Access Control List

Access Control List is a list of permissions associated with a system resource. In the case of Appmixer, these resources are components and routes.

  • Components – this resource allows you to control access to certain components

  • Routes – this resource helps you define ACLs to restrict access to Flows API

By default, all users have access to all components and routes.


Using Appmixer ACL feature you can control access to certain components. All of that can be configured from Backoffice or through the API.

To demonstrate how this resource works, let's say we delete "user" in the components resource.

If an ordinary user opens Appmixer, he or she will see no components in the drag&drop designer.

Let's now add all components from "appmixer" vendor back with the following rule.

When the user refreshes Appmixer now, he or she will see all the Appmixer components back.

Let's break down those four properties you can set for each ACL rule.

Role – admin | user - those are the default roles/scopes in the system. You can also use an email address or a domain. It means you can define ACL(s) for a single users (email address) or for all users from certain email domain. Let's say your company is called acme and your employees all have an email address Then the domain for ACL rule would be

Resource – component type prefix (* for example). This allows to create rules for components belonging to certain vendor, service or module. In the example above we created a rule for all appmixer components. The resource string was appmixer* which will cover all appmixer components.

Action – action the rule is for. In case of components the only action is use. You can keep it to *. There are more actions when it comes to rules for API routes.

Attributes – private or non-private. If set to non-private the rule will apply to component that do not have private: true set in component.json. If set to private it will allow users to see private components as well.


You can define ACLs to restrict access to Flows API. The default setting is similar to the one for Components. All roles can access all actions on flows resource.

If you want to limit users from certain role, first you need to delete the general rule. We will show it on user role.

With this setting, any request to any /flows endpoint will result in 403 response code. The following example will show you how to limit access to /flows API for user scope to read only operations.

Refer to our technical documentation to learn more about the ACL feature:

Finally, let's have a look at "Services" that helps you register and manage your third-party apps like Slack, Salesforce, Pipedrive and others.

Last updated