Aces and principals are the default “permissions” system constructed into fxserver. It’s very straightforward to make use of, so long as you understand the fundamentals and also you simply begin making an attempt out some stuff.

It’s additionally very straightforward to make use of this from inside assets. Simply use ExecuteCommand() so as to add/take away aces or principals, and use IsPlayerAceAllowed() to examine if a participant is allowed entry to an ace (both instantly or through inherited permissions).


Let’s begin by looking at what a Principal is, and the way you should utilize it in essentially the most simplistic method.
Principals are identifiers that maintain permissions (aces). These identifiers can both be participant identifiers (ip, steam or license), or they are often made up identifiers (like: group.admin, group.moderator, vip or snail).

Command syntax

The command used so as to add identifiers has the next syntax:

# Provides the kid principal to the mum or dad principal.
add_principal <child_identifier> <parent_identifier>

# Removes the kid principal from the mum or dad principal.
remove_principal <child_identifier> <parent_identifier>


Let’s say we’ve 2 gamers. “Participant A” and “Participant B”. We’ll assume that their (pretend) identifiers are: participant:a and participant:b. We even have 2 teams, that are recognized by: snail and group.admin.
So as to add “Participant A” to the “snail” group, you should utilize the next command within the server console:

add_principal identifier.participant:a snail

Now, all aces that get added to the “snail” group, will routinely be set for identifier.participant:a (so “Participant A”).


Principals can even inherit from different principals. For instance, if we would like the “group.admin” group to additionally get all permissions from the “snail” group, you’d do that:

add_principal group.admin snail

NOTE There is a vital catch with utilizing inheritance, which might be defined within the Aces part.


The builtin.everybody principal is a “group” that each single participant is in. This implies, when you enable builtin.everybody a selected ace, everybody may have that ace as allowed.
Even when you add somebody to a selected group/principal, they are going to nonetheless all the time inherit all permissions from builtin.everybody.

At this level, the inheritance tree ought to look one thing like this:

builtin.everybody # (international mum or dad of every thing)
| .... snail # (mum or dad & baby)
|       |
| ....  +---- group.admin # (baby, has all "snail" permissions)
|       |
| ....  +--- identifier.participant:a # (baby, has all "snail" permissions)


Aces will be seen as a “permission node”, which may both be allowed or denied.
By default, all aces are set to unset aka deny. Which implies, that when you had been to examine for an ace that was not setup, it would return false (deny).

The default unset worth will be overwritten by (manually) setting it to both deny or enable. Setting one thing to deny will truly set it to DENY-ALWAYS. Which implies, it could NOT be overwritten by one thing like mum or dad principals. Setting it to enable will grant the ace and can also be NOT capable of be overwritten by mum or dad principals. Principally it’s only a fist come first serve precept, the primary permission to be set, can’t be overwritten by setting it to the other state after setting the primary state.

Ace-command syntax

# Provides the ace to the principal, and both "permits" or "denies" it.
add_ace <principal_identifier> <ace_string> <enable|deny>

# Removes the ace from the principal, observe it solely removes the "enable" or "deny" ace, relying on whichever one you choose.
remove_ace <principal_identifier> <ace_string> <enable|deny>

As an example this, check out the next instance:


Let’s take Participant A and Participant B, snail and group.admin principals from the earlier instance.
Within the earlier instance, we added PLayer A to the snail group, and we additionally set the group.admin group to inherit every thing from the snail principal (group)
Let’s say that Participant B has been added to the group.admin principal. (add_principal identifier.participant:b group.admin)

At this level, the inheritance tree appears to be like like this:

builtin.everybody # (international mum or dad of every thing)
| .... snail # (mum or dad & baby)
|       |
| ....  +---- group.admin # (mum or dad & baby, has all "snail" permissions)
|       |       |
| ....  |  ...  +--- identifier.participant:b # (baby, has all "group.admin" AND all "snail" permissions)
|       |
| ....  +--- identifier.participant:a # (baby, has all "snail" permissions)

If we wish to give Participant B the ace, we 4 choices to take action on this present setup.

  1. Add the ace to builtin.everybody
  2. Add the ace to snail
  3. Add the ace to group.admin
  4. Add the ace on to identifier.participant:b

Nevertheless, we most likely solely wish to add it to the third or 4th possibility. As a result of including it to 1 will grant it to everybody, and we don’t need that, and including it to possibility 2 will enable everybody within the snail group to make use of it, which can also be not what we would like on this case.

So so as to add the ace to the group.admin principal, we’d do one thing like this:

add_ace group.admin "" enable

The group.admin principal, and all of it’s baby principals (on this case, identifier.participant:b), now have entry to the ace.


After all, aces have wildcards!
So, let’s say we wish to give Participant A permission to each*** ace, as a result of Participant A is .cool, .superior and .snailsome as effectively. Then we will merely add the ace to identifier.participant:a, now participant a has each*** ace.

add_ace identifier.participant:a "" enable
# Participant a is now: cool, superior and snailsome!

Participant B nevertheless, continues to be solely cool. Let’s make Participant B snailsome as effectively, as a result of they’re a part of the snail group in any case. However we DON’T wish to give them the ace. On this case, we may merely add the ace to both the group.admin or identifier.participant:b principals, however we’re going to do it barely completely different, simply because WE CAN. So how are we going to do it you could ask? Effectively similar to this:

add_ace group.admin "" deny
add_ace group.admin "" enable
# Participant b is now: cool & snailsome however NOT superior!

Discover how we set the deny for the first, and then we set the wildcard to permit. Keep in mind what we stated in regards to the first come first serve precept?
Now, group.admin (and thus Participant B) has entry to all states and EXCEPT for one, which is the ace, as a result of we set that to disclaim FIRST.

To summarize every thing above, right here’s a fast overview of all instructions + 2 instructions that aren’t listed above.

Command Syntax Description
add_ace <principal_identifier> <ace_name> <enable/deny> Units the ace for the required principal identifier to both enable or deny.
removes_ace <principal_identifier> <ace_name> <enable/deny> Removes both the enable or deny ace for that principal.
add_principal <child_principal> <parent_principal> Provides the kid principal to the mum or dad principal, giving the kid all aces of the mum or dad principal.
remove_principal <child_principal> <parent_principal> Removes the kid principal from the required mum or dad principal (revoking all beforehand inherited permissions).
Bonus instructions
list_aces Will present a listing of all aces, for every principal identifier and present’s the granted standing (enable, deny(/unset) or deny-always)
list_principals Will present a listing of all principals (baby > mum or dad)

Looking for a FiveM Server host? Click here