diff --git a/proto/caosdb/entity/v1/main.proto b/proto/caosdb/entity/v1/main.proto
index 543eb491a3673ce6e09f4bc32849c0403f5e16d8..c2ebde9667643878d0992c78323626635dc11af1 100644
--- a/proto/caosdb/entity/v1/main.proto
+++ b/proto/caosdb/entity/v1/main.proto
@@ -719,6 +719,10 @@ message EntityACL {
   string id = 1;
   // The rules which make up the ACL
   repeated EntityPermissionRule rules = 2;
+  // relevant permissions of the current session, e.g. if the current user is
+  // allowed to update the ACL. This is read-only and will be ignored by the
+  // server.
+  repeated EntityPermission permissions = 3;
 }
 
 // Permission rules for Entity ACL
@@ -731,6 +735,16 @@ message EntityPermissionRule {
   bool grant = 3;
   // permissions
   repeated EntityPermission permissions = 4;
+  // capabilities
+  repeated EntityPermissionRuleCapability capabilities = 5;
+}
+
+// What (given enough permissions) can be done with an EntityPermissionRule. E.g. globel entity permission rules, which are to be specified in a configuration file cannot be deleted, thus they are missing the ENTITY_PERMISSION_RULE_CAPABILITY_DELETE capability.
+enum EntityPermissionRuleCapability {
+  // Unspecified capability.
+  ENTITY_PERMISSION_RULE_CAPABILITY_UNSPECIFIED = 0;
+  // This permission rule can be deleted/removed from the ACL
+  ENTITY_PERMISSION_RULE_CAPABILITY_DELETE = 1;
 }
 
 // TODO replace by enum