https://github.com/djvirgen/virgen-acl Simple and elegant, create your own checks. No middleware?
https://github.com/OptimalBits/node_acl Use as middleware, create your own roles and access. Great choice.
https://github.com/tschaub/authorized Similar to connect roles... but a bit more robust? you can create roles and action, and associate many roles with that action
https://github.com/scottkf/ability-js Like canCan for rails. This is a traditional controller / function type permission system. May be too abstract.
https://github.com/dresende/node-roles More traditional setRole() hasRole() based checking. Last activity 2 years ago.
https://github.com/carlos8f/node-relations Natural language style roles. Looks very promising and is in active development
https://github.com/ForbesLindesay/connect-roles Simple and closer to action / natural language based. Requires writing your own checks for each.
https://github.com/ajlopez/SimplePermissions Maybe too simple? Makes sense for assigning roles but then its hard to check against roles!
https://npmjs.org/package/entitlement Not ideal but here for reference sake.
https://github.com/codedoctor/mongoose-plugins-accessible-by Set access per field of mongoose Schema. Not supported or maintained, and noted as not a perfect fit in all cases... but worth considering as a simple way to control access to fields.
Shameless plug! : https://github.com/AGhost-7/o-is/tree/master/packages/access-mate
Above is an attribute-based access control library. It is designed to be as flexible as possible by using conditions instead of roles. One can implement RBAC or whatever they want using conditions. Module also supports field-level access control that isn't supported by most of the modules listed here.