# ACLs - Access Controls

Easily manage network access with the new Netmaker ACLs

{% embed url="https://www.youtube.com/watch?v=nEQfMd3-o1w" %}

With the latest **ACL feature** in Netmaker, managing network access has never been easier. This powerful addition allows network administrators to control communication between devices by defining policies that restrict or allow access.

## What is an ACL?

An **Access Control List (ACL)** is a set of rules that specify which users or devices are allowed or denied communication within a network. ACLs are used by network administrators to control traffic flow, ensuring that only authorized entities can access or interact with certain network resources, enhancing overall network security.

There are two main types of ACL policies: **User Policies** and **Resource Policies**.

### User Policies

This type of policy controls **which users** can access or interact with specific network devices (e.g., servers, databases, gateways). It ensures that only authorized users have permission to access sensitive devices or services.

![](https://1465744049-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqMcN3gvfPLhO0hh4agC%2Fuploads%2FpTcVF7gbqSzfxrnbzzKd%2Fac1.png?alt=media\&token=0484e42a-24c9-46fa-b020-4650b0d388c1)

Example: Grant access to a **DevOps team** for database servers while restricting other teams' access to the same resources. This ensures only authorized users can access sensitive resources, improving network security.

### Resource Policies

This policy controls **which devices** (like servers, web applications, databases, or gateways) can communicate with each other. It restricts or permits communication between devices based on the network's security needs.

![](https://1465744049-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqMcN3gvfPLhO0hh4agC%2Fuploads%2F2JwhhQA5xbGE9ZF3IdQM%2Fac2.png?alt=media\&token=70130c3c-9d8b-4b04-90bf-0bf55a4e23e8)

Example: A web server might be allowed to communicate with a database server but blocked from connecting to other devices, such as file storage servers or printers. This limits unnecessary or unauthorized traffic between devices, enhancing network security and performance.

## Default Policies

The **Default Policies** are automatically generated whenever a new network is created, enabling unrestricted two-way communication between users and resources, as well as between resources themselves. These policies ensure full connectivity during the initial setup.

<figure><img src="https://1465744049-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqMcN3gvfPLhO0hh4agC%2Fuploads%2FmWxad2kqTCChuGRbrBPH%2Fac3.png?alt=media&#x26;token=d299912f-9b1a-46aa-91ed-53084012a9ef" alt=""><figcaption></figcaption></figure>

1. **All Nodes**: Enables all resources (e.g., servers, gateways) to communicate freely with one another in both directions.
2. **All Remote Access Gateways**: Allows remote access gateways (`remote-access-gws`) to communicate with all resources **and vice versa**.
3. **All Users**: Grants all users full access to all resources, ensuring open two-way communication.
4. **Network Admin**: Grants users in the `netmaker Admin Group` and the `All Networks Admin Group` full two-way communication with the remote access gateways (`remote-access-gws`) and associated resources.
5. **Network User**: Grants users in the `netmaker User Group` and the `All Networks User Group` unrestricted access to remote access gateways (`remote-access-gws`) and associated resources in both directions.

### How to Add ACLs in Netmaker <a href="#how-to-add-acls-in-netmaker" id="how-to-add-acls-in-netmaker"></a>

Once you're in the ACL tab, you'll see a list of all the ACLs for the entire network. From here, you can enable or disable any ACL. And if you want to add a new policy, just click on **Add Policy**.

<figure><img src="https://1465744049-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqMcN3gvfPLhO0hh4agC%2Fuploads%2FKtncVCK0G21j4yYzrCXj%2Fac5.png?alt=media&#x26;token=23ef1d8a-5e41-44ce-ba92-c06dad8de48b" alt=""><figcaption></figcaption></figure>

Here, you can define a custom rule by specifying:

* **Policy For**: Choose whether the policy applies to resources (controlling device access) or users (managing user permissions).
* **Rule Name**: Give the rule a clear, descriptive name, such as "api-gateway-access" or "devops-team".
* **Source and Destination**: Select the source and destination entities to control which nodes can communicate. [Tags](https://docs.netmaker.io/docs/features/tag-management-pro) are available to help group nodes and apply rules more efficiently.
* **Enable Policy**: Toggle this switch to activate or deactivate the policy.

Once configured, click **Save Policy** to apply the policy.

To enable communication between peers in the **same group**, add the **group** to both the **Source** and **Destination** fields.
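The following is an added illustration of how a policy built from the fields above (Policy For, Rule Name, Source, Destination, Enable Policy) can be evaluated. It is a constructed model, not Netmaker's own code or API; it assumes a policy matches traffic from a tag in its Source field to a tag in its Destination field, that a disabled policy never matches, and that nothing matching means deny once the default policies are switched off.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One ACL policy with the fields the Add Policy form exposes (constructed model)."""
    policy_for: str           # "users" or "resources" (the Policy For choice)
    name: str                 # the Rule Name
    sources: frozenset        # tags or groups placed in the Source field
    destinations: frozenset   # tags or groups placed in the Destination field
    enabled: bool = True      # the Enable Policy toggle


def allowed(policies, src_kind, src_tags, dst_tags):
    """Decide whether traffic from src to dst is permitted.

    src_kind is "user" (checked against user policies) or "node" (checked
    against resource policies).  A policy matches when it is enabled, is of
    the right kind, and one of the source's tags is in its Source field while
    one of the destination's tags is in its Destination field.  No match means
    deny (assumed default-deny with the default policies disabled).
    Returns (decision, name of the matching policy or None).
    """
    kind = "users" if src_kind == "user" else "resources"
    for p in policies:
        if not p.enabled or p.policy_for != kind:
            continue
        if p.sources & src_tags and p.destinations & dst_tags:
            return True, p.name
    return False, None


# Constructed policy set: the "All Nodes" default switched off, then three custom rules.
POLICIES = (
    Policy("resources", "all-nodes", frozenset({"all-nodes"}), frozenset({"all-nodes"}), enabled=False),
    Policy("resources", "web-to-db", frozenset({"web"}), frozenset({"db"})),
    # The same group in both fields, so members of that group can reach each other.
    Policy("resources", "devops-peers", frozenset({"devops"}), frozenset({"devops"})),
    Policy("users", "devops-team", frozenset({"devops-team"}), frozenset({"db"})),
)

if __name__ == "__main__":
    print(allowed(POLICIES, "node", {"web", "all-nodes"}, {"db", "all-nodes"}))       # (True, 'web-to-db')
    print(allowed(POLICIES, "node", {"web", "all-nodes"}, {"storage", "all-nodes"}))  # (False, None)
    print(allowed(POLICIES, "user", {"qa-team"}, {"db"}))                             # (False, None)
```

With the "All Nodes" default left enabled, every node-to-node check succeeds regardless of the custom rules, which is why disabling the defaults is the first step toward a restrictive policy set.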

### How to Update ACLs in Netmaker <a href="#how-to-update-acls-in-netmaker" id="how-to-update-acls-in-netmaker"></a>

Identify the ACL policy you want to update, click on the three dots, and choose the "Edit" option.

<figure><img src="https://1465744049-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqMcN3gvfPLhO0hh4agC%2Fuploads%2FO1muHUFhG7wt1Dfeyvsy%2Fac6.png?alt=media&#x26;token=245ed01c-4d7f-4e00-af7b-530afafbd1e6" alt=""><figcaption></figcaption></figure>

After selecting "Edit," make the necessary adjustments to the ACL policy settings based on your requirements.

<figure><img src="https://1465744049-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqMcN3gvfPLhO0hh4agC%2Fuploads%2F8BQpQMufdkudiPdLOuWJ%2Fac7.png?alt=media&#x26;token=bc4fbcef-a864-444d-9e6e-954b6752d9ed" alt=""><figcaption></figcaption></figure>

### How to Remove ACLs in Netmaker <a href="#how-to-remove-acls-in-netmaker" id="how-to-remove-acls-in-netmaker"></a>

Identify the ACL policy you want to remove, hover over the three dots, and select the "Remove" option.

<figure><img src="https://1465744049-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqMcN3gvfPLhO0hh4agC%2Fuploads%2F2hNYTj2kHKVKsDK78Al2%2Fac8.png?alt=media&#x26;token=3eb00580-936e-44cc-b470-d40e847e42f4" alt=""><figcaption></figcaption></figure>

