diff --git a/proto/caosdb/CMakeLists.txt b/proto/caosdb/CMakeLists.txt
index 1ecce675fc50356899436b965fbf2270d821416c..2c820d599a8bcdc05fb3d058123f7e5299f7c3e0 100644
--- a/proto/caosdb/CMakeLists.txt
+++ b/proto/caosdb/CMakeLists.txt
@@ -21,6 +21,7 @@
 set(CAOSDB_API_PACKAGES
     caosdb.info.v1alpha1
     caosdb.entity.v1alpha1
+    caosdb.acm.v1alpha1
     )
 
 # pass variable to parent scope
diff --git a/proto/caosdb/acm/v1alpha1/main.proto b/proto/caosdb/acm/v1alpha1/main.proto
new file mode 100644
index 0000000000000000000000000000000000000000..20e6a324339014cefaffe6338c5db16e7a7cf9d7
--- /dev/null
+++ b/proto/caosdb/acm/v1alpha1/main.proto
@@ -0,0 +1,185 @@
+//
+// This file is a part of the CaosDB Project.
+//
+// Copyright (C) 2021 Timm Fitschen <t.fitschen@indiscale.com>
+// Copyright (C) 2021 IndiScale GmbH <info@indiscale.com>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <https://www.gnu.org/licenses/>.
+//
+
+// This is the main file of the caosdb.acm.v1alpha1 package.
+syntax                     = "proto3";
+option java_multiple_files = true;
+option java_package        = "org.caosdb.api.acm.v1alpha1";
+
+package caosdb.acm.v1alpha1;
+
+///////////////////////////////////////////
+// COMMON STUFF
+///////////////////////////////////////////
+
+// Client preferences for the paging. The server MUST respect the index
+// property or send the complete result set. The server MAY choose to send a
+// different page length in the response
+message PagingRequest {
+  // Desired index of the first element in the response. The index depends on
+  // the order of the elements in the result set.
+  int32 index = 1;
+  // Desired length of the page in the server response.
+  int32 page_length = 2;
+}
+
+// The actual paging of the response.
+message PagingResponse {
+  // Total numbers of results.
+  int32 total_number = 1;
+  // Index of the first item in the page.
+  int32 current_index = 2;
+}
+
+///////////////////////////////////////////
+// ROLE STUFF
+///////////////////////////////////////////
+
+// Role
+message Role {
+  // Unique name of this role.
+  string name = 1;
+  // Description of the purpose of this role or which group of users this role
+  // represents.
+  string description = 2;
+  // List of string permissions of this role.
+  repeated string string_permissions = 3;
+}
+
+// Request message for the ListRoles RPC
+message ListRolesRequest {
+  // Desired paging settings for the response.
+  PagingRequest paging = 1;
+}
+
+// Response message for the ListRoles RPC
+message ListRolesResponse {
+  // Actual paging setting of the response.
+  PagingResponse paging = 1;
+  // A subset (when paging is used) or the complete set (otherwise) of roles.
+  repeated Role roles = 2;
+}
+
+// Request message for the <+TODO+> RPC
+message CreateSingleRoleRequest {}
+// Response message for the <+TODO+> RPC
+message CreateSingleRoleResponse {}
+// Request message for the <+TODO+> RPC
+message RetrieveSingleRoleRequest {}
+// Response message for the <+TODO+> RPC
+message RetrieveSingleRoleResponse {}
+// Request message for the <+TODO+> RPC
+message UpdateSingleRoleRequest {}
+// Response message for the <+TODO+> RPC
+message UpdateSingleRoleResponse {}
+// Request message for the <+TODO+> RPC
+message DeleteSingleRoleRequest {}
+// Response message for the <+TODO+> RPC
+message DeleteSingleRoleResponse {}
+
+///////////////////////////////////////////
+// USER STUFF
+///////////////////////////////////////////
+
+// User
+message User {
+  // Indicates whether the user is active. Only active users can sign in and
+  // interact with the CaosDB Server.
+  string active = 1;
+  // Realm of this user. The realm is the authority which can authenticate this user, e.g. 'PAM' when the user is a (POSIX) user from the server's host, or 'CaosDB' when CaosDB Server itself can authenticate the user.
+  string realm = 2;
+  // Name of this user.
+  string name = 3;
+  // Email of this user.
+  string email = 4;
+  // The entity which represents this user (e.g. a Person or Device Record).
+  string entity_id = 5;
+  // List of roles of this user.
+  repeated string roles = 6;
+}
+
+// Request message for the ListUsers RPC.
+message ListUsersRequest {
+  // Desired paging settings for the response.
+  PagingRequest paging = 1;
+}
+
+// Response message for the ListUsers RPC.
+message ListUsersResponse {
+  // Actual paging setting of the response.
+  PagingResponse paging = 1;
+  // A subset (when paging is used) or the complete set (otherwise) of known users.
+  repeated User users = 2;
+}
+
+// Request message for the <+TODO+> RPC
+message CreateSingleUserRequest {}
+// Response message for the <+TODO+> RPC
+message CreateSingleUserResponse {}
+// Request message for the <+TODO+> RPC
+message RetrieveSingleUserRequest {}
+// Response message for the <+TODO+> RPC
+message RetrieveSingleUserResponse {}
+// Request message for the <+TODO+> RPC
+message UpdateSingleUserRequest {}
+// Response message for the <+TODO+> RPC
+message UpdateSingleUserResponse {}
+// Request message for the <+TODO+> RPC
+message DeleteSingleUserRequest {}
+// Response message for the <+TODO+> RPC
+message DeleteSingleUserResponse {}
+
+///////////////////////////////////////////
+// SERVICE DEFINITION
+///////////////////////////////////////////
+
+// A service for managing the access to the CaosDB Server via user accounts,
+// roles and permissions.
+service AccessControlManagementService {
+  // Request the list of known users.
+  rpc ListUsers(ListUsersRequest) returns (ListUsersResponse) {};
+
+  // Retrieve a single user
+  rpc RetrieveSingleUser(RetrieveSingleUserRequest) returns (RetrieveSingleUserResponse) {};
+
+  // Create a single new user
+  rpc CreateSingleUser(CreateSingleUserRequest) returns (CreateSingleUserResponse) {};
+
+  // Update a single user
+  rpc UpdateSingleUser(UpdateSingleUserRequest) returns (UpdateSingleUserResponse) {};
+
+  // Delete a single user
+  rpc DeleteSingleUser(DeleteSingleUserRequest) returns (DeleteSingleUserResponse) {};
+
+  // Request the list of roles.
+  rpc ListRoles(ListRolesRequest) returns (ListRolesResponse) {};
+
+  // Retrieve a single role
+  rpc RetrieveSingleRole(RetrieveSingleRoleRequest) returns (RetrieveSingleRoleResponse) {};
+
+  // Create a single new role
+  rpc CreateSingleRole(CreateSingleRoleRequest) returns (CreateSingleRoleResponse) {};
+
+  // Update a single role
+  rpc UpdateSingleRole(UpdateSingleRoleRequest) returns (UpdateSingleRoleResponse) {};
+
+  // Delete a single role
+  rpc DeleteSingleRole(DeleteSingleRoleRequest) returns (DeleteSingleRoleResponse) {};
+}
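Review bot: `User.active` (the first field of `message User`) is declared as `string` although its comment says it "indicates whether the user is active", so a client or server must parse free-form text to decide whether an account may sign in, and values such as `""`, `"0"` or `"no"` have no defined meaning in an access-control decision. Declare it as `bool active = 1;` so that the proto3 default (`false`) reads as "cannot sign in" and there is no string-to-boolean interpretation on either side; if more states are expected later, an enum with an `_UNSPECIFIED` zero value would be the safer choice. The `// Request message for the <+TODO+> RPC` comments on the empty `*Single{Role,User}Request` / `*Response` messages should name their RPC (e.g. `// Request message for the CreateSingleRole RPC`), since these comments are what doc generators attach to the messages. The service comment might also state who is allowed to call the mutating RPCs (`Create*`, `Update*`, `Delete*`), as nothing in the file records the expected authorization; this is presumably enforced server-side and worth confirming.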