Projection stream ACLs


I’m in the process of evaluating EventStore for one of our systems at work, and I’m doing some experiments on securing an installation so that an authenticated, valid user is required to read from any stream.

This is working as expected after I’ve set the userStreamAcl and systemStreamAcl properties on the $settings stream, but I’m noticing that streams created by a projection (namely $by_event_type) are by default set to “$r”: “$all” and “$mr”: “$all”. I’ve been looking around in both the web UI and via the Projection REST API, but I can’t seem to find a way to define what ACLs to apply on newly created streams.

The actual contents of the events are sort of still unavailable since you can’t follow the links within the projection-generated stream events without the correct username and password, but I’d like the streams created by this projection to inherit from the $settings ACLs if possible.

Have I missed something very obvious here, or is this intended behaviour? My current $settings ACL properties are as such:

{
  "$userStreamAcl": {
    "$r": "testuser",
    "$w": "testuser",
    "$d": "testuser",
    "$mr": "testuser",
    "$mw": "testuser"
  },
  "$systemStreamAcl": {
    "$r": "$admins",
    "$w": "$admins",
    "$d": "$admins",
    "$mr": "$admins",
    "$mw": "$admins"
  }
}



  • Trond
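An added example, not part of the original post and not EventStore's own code: a small audit that compares a stream's own `$acl` metadata against the `$settings` defaults quoted above and reports any principal it grants beyond them. The function names and the stream names `$et-OrderPlaced` and `orders-1` are hypothetical, the metadata is constructed, and the sketch assumes that a permission missing from a stream's `$acl` falls back to the default.

```python
# Added example: flag streams whose own $acl is wider than the $settings default.
# ACL keys and the $settings values are from the post; stream names are constructed.
PERMS = ("$r", "$w", "$d", "$mr", "$mw")
SETTINGS = {
    "$userStreamAcl": {p: "testuser" for p in PERMS},
    "$systemStreamAcl": {p: "$admins" for p in PERMS},
}


def as_set(value):
    """An ACL entry may be a single principal or a list of principals."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def default_acl(stream, settings):
    """Streams whose name starts with '$' take the system default, others the user default."""
    key = "$systemStreamAcl" if stream.startswith("$") else "$userStreamAcl"
    return settings.get(key, {})


def audit(stream, metadata, settings=SETTINGS):
    """Return [(permission, [principals granted beyond the default])] for one stream."""
    own = metadata.get("$acl") or {}
    base = default_acl(stream, settings)
    findings = []
    for perm in PERMS:
        if perm not in own:
            continue  # assumption: an unset permission falls back to the default
        extra = as_set(own[perm]) - as_set(base.get(perm))
        if extra:
            findings.append((perm, sorted(extra)))
    return findings


if __name__ == "__main__":
    # Constructed metadata: a projection-created stream as described in the post,
    # and a user stream with no ACL of its own.
    sample = {
        "$et-OrderPlaced": {"$acl": {"$r": "$all", "$mr": "$all"}},
        "orders-1": {},
    }
    for name, meta in sample.items():
        print(name, audit(name, meta))
```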