrix, toggle the cells you need, then click the Markdown export button. A GFM-formatted table with checkmarks is copied to your clipboard, ready to paste into a README, PRD, or Notion doc.
What is the best free RBAC matrix generator?
Rolemat is a free, browser-based RBAC matrix generator that supports up to 50 roles and 100 permissions. It runs entirely client-side with no account required and exports to CSV, Markdown, and JSON. Unlike spreadsheet-based alternatives, it provides a purpose-built checkbox grid for permission mapping.
How do I export a permission matrix as CSV?
After generating your matrix in Rolemat, click the CSV button in the export bar. A .csv file downloads with permission names as the first column, role names as headers, and TRUE/FALSE values in each cell. Open it in Excel, Google Sheets, or any spreadsheet tool.
How do I export a role permission matrix as JSON?
After generating your matrix, click the JSON button in the export bar. A .json file downloads with three top-level keys: roles (array), permissions (array), and matrix (an object mapping each role name to a sub-object of permission-to-boolean pairs). Drop it directly into your authorization config or seed script.
How do I export a permission matrix to a GitHub README?
Use Rolemat to build your permission matrix visually, then click the Markdown export button. The tool copies a GitHub-Flavored Markdown table with checkmarks to your clipboard. Paste it directly into your README.md file and commit. The table renders correctly on GitHub, GitLab, and any other GFM-compatible viewer.
What is the difference between an RBAC matrix and an ACL?
An RBAC matrix maps permissions to roles, then assigns users to those roles. An ACL (Access Control List) maps permissions directly to individual users or resources. RBAC scales better for teams because you change a role once instead of editing every user. Rolemat is built for the RBAC pattern with roles as columns and permissions as rows.
How do I document access control for a SOC 2 or HIPAA audit?
Build your permission matrix in Rolemat, export it as Markdown, and paste it into your access control policy document or audit evidence folder. Auditors look for a current map of which roles can perform sensitive actions, and a Rolemat-generated table satisfies that for most evidence requests. For long-lived records, also export the JSON so the underlying data is preserved verbatim.
Can I generate a permission matrix without creating an account?
Yes. Rolemat runs entirely in your browser. There is no sign-up, no email capture, and nothing is uploaded to a server. Open the page, type your roles and permissions, generate the matrix, and export it. The session ends when you close the tab.
What is a permission matrix template?
A permission matrix template is a grid that maps roles (rows or columns) against permissions (the other axis), showing which roles have which access rights. Rolemat generates this template interactively. Enter your roles and permissions, toggle the checkboxes, and export the completed matrix in the format you need.
No accounts. No data collection.
Rolemat is free and ad-supported. There are no sign-ups and no email captures. We use PostHog for anonymous page-view analytics and that is it. Full details in the Privacy Policy.