You can define custom Redis ACL rules to assign to a data access role or use predefined Redis ACLs.
Redis provides three predefined ACL rules, which are marked with the Redis logo and cannot be changed. ACLs that are not marked with the Redis logo are user-defined ACL rules.
To configure a Redis ACL that you can assign to a data access role:

1. Go to Data Access Control from the Redis Cloud console menu.

    {{<image filename="images/rc/data-access-control-menu.png" width="200px" alt="Menu for database access control." >}}

2. Select the Redis ACLs tab.

    {{<image filename="images/rc/data-access-control-redis-acls.png" alt="Redis ACLs area." >}}

3. Either select + to create a new Redis ACL or point to an existing ACL and select the pencil icon to edit it.

    {{<image filename="images/rc/data-access-control-redis-acls-add-or-update.png" width="400px" alt="Add or Update Redis ACL." >}}

    {{< note >}}The built-in Redis ACLs can't be edited.{{< /note >}}

4. Provide a descriptive name and create the ACL rule using ACL syntax.

    {{<image filename="images/rc/data-access-control-redis-acls-add.png" alt="Add Redis ACL." >}}

5. Select the check mark to save your changes. Your new Redis ACL should appear in the list.

    {{<image filename="images/rc/data-access-control-redis-acls-saved.png" alt="Saved Redis ACL." >}}
After you create a Redis ACL, you can assign it to a role. Redis ACLs are not fully verified until they are assigned to a role. For more information, see [Create roles]({{< relref "/operate/rc/security/access-control/data-access-control/create-roles" >}}) or [Active-Active access roles]({{< relref "/operate/rc/security/access-control/data-access-control/active-active-roles" >}}) for an [Active-Active database]({{< relref "/operate/rc/databases/active-active" >}}).
You can define these permissions using the [Redis ACL syntax]({{< relref "/operate/oss_and_stack/management/security/acl" >}}#acl-rules). This syntax lets you concisely specify which commands, command categories, keys, and pub/sub channels to allow.
- `+` includes commands or command categories
- `-` excludes commands or command categories
- `@` indicates a command category
- `~` defines a permitted key pattern
- `&` allows access to a [pub/sub channel]({{< relref "/develop/pubsub" >}})

The Redis Cloud console will validate your ACL syntax while you are typing.
A command can be any [Redis command]({{< relref "/commands" >}}).
For example, this Redis ACL rule indicates that the SET command is permitted:

```
+set
```
A [command category]({{< relref "/operate/oss_and_stack/management/security/acl" >}}#command-categories) is a predefined, named set of commands. For example, the Redis commands that read data are available in the read command category. This Redis ACL rule permits access to all read commands:

```
+@read
```

To find out which commands are included in the read command category, run the following command with [redis-cli]({{< relref "/operate/rs/references/cli-utilities/redis-cli" >}}):

```
ACL CAT read
```
To specify which keys are accessible, use the [key permissions syntax]({{< relref "/operate/oss_and_stack/management/security/acl" >}}#key-permissions).

The following ACL rule allows access to all keys:

```
~*
```

By contrast, this ACL rule only allows access to keys prefixed with `cache:`:

```
~cache:*
```

Starting with Redis 7.0, key patterns can also restrict whether a command may read or write the keys that match them.

The following ACL rule allows you to copy information from keys prefixed with `cache:` into keys prefixed with `app:`, because the `cache:` keys are readable and the `app:` keys are both readable and writable:

```
+@all ~app:* %R~cache:*
```
For more information on how this works, see the [key permissions syntax]({{< relref "/operate/oss_and_stack/management/security/acl" >}}#key-permissions).
Pub/sub ACL rules determine which pub/sub channels a user can access. For more information, see [Redis pub/sub]({{< relref "/develop/pubsub" >}}).
For versions older than Redis 7.0, pub/sub is permissive and allows access to all channels by default.
Redis 7.0 makes pub/sub restrictive and blocks access to all channels in Redis Software. However, Redis Cloud still defaults to permissive pub/sub even for Redis 7.0 subscriptions.
| Redis version | Redis Open Source pub/sub ACLs | Redis Cloud pub/sub ACLs |
|:-------------:|-----------|-------------|
| 6.0 | Not supported | Not supported |
| 6.2 | Permissive | Permissive |
| 7.0 | Restrictive | Permissive |
To block access to all channels, use the following ACL rule:

```
resetchannels
```

If you want to limit access to specific channels, first include `resetchannels`. Then use the `&` syntax to allow access to particular channels:

```
resetchannels &channel1 &channel2
```

To make pub/sub explicitly permissive and allow users to access all channels, set the following rule:

```
allchannels
```
Starting with Redis 7.0, Redis supports adding multiple sets of rules that are evaluated independently of each other, called [selectors]({{< relref "/operate/oss_and_stack/management/security/acl" >}}#selectors).
The following ACL rule allows a user to execute GET on keys prefixed with `cache:` and SET on keys prefixed with `app:`, with the parenthesised selector evaluated independently of the root rules:

```
+GET ~cache:* (+SET ~app:*)
```
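As an added example that is not part of the Redis documentation or of Redis Cloud itself, the following Python script parses the rule strings shown in the command, key, pub/sub and selector sections above (`+`/`-` command and category tokens, `~` and `%R~` key patterns, `resetchannels`, `allchannels` and `&` channel rules, and parenthesised selectors) and evaluates whether a given command, key set and channel set would be permitted, which is a cheap way to sanity-check a rule before assigning it to a role. It assumes a constructed, partial command-category table (the real membership comes from `ACL CAT`), approximates Redis glob matching with `fnmatch`, and models Redis Cloud's permissive pub/sub default.

```python
import fnmatch
import re

# Constructed, partial category table for this example; real membership comes from `ACL CAT <category>`.
CATEGORIES = {
    "read": {"get", "mget", "lrange"},
    "write": {"set", "del", "copy", "lpush"},
    "dangerous": {"flushall", "keys", "debug"},
}
CATEGORIES["all"] = set().union(*CATEGORIES.values()) | {"ping", "publish", "subscribe"}

def parse_acl(rule):
    """Split a rule into selectors (root rules plus one per parenthesised group) and parse each."""
    groups = [re.sub(r"\([^)]*\)", " ", rule)] + re.findall(r"\(([^)]*)\)", rule)
    selectors = []
    for group in groups:
        # Redis Cloud defaults to permissive pub/sub, so channels start out as "everything".
        sel = {"commands": set(), "keys": [], "channels": ["*"]}
        for tok in group.split():
            if tok[0] in "+-":  # +cmd, -cmd, +@category, -@category
                cmds = CATEGORIES[tok[2:].lower()] if tok[1] == "@" else {tok[1:].lower()}
                sel["commands"] = sel["commands"] | cmds if tok[0] == "+" else sel["commands"] - cmds
            elif tok.startswith("~"):  # key pattern usable for both reads and writes
                sel["keys"].append(("RW", tok[1:]))
            elif tok.startswith("%"):  # %R~pat, %W~pat or %RW~pat (Redis 7.0+)
                flags, pattern = tok[1:].split("~", 1)
                sel["keys"].append((flags.upper(), pattern))
            elif tok in ("resetchannels", "allchannels"):  # restrictive vs. permissive pub/sub
                sel["channels"] = [] if tok == "resetchannels" else ["*"]
            elif tok.startswith("&"):  # allow one channel pattern
                sel["channels"].append(tok[1:])
            else:
                raise ValueError(f"unsupported ACL token: {tok}")
        selectors.append(sel)
    return selectors

def is_allowed(selectors, command, read_keys=(), write_keys=(), channels=()):
    """True if at least one selector permits the command with the given key and channel access."""
    def key_ok(sel, key, flag):  # fnmatch approximates Redis glob matching
        return any(flag in flags and fnmatch.fnmatchcase(key, pat) for flags, pat in sel["keys"])
    def chan_ok(sel, chan):
        return any(fnmatch.fnmatchcase(chan, pat) for pat in sel["channels"])
    for sel in selectors:
        if (command.lower() in sel["commands"]
                and all(key_ok(sel, k, "R") for k in read_keys)
                and all(key_ok(sel, k, "W") for k in write_keys)
                and all(chan_ok(sel, c) for c in channels)):
            return True
    return False
```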
Redis Cloud includes three predefined permissions:

- Full-Access (`+@all ~*`): All commands are allowed for all keys.
- Read-Write (`+@all -@dangerous ~*`): All commands except for the dangerous command category are allowed for all keys.
- Read-Only (`+@read ~*`): Only the read command category is allowed for all keys.
Note that you can define permissions for the Redis commands of any advanced capabilities that are part of your subscription; however, these permissions can only be used for databases that support those capabilities.