Defining ACLs for a type except for one extension


I have ACLs defined for Organization, but I specifically want to have them disabled for one type that extends Organization. Is this possible?


Can you modify your ACL expression? If so, then you can use the typeIdent to condition the application of your ACL:

  • grant everyone with at least DefaultAccessRole to see instances of your target type,
  • otherwise apply the original expression to allow only users with permissions to see instances of other types.


    {
      "id": "organization_privileges",
      "name": "Organization AclPriviledge",
      "typeName": "Organization",
      "canUpdate": "true",
      "canRemove": "false",
      "canModifyAcl": "false",
      "acl": {
        "expr": "typeIdent=='<excluded-type-ident>'? DefaultAccessRole : <original-expression>"
      }
    }

Alternatively, you should be able to directly disable ACLs on your type with EnableAclPrivilege, e.g. seed/EnableAclPrivilege/TypeExtendingOrganization_acl_controlled.json

    {
      "enabled" : false,
      "id" : "TypeExtendingOrganization_acl_controlled",
      "name" : "TypeExtendingOrganization Acl Controlled",
      "typeName" : "TypeExtendingOrganization"
    }


I would suggest a modified version of the above to create a specific AclPrivilege for the type that you don’t want ACLs on and give access to everyone in that. I would not suggest having an EnableAclPrivilege to turn it off on that type.