cancannible is a gem that has been kicking around in a few large-scale production deployments for years. It still gets loving attention - most recently an official update for Rails 4 (thanks to the push from @zwippie).
And now also some demo sites - one for Rails 3.2.x and another for Rails 4.3.x so that anyone can see it in action.
So what exactly does cancannible do? In a nutshell, it is a gem that extends CanCan with a range of capabilities:
- permissions inheritance (so that, for example, a User can inherit permissions from Roles and/or Groups)
- general-purpose access refinements (to automatically enforce multi-tenant or other security restrictions)
- automatically stores and loads permissions from a database
- optional caching of abilities (so that they don't need to be recalculated on each web request)
- export CanCan methods to the model layer (so that permissions can be applied in model methods, and easily set in a test case)