diff --git a/src/main/java/org/caosdb/server/transaction/WriteTransaction.java b/src/main/java/org/caosdb/server/transaction/WriteTransaction.java
index abda78b6feeb0de7104de5365877b28d474058fe..87e15e9226c4b40c70630a25ee98c88b65bfcd44 100644
--- a/src/main/java/org/caosdb/server/transaction/WriteTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/WriteTransaction.java
@@ -215,13 +215,7 @@ public class WriteTransaction extends Transaction<WritableContainer>
                     .setFile(oldEntity.getFileProperties().retrieveFromFileSystem());
               }
 
-              try {
-                checkPermissions(entity, deriveUpdate(entity, oldEntity));
-              } catch (final AuthorizationException exc) {
-                entity.setEntityStatus(EntityStatus.UNQUALIFIED);
-                entity.addError(ServerMessages.AUTHORIZATION_ERROR);
-                entity.addInfo(exc.getMessage());
-              }
+              ((UpdateEntity) entity).setOriginal(oldEntity);
             }
             break innerLoop;
           }
@@ -290,6 +284,16 @@ public class WriteTransaction extends Transaction<WritableContainer>
   @Override
   protected void preCheck() throws InterruptedException, Exception {
     for (final EntityInterface entity : getContainer()) {
+      try {
+        checkPermissions(entity, deriveUpdate(entity, ((UpdateEntity) entity).getOriginal()));
+      } catch (final AuthorizationException exc) {
+        entity.setEntityStatus(EntityStatus.UNQUALIFIED);
+        entity.addError(ServerMessages.AUTHORIZATION_ERROR);
+        entity.addInfo(exc.getMessage());
+      } catch (ClassCastException exc) {
+        // not an update entity. ignore.
+      }
+
       // set default EntityACL if none present
       if (entity.getEntityACL() == null) {
         entity.setEntityACL(EntityACL.getOwnerACLFor(SecurityUtils.getSubject()));
@@ -373,6 +377,21 @@ public class WriteTransaction extends Transaction<WritableContainer>
       newEntity.setEntityACL(oldEntity.getEntityACL());
     }
 
+    // new acl?
+    if (newEntity.hasEntityACL() && !newEntity.getEntityACL().equals(oldEntity.getEntityACL())) {
+      oldEntity.checkPermission(EntityPermission.EDIT_ACL);
+      if (!newEntity
+          .getEntityACL()
+          .getPriorityEntityACL()
+          .equals(oldEntity.getEntityACL().getPriorityEntityACL())) {
+        // priority acl is to be changed?
+        oldEntity.checkPermission(Permission.EDIT_PRIORITY_ACL);
+      }
+      updatetable = true;
+    } else if (!newEntity.hasEntityACL()) {
+      newEntity.setEntityACL(oldEntity.getEntityACL());
+    }
+
     // new query template definition?
     if (!Objects.equals(
         newEntity.getQueryTemplateDefinition(), oldEntity.getQueryTemplateDefinition())) {