Channel ACL
ACL stands for Access Control List. Each channel has its own list of rules that grant or deny specific permissions to specific users or groups. Channel ACLs layer on top of roles.
ACLs are powerful, but easy to over-engineer. Most servers do fine with mostly-roles plus a handful of per-channel ACL tweaks.
Screenshot placeholder: channel ACL tab with three rules and the inheritance indicator.
Opening the ACL editor
Section titled “Opening the ACL editor”- Right-click a channel, Edit.
- Switch to the ACL tab.
You see a list of rules, each with:
- Subject: a group (
@everyone,@Member,@auth, custom) or a specific user. - Permission: what is being controlled.
- Allow / Deny.
- Apply to: this channel only, or this channel and all sub-channels.
How rules combine
Section titled “How rules combine”For a given user trying to do something in a channel:
- The server walks up the channel tree from this channel to the root, collecting inherited rules along the way.
- Plus the rules on this channel.
- It applies them in order.
- The last matching Allow or Deny wins.
In practice:
- Put specific rules (a user, or a small group) lower in the list so they override the broader ones.
- Put broad rules (
@everyone) higher.
Built-in groups
Section titled “Built-in groups”| Group | Members |
|---|---|
@everyone | All connected users, including anonymous. |
@auth | Anyone registered on the server. |
@in | Anyone in this channel. |
@sub | Anyone in this channel or any sub-channel. |
@out | Anyone not in this channel. |
@all | Same as @everyone. |
You can also reference any role (see Roles & permissions) and any custom group (see Groups).
Common recipes
Section titled “Common recipes”- Deny
Enterto@everyone. - Allow
Enterto@Moderator. - Allow
SpeakandWriteto@Moderator. - Apply to “this channel only”.
- Allow
Enterto@everyone. - Deny
SpeakandWriteto@everyone. - Allow
Writeto@Moderatorand@Member(only if they should also post). - Apply to “this channel only”.
- Allow
EnterandSpeakto@everyone. - Deny
Writeto@everyone. - Apply to “this channel only”.
- Leave the ACL empty.
- The channel inherits all rules from its parent.
Inheritance
Section titled “Inheritance”Rules with Apply to: this channel and all sub-channels propagate down the tree. A rule with this channel only does not.
The ACL tab shows a small indicator next to each rule:
- Solid border: this rule is set on this channel.
- Dashed border: this rule is inherited from a parent.
Click a dashed rule to either edit it on the parent or override it on this channel.
Audit and debug
Section titled “Audit and debug”Right-click a user, Test permissions. A panel shows every permission that user has on the current channel, with the source rule for each. Use this to debug confusing setups.
Performance
Section titled “Performance”ACL evaluation is fast (milliseconds), even for deep trees. The practical limit is human readability, not server load. If your ACL tab is more than a screen of rules, simplify with roles.
Pitfalls
Section titled “Pitfalls”- A user has more permissions than expected: a higher-up channel
has an
Allow ... to sub-channelsrule. Trace upward. - A user has fewer permissions than expected: a Deny rule somewhere. Use Test permissions to find it.
- Cannot enter the channel I just created: you forgot to add an
Allow rule for yourself. Either fix it with SuperUser or add an
Allow Enterfor@Moderator.
Next step
Section titled “Next step”Continue with Groups for the per-channel-tree groupings that are not full roles.