# ACLs

This API allows you to manage Kafka ACLs (Access Control Lists) for your WarpStream virtual clusters.

ACL rules are only *enforced* on Kafka traffic once ACLs are [enabled on the virtual cluster](https://docs.warpstream.com/warpstream/kafka/manage-security/configure-acls#enabling-and-disabling-acls). This lets you set up your ACL rules before turning on enforcement. You can enable ACLs via the [UpdateConfiguration](https://docs.warpstream.com/warpstream/reference/api-reference/virtual-clusters/updateconfiguration) endpoint by setting `are_acls_enabled` to `true`.

For general information about ACLs in WarpStream, including principals, super users, and caching behavior, see the [ACLs guide](https://docs.warpstream.com/warpstream/kafka/manage-security/configure-acls).

## ACL Fields

Each ACL rule consists of the following fields:

| Field             | Description                                                                                                                                                                  |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `resource_type`   | The type of Kafka resource. One of: `TOPIC`, `GROUP`, `CLUSTER`, `TRANSACTIONAL_ID`, `DELEGATION_TOKEN`, `ANY`.                                                              |
| `resource_name`   | The name of the resource (e.g., topic name, consumer group name). For `CLUSTER` resources, use `kafka-cluster`.                                                              |
| `pattern_type`    | How the resource name is matched. One of: `LITERAL` (exact match), `PREFIXED` (prefix match).                                                                                |
| `principal`       | The user principal in the format `User:<name>`. See [ACL Principals](https://docs.warpstream.com/warpstream/kafka/manage-security/configure-acls#acl-principal) for details. |
| `host`            | The client host. Use `*` to allow all hosts.                                                                                                                                 |
| `operation`       | The Kafka operation. One of: `ALL`, `READ`, `WRITE`, `CREATE`, `DELETE`, `ALTER`, `DESCRIBE`, `CLUSTER_ACTION`, `DESCRIBE_CONFIGS`, `ALTER_CONFIGS`, `IDEMPOTENT_WRITE`.     |
| `permission_type` | Whether to allow or deny the operation. One of: `ALLOW`, `DENY`.                                                                                                             |
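
Because rules can be set up before enforcement is turned on, they can be checked before they take effect. The following is an added example, not WarpStream code: it validates rule objects against the field table above and uses the `LITERAL` and `PREFIXED` semantics to list the rules that cover a given resource. The dict representation, the function names, the sample principals and topic names, and the exact-spelling comparison of enum values are assumptions.

```python
import re

# Allowed values copied from the ACL Fields table (compared as spelled there).
ENUMS = {
    "resource_type": {"TOPIC", "GROUP", "CLUSTER", "TRANSACTIONAL_ID",
                      "DELEGATION_TOKEN", "ANY"},
    "pattern_type": {"LITERAL", "PREFIXED"},
    "operation": {"ALL", "READ", "WRITE", "CREATE", "DELETE", "ALTER",
                  "DESCRIBE", "CLUSTER_ACTION", "DESCRIBE_CONFIGS",
                  "ALTER_CONFIGS", "IDEMPOTENT_WRITE"},
    "permission_type": {"ALLOW", "DENY"},
}
REQUIRED = ("resource_type", "resource_name", "pattern_type", "principal",
            "host", "operation", "permission_type")

def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED if not rule.get(f)]
    for field, allowed in ENUMS.items():
        value = rule.get(field)
        if value and value not in allowed:
            problems.append(f"{field}: {value!r} is not an allowed value")
    principal = rule.get("principal")
    if principal and not re.fullmatch(r"User:.+", principal):
        problems.append("principal must use the format User:<name>")
    if rule.get("resource_type") == "CLUSTER" and rule.get("resource_name") not in (None, "", "kafka-cluster"):
        problems.append("CLUSTER rules must use resource_name kafka-cluster")
    return problems

def name_matches(rule, resource_name):
    """LITERAL is an exact match; PREFIXED matches any name with that prefix."""
    if rule["pattern_type"] == "PREFIXED":
        return resource_name.startswith(rule["resource_name"])
    return rule["resource_name"] == resource_name

def rules_for(rules, resource_type, resource_name):
    """Rules whose resource_type and name pattern cover the given resource."""
    return [r for r in rules
            if r["resource_type"] == resource_type and name_matches(r, resource_name)]

# Constructed sample rules (principals and topic names are made up).
SAMPLE_RULES = [
    {"resource_type": "TOPIC", "resource_name": "orders-", "pattern_type": "PREFIXED",
     "principal": "User:orders-svc", "host": "*", "operation": "WRITE", "permission_type": "ALLOW"},
    {"resource_type": "TOPIC", "resource_name": "orders-audit", "pattern_type": "LITERAL",
     "principal": "User:orders-svc", "host": "*", "operation": "WRITE", "permission_type": "DENY"},
    {"resource_type": "CLUSTER", "resource_name": "prod", "pattern_type": "LITERAL",
     "principal": "orders-svc", "host": "*", "operation": "Describe", "permission_type": "ALLOW"},
]
```

Calling `rules_for(SAMPLE_RULES, "TOPIC", "orders-audit")` returns both the `PREFIXED` allow and the `LITERAL` deny, which makes overlapping rules visible for review before enforcement is enabled.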
