diff --git a/proto/caosdb/acm/v1alpha1/main.proto b/proto/caosdb/acm/v1alpha1/main.proto
index b5bb1ae04497e4cfb1dfe85c11e540e89a7e3c12..d8446165d8745210f82080fe2133ef906d99f5a6 100644
--- a/proto/caosdb/acm/v1alpha1/main.proto
+++ b/proto/caosdb/acm/v1alpha1/main.proto
@@ -52,6 +52,24 @@ message PagingResponse {
 // PERMISSSION STUFF
 ///////////////////////////////////////////
 
+// TODO
+message ListKnownPermissionsRequest {
+}
+
+// TODO
+message ListKnownPermissionsResponse {
+  // known permissions
+  repeated PermissionDescription permissions = 1;
+}
+
+// TODO
+message PermissionDescription {
+  // The permission
+  string permission = 1;
+  // The description
+  string description = 2;
+}
+
 // PermissionRule
 message PermissionRule {
   // The permission which is being granted oder denied.
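Review bot: The three new messages are documented only with `// TODO` (L9, L13, L19), and protoc attaches that leading comment as the generated API documentation for `ListKnownPermissionsRequest`, `ListKnownPermissionsResponse` and `PermissionDescription`. Replace them with descriptive comments, e.g. `// Request message for the ListKnownPermissions RPC (takes no parameters).`, `// Response message for the ListKnownPermissions RPC.` and `// A permission identifier known to the server, with a human-readable description.`. It would also help clients to state on `permission` (L22) whether it is the same identifier vocabulary that `PermissionRule.permission` (L29) accepts, which is presumably the intent of listing them.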
@@ -89,7 +107,17 @@ message ListRolesResponse {
   // Actual paging setting of the response.
   PagingResponse paging = 1;
   // A subset (when paging is used) or the complete set (otherwise) of roles.
-  repeated Role roles = 2;
+  repeated ListRoleItem roles = 2;
+}
+
+// Combines role, the role's capabilities and the current users permissions.
+message ListRoleItem {
+  // Role
+  Role role = 1;
+  // The permissions of the user of the current session
+  repeated RolePermissions permissions = 2;
+  // What we can do with this role
+  repeated RoleCapabilities capabilities = 3;
 }
 
 // Request message for the CreateSingleRole RPC
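Review bot: Field 2 of `ListRolesResponse` changes type from `Role` to `ListRoleItem` while keeping its number (L34–L35); both are length-delimited, so a client built against the old schema will decode a `ListRoleItem` payload as a `Role` and silently misread it instead of failing. Unless nothing built against the old v1alpha1 schema is still in use, give the new field a fresh number and reserve the old one: `reserved 2; reserved "roles";` and `repeated ListRoleItem items = 3;`. The comment on L42 (`permissions of the user of the current session`) is also ambiguous next to `capabilities`; it presumably means what the caller may do with this role, which is worth stating explicitly.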
@@ -107,12 +135,42 @@ message RetrieveSingleRoleRequest {
   string name = 1;
 }
 
+// Role Permissions
+enum RolePermissions {
+  // Unspecified permission
+  ROLE_PERMISSIONS_UNSPECIFIED = 0;
+  // Role can be deleted
+  ROLE_PERMISSIONS_DELETE = 1;
+  // Description can be updated
+  ROLE_PERMISSIONS_UPDATE_DESCRIPTION = 2;
+  // Permission rules of this role can be updated
+  ROLE_PERMISSIONS_UPDATE_PERMISSION_RULES = 3;
+  // This role can be assigned
+  ROLE_PERMISSIONS_ASSIGN = 4;
+}
+
+// Role Capabilities
+enum RoleCapabilities {
+  // Unspecified capability
+  ROLE_CAPABILITIES_UNSPECIFIED = 0;
+  // This role is deletable
+  ROLE_CAPABILITIES_DELETE = 1;
+  // This role's permissions can be changed
+  ROLE_CAPABILITIES_UPDATE_PERMISSION_RULES = 2;
+  // This role can be assigned to a user
+  ROLE_CAPABILITIES_ASSIGN = 3;
+}
+
 // Response message for the RetrieveSingleRole RPC
 message RetrieveSingleRoleResponse {
   // The role.
   Role role = 1;
   // Known users with this role
   repeated User users = 2;
+  // The permissions of the user of the current session
+  repeated RolePermissions permissions = 3;
+  // What we can do with this role
+  repeated RoleCapabilities capabilities = 4;
 }
 
 // Request message for the UpdateSingleRole RPC
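Review bot: Neither enum says whether these lists are authoritative, and a client could read `ROLE_PERMISSIONS_DELETE` (L58) as a pre-authorization rather than a hint. State it in the leading comment so nobody treats the presence or absence of a value as an access-control decision: `// What the user of the current session may do with this role, as evaluated by the server when the response was built. Informational only: every mutating RPC re-checks authorization, so clients must not rely on this list as a substitute for the server's decision.`. Similarly, `RoleCapabilities` (L67) should say what makes a role non-deletable or non-assignable independent of the caller's permissions — presumably built-in roles — since the two enums are otherwise easy to confuse.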
@@ -146,6 +204,18 @@ enum UserStatus {
   USER_STATUS_ACTIVE = 2;
 }
 
+// EmailSetting - it is handy to have this as a separate message b/c otherwise we could not distinguish between empty string and unset email.
+message EmailSetting {
+  // The email adress
+  string email = 1;
+}
+
+// EntitySetting - it is handy to have this as a separate message b/c otherwise we could not distinguish between empty string and unset email.
+message EntitySetting {
+  // The entity which represents this user (e.g. a Person or Device Record).
+  string entity_id = 1;
+}
+
 // User
 message User {
   // Indicates whether the user is active. Only active users can sign in and
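Review bot: The comment on `EntitySetting` (L102) is a copy of the `EmailSetting` one and talks about an unset email, which is misleading for the entity id; it should read `// EntitySetting - a separate message so that an empty string and an unset entity id can be distinguished.`. L98 also has a typo: `// The email address`. If the file is proto3 with a protoc new enough for `optional`, `optional string email = 4;` would give the same explicit presence without a wrapper message, but the `syntax` line is not visible here so that is a judgment call.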
@@ -157,10 +227,10 @@ message User {
   string realm = 2;
   // Name of this user.
   string name = 3;
-  // Email of this user.
-  string email = 4;
-  // The entity which represents this user (e.g. a Person or Device Record).
-  string entity_id = 5;
+  // Email setting of this user.
+  EmailSetting email_setting = 4;
+  // Entity setting of this user.
+  EntitySetting entity_setting = 5;
   // List of roles of this user.
   repeated string roles = 6;
 }
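Review bot: Fields 4 and 5 of `User` change from `string` to the message types `EmailSetting` and `EntitySetting` while keeping their numbers (L115–L122). Strings and embedded messages share the same wire type, so a writer built against the old schema will send an email address that a new reader then tries to decode as an `EmailSetting` message, yielding a parse error or garbage rather than a clean rejection. Unless the v1alpha1 schema has no other consumers, keep the old numbers reserved and add the new fields under fresh numbers, as below; the old names should be reserved too so JSON clients cannot keep sending `email`.
```protobuf
  // … unchanged: status, realm, name …
  // Former string-valued email (4) and entity_id (5): reserved so old writers
  // are not misparsed as the new message-typed fields.
  reserved 4, 5;
  reserved "email", "entity_id";
  // Email setting of this user.
  EmailSetting email_setting = 7;
  // Entity setting of this user.
  EntitySetting entity_setting = 8;
  // List of roles of this user.
  repeated string roles = 6;
```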
@@ -199,10 +269,42 @@ message RetrieveSingleUserRequest {
   string name = 2;
 }
 
+// Permissions for updating and deleting a user.
+enum UserPermissions {
+  // Unspecified permission
+  USER_PERMISSIONS_UNSPECIFIED = 0;
+  // The user can be deleted.
+  USER_PERMISSIONS_DELETE = 1;
+  // The password of the user can be updated.
+  USER_PERMISSIONS_UPDATE_PASSWORD = 2;
+  // The email of the user can be updated.
+  USER_PERMISSIONS_UPDATE_EMAIL = 3;
+  // The status (active/inactive) of the user can be changed.
+  USER_PERMISSIONS_UPDATE_STATUS = 4;
+  // The roles of the user can be altered.
+  USER_PERMISSIONS_UPDATE_ROLES = 5;
+  // Ths entity of the user can be set.
+  USER_PERMISSIONS_UPDATE_ENTITY = 6;
+}
+
+// What we can do with a user (generally speaking, if permissions suffice).
+enum UserCapabilities {
+  // Unspecified capability
+  USER_CAPABILITIES_UNSPECIFIED = 0;
+  // User can be deleted.
+  USER_CAPABILITIES_DELETE = 1;
+  // The user's password can be updated.
+  USER_CAPABILITIES_UPDATE_PASSWORD = 2;
+}
+
 // Response message for the RetrieveSingleUser RPC
 message RetrieveSingleUserResponse {
   // The user
   User user = 1;
+  // The permissions of the user of the current session.
+  repeated UserPermissions permissions = 2;
+  // What we can do with this user
+  repeated UserCapabilities capabilities = 3;
 }
 
 // Request message for the UpdateSingleUser RPC
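Review bot: `UserCapabilities` (L148–L156) lists only DELETE and UPDATE_PASSWORD, and its leading comment does not say what makes a user lack one of them even when the caller's permissions suffice; presumably users whose credentials live in an external realm (`realm`, L112) cannot have a password set here, and that is exactly what a client would want to know. Suggest e.g. `// What can be done with this user at all, independent of the caller's permissions (e.g. a password can only be updated for users whose credentials are managed by this server).`, adjusted to the real rule. L144 also has a typo: `// The entity of the user can be set.`.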
@@ -271,4 +373,8 @@ service AccessControlManagementService {
   // Delete a single role
   rpc DeleteSingleRole(DeleteSingleRoleRequest)
       returns (DeleteSingleRoleResponse) {};
+
+  // List all known permissions
+  rpc ListKnownPermissions(ListKnownPermissionsRequest)
+      returns (ListKnownPermissionsResponse) {};
 }
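Review bot: The new RPC returns the whole permission list at once (L174–L176) while the other list RPCs in this service page (`PagingResponse`, L31–L32); if the set of known permissions is a fixed, server-defined vocabulary that is fine, but say so in the comment so the missing paging reads as deliberate, e.g. `// List all permissions known to this server. The set is fixed per server version and small, so the response is not paged.`. Adjust the wording if the set can grow at runtime.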
diff --git a/proto/caosdb/entity/v1/main.proto b/proto/caosdb/entity/v1/main.proto
index dd5b0b28bc03d0b5debb5a7bc4b4ced0cee67557..543eb491a3673ce6e09f4bc32849c0403f5e16d8 100644
--- a/proto/caosdb/entity/v1/main.proto
+++ b/proto/caosdb/entity/v1/main.proto
@@ -691,11 +691,65 @@ message MultiTransactionResponse {
   repeated Message transaction_infos = 4;
 }
 
+// Request of the MultiRetrieveEntityACL rpc
+message MultiRetrieveEntityACLRequest {
+  // The requested entity ids.
+  repeated string id = 1;
+}
+
+// Response of the MultiRetrieveEntityACL rpc
+message MultiRetrieveEntityACLResponse {
+  // The entities ACLs
+  repeated EntityACL acls = 1;
+}
+
+// Request of the MultiUpdateEntityACL rpc
+message MultiUpdateEntityACLRequest {
+  // The requested entity ids.
+  repeated EntityACL acls = 1;
+}
+
+// Response of the MultiUpdateEntityACL rpc
+message MultiUpdateEntityACLResponse {
+}
+
+// Entity Access Controll List (ACL)
+message EntityACL {
+  // The entity id
+  string id = 1;
+  // The rules which make up the ACL
+  repeated EntityPermissionRule rules = 2;
+}
+
+// Permission rules for Entity ACL
+message EntityPermissionRule {
+  // The role for which this rule applies
+  string role = 1;
+  // Is priority?
+  bool priority = 2;
+  // Is grant?
+  bool grant = 3;
+  // permissions
+  repeated EntityPermission permissions = 4;
+}
+
+// TODO replace by enum
+message EntityPermission {
+  // name of the permission
+  string name = 1;
+}
+
 // Entity Transaction Service
 service EntityTransactionService {
   // Issue multiple mixed requests
   rpc MultiTransaction(MultiTransactionRequest)
       returns (MultiTransactionResponse);
+  // Request the Entity ACLs
+  rpc MultiRetrieveEntityACL(MultiRetrieveEntityACLRequest)
+      returns (MultiRetrieveEntityACLResponse);
+  // Set the Entity ACLs,
+  rpc MultiUpdateEntityACL(MultiUpdateEntityACLRequest)
+      returns (MultiUpdateEntityACLResponse);
 }
 
 ///////////////////////////////////////////////////////////////////////////
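Review bot: `EntityPermissionRule` encodes the kind of rule as two proto3 bools (L220–L223) whose unset value is `false`, so a rule written without `grant` silently becomes a deny and the server cannot tell an omitted field from an explicit one; for ACL input that is worth making explicit with an enum whose zero value the server rejects, as below (the message is new in this commit, so renumbering is still free). The update path also needs its contract stated: `MultiUpdateEntityACL` (L242–L244) returns an empty response, so the comment should say whether `rules` replaces the entity's whole ACL (an empty list clearing it) and whether the batch is applied atomically or per entity, since a partial failure currently has no way to be reported. Two comments are copy-paste slips: L200 describes `acls` as `The requested entity ids.`, and L208 reads `Controll`; `id` on L189 is also a repeated field with a singular name, `ids` reads better.
```protobuf
// Kind of an EntityPermissionRule. Servers must reject UNSPECIFIED so an
// omitted kind cannot silently become a deny (or a grant).
enum EntityPermissionRuleKind {
  ENTITY_PERMISSION_RULE_KIND_UNSPECIFIED = 0;
  ENTITY_PERMISSION_RULE_KIND_GRANT = 1;
  ENTITY_PERMISSION_RULE_KIND_DENY = 2;
  ENTITY_PERMISSION_RULE_KIND_PRIORITY_GRANT = 3;
  ENTITY_PERMISSION_RULE_KIND_PRIORITY_DENY = 4;
}

// Permission rules for Entity ACL
message EntityPermissionRule {
  // The role for which this rule applies
  string role = 1;
  // Whether this rule grants or denies, and whether it takes priority.
  EntityPermissionRuleKind kind = 2;
  // permissions
  repeated EntityPermission permissions = 4;
}
```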