ACL ignored when reading system stream.


I’m having a weird issue with ACL when reading a $by-category projection (in my case it’s called $ce-user). I created a user toto and wrote $ce-user stream metadata so toto user can read it.

I got the following stream metadata from the UI

  "$cacheControl": null,
  "$acl": {
    "$d": [],
    "$w": [],
    "$mr": [],
    "$r": [
    "$mw": []
  "$tb": null,
  "$maxCount": null,
  "$maxAge": null


When I try to read $ce-user stream, I always have an Access denied error.

All system projections are enabled and running.

server version:

I’m using the TCP interface through my Haskell client.

Does someone know what is going on?

Thanks for your help.


I also want to mention that $ce-user stream isn’t empty, the stream has a few events. It’s a fresh db so I can have a minimal reproducible use case.

Setting the ACL on the projection doesn’t do anything useful in my experience.

You must instead set the ACL on the underlying streams of the projection.

If the stream User-123456 has an ACL-Setting that doesn’t allow toto to read the stream then this will apply; the ACL of the projection doesn’t override that.

All underlying streams are user-defined streams, so those come with a $all role on read. No need to do anything here.