# ACL Permissions

## **Overview** 

Access Control List (ACL) permissions provide organizations with a more granular way to manage access to objects in Finout. This flexibility ensures that sensitive objects are accessible only to the intended users.

<figure><img src="/files/JmEMsSVzN5IIYsZDo1Bf" alt=""><figcaption></figcaption></figure>

## **How ACL Permissions Work**

ACL **read** and **write** permissions operate at the **account level** and at the **object level**:

#### **Account Level**&#x20;

* For **new accounts**, the default ACL is set to **private** for both **read and write**. This means that newly created ACL-supported objects are private by default, unless explicitly changed by an administrator or the creator.
* Admins can change the default ACL permissions for the account. This determines the **default permissions** applied to all [newly created objects that support ACL ](#finout-features-with-acl-permissions)across Finout.

#### **Object Level**

* All newly created objects inherit their ACL permissions from the **account-level default settings**.
* Users with [access to an object](/settings/role-based-access-control-rbac.md) can **override the account-level defaults** by setting specific ACL permissions for that object. <br>

  > **For Example**: If your account-level ACL is **private**, you can override it when creating a dashboard by setting the ACL on the dashboard to **public**, allowing **all account users** to view it.

#### Permission Types

You can set **read** and **write** permissions as either **Public**, **Private**, or **Shared.**

{% hint style="info" %}
**Note**: Write permissions must be as restrictive or more restrictive than read permissions.
{% endhint %}

| ACL Types   | Description                                                                                                                                                                                                                                                       |
| ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Public**  | Grants access to anyone in the organization that has Role-Based Access Control (RBAC).                                                                                                                                                                            |
| **Private** | <p>Grants access only to admins and the user who created the object.</p><div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Admins and creators always retain access.</p></div>                          |
| **Shared**  | <p>Grants access only to specific users or groups that have Role-Based Access Control (RBAC).</p><div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Admins and creators always retain access.</p></div> |

## **Using ACL Permissions**

**Use Case - Change Default Account Permissions:** You want to keep the default read permissions as public and change the default write permissions for the group "App Team" and for three users not in the "App Team".<br>

1. In Finout, navigate to **Settings**.\
   The **Account Settings** tab appears.<br>

   <figure><img src="/files/wG9xPwE48WAUgjhdZXRz" alt=""><figcaption></figcaption></figure>
2. Under **Permissions settings,** configure the new default ACL permissions:
   1. Keep the **Read** permissions **Public**.
   2. Change the **Write** permission to **Shared.**

      <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Write permissions must be as restrictive or more restrictive than read permissions.</p></div>
   3. Add the **Users and Groups** that you want to have write permissions.<br>

      <figure><img src="/files/rl2ZQKtPjLsW1sfWIwQT" alt=""><figcaption></figcaption></figure>
3. Click **Save**.\
   The permissions are updated and will apply to all newly created objects that support ACL.<br>

   > **For Example**: Any finanicial plan created in the account will get these read and write permissions by default.&#x20;

## **Finout Features with ACL Permissions**

* [Financial Plans](/user-guide/inform/financial-plans.md#h_55e4e09a6a)
* [Tag Governance](/user-guide/operate/tag-governance.md)
* [MegaBill](/user-guide/inform/megabill.md#h_4882efef52)&#x20;
* [Dashboards](/user-guide/inform/finops-dashboards/custom-dashboards.md#dashboard-settings)
* [Virtual Tags](/user-guide/inform/virtual-tags/custom-virtual-tags.md#h_b41fb8c87c-1)
* [Event Annotation](/user-guide/inform/megabill.md#event-annotation)

## FAQs

* **What are the default ACL permission settings?**\
  The default settings on the account level are public. Objects inherit their ACL permissions from the account-level default settings.
* **Can I apply write permission without applying read permissions?**\
  No, write permissions must be as restrictive or more restrictive than read permissions.
* **Do account-level default permissions apply to all objects in the platform?**\
  No. Default permissions apply **only to newly created objects** that support ACL. Existing objects remain unchanged when you update the default permissions.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.finout.io/cross-platform-features/list-of-cross-platform-features/acl-permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.