1) Creating the User with group "someGroup" curl -i -X POST -d "{\"loginName\":\"testUser\",\"fullName\":\"testUser\",\"password\":\"testUser\",\"groups\":[\"someGroup\"]}" -H "Content-Type:application/json" "http://localhost:2113/users/" -u "admin:changeit" > HTTP/1.1 201 Created 2) Creating a Stream curl -i -d "{\"someKey\":\"someData\"}" "http://127.0.0.1:2113/streams/MyDomain" -H "Content-Type:application/json" -H "ES-EventType: Test" -H "ES-EventId: C322E299-CB73-4B47-97C5-5054F920746E" -u "admin:changeit" > HTTP/1.1 201 Created 3) TestUser can't access curl -i -H "Accept:application/vnd.eventstore.atom+json" "http://127.0.0.1:2113/streams/MyDomain" -u "testUser:testUser" > HTTP/1.1 401 Unauthorized 4) Modyfying ACL of stream so TestUser can gain access curl -i --request POST \ --url http://localhost:2113/streams/MyDomain/metadata \ --user "admin:changeit" \ --header 'content-type: application/vnd.eventstore.events+json' \ --data '[{ "eventId": "fa352c43-9647-4096-befc-b23768407ad9", "eventType": "$metadata", "data": { "$acl": { "$w" : "$admins", "$r" : "someGroup", "$d" : "$admins", "$mw" : "$admins", "$mr" : "someGroup" } } }]' > HTTP/1.1 201 Created 5) Test user has access after his group was added to ACL curl -i -H "Accept:application/vnd.eventstore.atom+json" "http://127.0.0.1:2113/streams/MyDomain" -u "testUser:testUser" > HTTP/1.1 200 OK 6) Updating the group of the user curl -i --request PUT \ --url http://localhost:2113/users/testUser \ --user "admin:changeit" \ --header 'content-type: application/json' \ --data '{ "fullName": "testUser", "groups": [ "otherGroup" ] }' > HTTP/1.1 200 OK 7) User has still access eventhough not part of right group anymore! curl -i -H "Accept:application/vnd.eventstore.atom+json" "http://127.0.0.1:2113/streams/MyDomain" -u "testUser:testUser" > HTTP/1.1 200 OK