I've seen accesscontrol recommended for node RBAC, and the documentation says that it is kind of a merge of both RBAC and ABAC.
What I'm seeing instead is that everything is still limited 100% to roles, the only "attribute"-type permissions are based on the attributes of the resource, not the user.
In a perfect world, I'd have user attributes like dateJoined or publishedCount or something like that, which accesscontrol would look at for whether the user has (usually edit) access to such and such resource.
Am I out of luck with accesscontrol? If I am, is there another package that would support what I'm trying to do? If not, I'll have to look into building it from scratch, I guess.
Have you looked into node-abac? Old but possibly ok. Otherwise, there's no reason you need to limit yourself to Node.js. You can take a XACML engine (e.g. AuthZForce) or Open Policy Agent (Rego) and connect your environment to that. You'll get full ABAC either way.
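The kind of user-attribute check the question asks about, sketched in plain Node.js as an added example that is not part of either post and does not use the API of accesscontrol, node-abac or any other package. The rule names, the `ownerId` field and the thresholds (10 publications, 90 days of membership) are assumptions chosen for illustration; the evaluator denies by default and fails closed when an attribute is missing or has the wrong type.

```javascript
// Added example: minimal ABAC decision function (no library API involved).
// Rule ids, ownerId and the thresholds below are illustrative assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Each rule is a predicate over subject (user), resource and environment.
// Any matching rule permits; nothing else does.
const policy = [
  {
    id: 'owner-can-edit',
    action: 'edit',
    when: ({ user, resource }) =>
      typeof user.id === 'string' && user.id === resource.ownerId,
  },
  {
    id: 'established-author-can-edit',
    action: 'edit',
    // Type checks first, so a missing or string-typed attribute never passes.
    when: ({ user, env }) =>
      Number.isInteger(user.publishedCount) && user.publishedCount >= 10 &&
      user.dateJoined instanceof Date &&
      !Number.isNaN(user.dateJoined.getTime()) &&
      env.now - user.dateJoined >= 90 * DAY_MS,
  },
];

// Deny by default: no matching rule, a missing attribute, or a condition
// that throws all produce { allowed: false }.
function authorize(action, user, resource, env = { now: new Date() }) {
  const ctx = { user: user || {}, resource: resource || {}, env };
  for (const rule of policy) {
    if (rule.action !== action) continue;
    try {
      if (rule.when(ctx) === true) return { allowed: true, rule: rule.id };
    } catch (_) {
      // Evaluation error: treat the rule as not matching (fail closed).
    }
  }
  return { allowed: false, rule: null };
}

// Constructed sample data.
const now = new Date('2024-06-01T00:00:00Z');
const veteran = { id: 'u1', dateJoined: new Date('2023-01-01T00:00:00Z'), publishedCount: 25 };
const newcomer = { id: 'u2', dateJoined: new Date('2024-05-20T00:00:00Z'), publishedCount: 25 };
const article = { id: 'a1', ownerId: 'u2' };

console.log(authorize('edit', veteran, article, { now }));
console.log(authorize('edit', newcomer, article, { now }));
console.log(authorize('edit', { id: 'u3' }, article, { now }));
```

Returning the id of the matching rule alongside the decision gives an audit log something concrete to record for each grant.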