# Access Control List

An Access Control List (ACL) is a list of permissions associated with a system resource. In the case of Appmixer, these resources are *components* and *routes*.

* **Components** – this resource allows you to control access to certain components
* **Routes** – this resource helps you define ACLs to restrict access to the Flows API

By default, all users have access to all components and routes.

![ACL overview](/files/-MhmH4QhAfmOk_1uqftz)

### Components

Using the Appmixer ACL feature, you can control access to certain components. All of this can be configured from the Backoffice or through the API.

To demonstrate how this resource works, let's say we delete "user" in the components resource.

![Deleting "user" in ACL (components)](/files/-MhmI2gSE0z-3e8LgqTi)

If an ordinary user opens Appmixer, he or she will see no components in the drag\&drop designer.

![No components in the drag\&drop designer](/files/-MhmINW8m2_G_5VosC6W)

Let's now add all components from the *appmixer* vendor back with the following rule.

![Updating ACL (components)](/files/-MhmIdfZChlii9eAumaz)

When the user refreshes Appmixer now, he or she will see all the Appmixer components back.

![Appmixer components available in the designer](/files/-MhmIsNNx2zS_6KMvOoC)

Let's break down those four properties you can set for each ACL rule.

{% tabs %}
{% tab title="Properties" %}
**Role** – admin | user. These are the default roles/scopes in the system. You can also use an email address or a domain, which means you can define ACLs for a single user (email address) or for all users from a certain email domain. Let's say your company is called *acme* and your employees all have an email address *<their-name@acme.com>*. Then the domain for the ACL rule would be *acme.com*.

**Resource** – component type prefix (*appmixer.google.gmail\** for example). This allows you to create rules for components belonging to a certain vendor, service or module. In the example above we created a rule for all *appmixer* components. The resource string was *appmixer\**, which covers all *appmixer* components.

**Action** – the action the rule is for. In the case of components the only action is *use*. You can keep it set to \*. There are more actions when it comes to rules for API routes.

**Attributes** – private or non-private. If set to *non-private*, the rule applies to components that do not have `private: true` set in component.json. If set to *private*, it allows users to see private components as well.
{% endtab %}
{% endtabs %}
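
The four properties above can be modelled as a small matcher. This is an added illustration, not Appmixer's own code: the user and component object shapes, the sample rules and the `acme.crm` component type are assumptions, and the evaluation is a simplification of what the text describes.

```javascript
// Illustrative model only, NOT Appmixer's implementation. Rule fields follow
// the four properties above; user/component object shapes are assumptions.

// True when the rule's role names the user's scope, exact email, or email domain.
// The domain is compared with the leading "@" so "acme.com" does not match
// an address at "notacme.com".
function roleMatches(ruleRole, user) {
    const role = ruleRole.toLowerCase();
    const email = user.email.toLowerCase();
    return user.scopes.includes(role) || email === role || email.endsWith('@' + role);
}

// "appmixer*" style prefix match; a pattern without "*" must match exactly.
function resourceMatches(pattern, componentType) {
    return pattern.endsWith('*')
        ? componentType.startsWith(pattern.slice(0, -1))
        : componentType === pattern;
}

// A "non-private" rule covers only components without private: true;
// a "private" rule covers private components as well.
function attributesAllow(attributes, component) {
    return attributes === 'private' || component.private !== true;
}

// No matching rule means the component is not available to the user,
// which is what happens after the general "user" rule is deleted.
function canUse(rules, user, component) {
    return rules.some(rule =>
        roleMatches(rule.role, user) &&
        resourceMatches(rule.resource, component.type) &&
        (rule.action === '*' || rule.action === 'use') &&
        attributesAllow(rule.attributes, component));
}

// Constructed sample data (hypothetical users and component types).
const rules = [
    { role: 'user', resource: 'appmixer*', action: '*', attributes: 'non-private' },
    { role: 'acme.com', resource: 'acme.crm*', action: 'use', attributes: 'private' }
];
const alice = { email: 'alice@acme.com', scopes: ['user'] };
const bob = { email: 'bob@example.org', scopes: ['user'] };
const gmail = { type: 'appmixer.google.gmail.SendEmail', private: false };
const crm = { type: 'acme.crm.contacts.Create', private: true };

console.log(canUse(rules, alice, crm), canUse(rules, bob, crm));
```

Removing the first rule from `rules` reproduces the empty designer shown earlier for users who match no other rule.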

### Routes

You can define ACLs to restrict access to the Flows API. The default setting is similar to the one for Components: all roles can access all actions on the *flows* resource.

![ACL (routes) by default](/files/-MhmKj9iiXwXn5ArwJf6)

If you want to limit users with a certain role, you first need to delete the general rule. We will show this on the *user* role.

![Deleting "user" in the ACL (routes)](/files/-MhmKlfFh4AjqFnHj5S4)

With this setting, any request to any */flows* endpoint will result in a 403 response code. The following example shows how to limit access to the */flows* API for the *user* scope to read-only operations.

![Read only access to /flows endpoint](/files/-MhmKoCgH4J5Jfk7ZaE2)

{% hint style="info" %}
Refer to our technical documentation to learn more about the ACL feature: <https://docs.appmixer.com/appmixer/tutorials/setting-acl>
{% endhint %}

[Finally, let's have a look at "Services" that helps you register and manage your third-party apps like Slack, Salesforce, Pipedrive and others](/kb/backoffice-features/services.md).


