# ACL Permissions

## **Overview**

Access Control List (ACL) permissions provide organizations with a more granular way to manage access to objects in Finout. This flexibility ensures that sensitive objects are accessible only to the intended users.

<figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2F6jUrvrdA1jmfDxI8q086%2Fimage.png?alt=media&#x26;token=d4f149d9-e2a1-4ba9-adb5-5756243475e3" alt=""><figcaption></figcaption></figure>

## **How ACL Permissions Work**

ACL **read** and **write** permissions operate at the **account level** and at the **object level**:

#### **Account Level**

* For **new accounts**, the default ACL is set to **private** for both **read and write**. This means that newly created ACL-supported objects are private by default, unless explicitly changed by an administrator or the creator.
* Admins can change the default ACL permissions for the account. This determines the **default permissions** applied to all [newly created objects that support ACL](#finout-features-with-acl-permissions) across Finout.

#### **Object Level**

* All newly created objects inherit their ACL permissions from the **account-level default settings**.
* Users with [access to an object](https://docs.finout.io/settings/role-based-access-control-rbac) can **override the account-level defaults** by setting specific ACL permissions for that object. <br>

  > **For Example**: If your account-level ACL is **private**, you can override it when creating a dashboard by setting the ACL on the dashboard to **public**, allowing **all account users** to view it.

#### Permission Types

You can set **read** and **write** permissions as either **Public**, **Private**, or **Shared**.

{% hint style="info" %}
**Note**: Write permissions must be as restrictive or more restrictive than read permissions.
{% endhint %}

| ACL Types   | Description                                                                                                                                                                                                                                                       |
| ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Public**  | Grants access to anyone in the organization that has Role-Based Access Control (RBAC).                                                                                                                                                                            |
| **Private** | <p>Grants access only to admins and the user who created the object.</p><div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Admins and creators always retain access.</p></div>                          |
| **Shared**  | <p>Grants access only to specific users or groups that have Role-Based Access Control (RBAC).</p><div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Admins and creators always retain access.</p></div> |
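
The rules in this section can be written down as a small model, added here as an illustration; it is not Finout code or a Finout API. The `User`, `Rule`, `Acl`, `Obj` and `Account` names, the single `has_rbac` flag, and the reading of "as restrictive or more restrictive" as "everyone who can write can also read" are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str] = frozenset()
    is_admin: bool = False
    has_rbac: bool = True                    # assumption: RBAC access reduced to one flag

@dataclass(frozen=True)
class Rule:
    kind: str                                # "public" | "private" | "shared"
    users: FrozenSet[str] = frozenset()      # grantees, used only when kind == "shared"
    groups: FrozenSet[str] = frozenset()

def write_within_read(read: Rule, write: Rule) -> bool:
    """Assumed reading of the note: everyone who can write can also read."""
    if write.kind == "private" or read.kind == "public":
        return True
    if write.kind == "shared" and read.kind == "shared":
        return write.users <= read.users and write.groups <= read.groups
    return False                             # write is wider than read

@dataclass(frozen=True)
class Acl:
    read: Rule
    write: Rule
    def __post_init__(self):
        if not write_within_read(self.read, self.write):
            raise ValueError("write must be as restrictive or more restrictive than read")

@dataclass
class Obj:
    creator: str
    acl: Acl

def allowed(user: User, obj: Obj, action: str) -> bool:
    if user.is_admin or user.name == obj.creator:
        return True                          # admins and creators always retain access
    rule = obj.acl.read if action == "read" else obj.acl.write
    if not user.has_rbac or rule.kind == "private":
        return False
    return rule.kind == "public" or user.name in rule.users or bool(user.groups & rule.groups)

@dataclass
class Account:
    default: Acl                             # account-level default ACL
    def create(self, creator: str, acl: Optional[Acl] = None) -> Obj:
        # New objects take the account default unless an object-level ACL is given.
        return Obj(creator, acl if acl is not None else self.default)
```

Because `Acl` is immutable and is attached when `create` runs, replacing `Account.default` later leaves objects that already exist with the permissions they were created with.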

## **Using ACL Permissions**

**Use Case - Change Default Account Permissions:** You want to keep the default read permissions public and limit the default write permissions to the group "App Team" and three users who are not in "App Team".

1. In Finout, navigate to **Settings**.\
   The **Account Settings** tab appears.<br>

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FutvBiF7OxpHLnUDzvz1K%2Fimage.png?alt=media&#x26;token=9290283e-f425-409c-8e13-548d60d3804b" alt=""><figcaption></figcaption></figure>
2. Under **Permissions settings**, configure the new default ACL permissions:
   1. Keep the **Read** permissions **Public**.
   2. Change the **Write** permission to **Shared**.

      <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Write permissions must be as restrictive or more restrictive than read permissions.</p></div>
   3. Add the **Users and Groups** that you want to have write permissions.<br>

      <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2Foj6UFwpUACehWTfucgY2%2Fimage.png?alt=media&#x26;token=468370ef-fb71-4685-ac06-6efaa8e75703" alt=""><figcaption></figcaption></figure>
3. Click **Save**.\
   The permissions are updated and will apply to all newly created objects that support ACL.<br>

   > **For Example**: Any financial plan created in the account will get these read and write permissions by default.

## **Finout Features with ACL Permissions**

* [Financial Plans](https://docs.finout.io/user-guide/inform/financial-plans#h_55e4e09a6a)
* [Tag Governance](https://docs.finout.io/user-guide/operate/tag-governance)
* [MegaBill](https://docs.finout.io/user-guide/inform/megabill#h_4882efef52)
* [Dashboards](https://docs.finout.io/user-guide/inform/finops-dashboards/custom-dashboards#dashboard-settings)
* [Virtual Tags](https://docs.finout.io/user-guide/inform/virtual-tags/custom-virtual-tags#h_b41fb8c87c-1)
* [Event Annotation](https://docs.finout.io/user-guide/inform/megabill#event-annotation)

## FAQs

* **What are the default ACL permission settings?**\
  The default settings on the account level are public. Objects inherit their ACL permissions from the account-level default settings.
* **Can I apply write permission without applying read permissions?**\
  No, write permissions must be as restrictive or more restrictive than read permissions.
* **Do account-level default permissions apply to all objects in the platform?**\
  No. Default permissions apply **only to newly created objects** that support ACL. Existing objects remain unchanged when you update the default permissions.
