Client area
ACE Permissions on FiveM: The Complete Guide to Securing Your Server
Managing who can do what on a FiveM server is the foundation of any serious project. Granting admin rights to anyone or leaving sensitive commands accessible to all is the best way to see your server go off the rails.
The ACE (Access Control Entry) system is the native permissions system of FiveM. It allows you to create groups (admin, moderator, police, VIP…), assign them specific rights, and manage everything hierarchically. In this guide, we will review everything you need to know to configure your permissions properly.
What exactly is the ACE system?
ACE is the integrated permissions system in FiveM. It allows you to:
- Control access to commands and features
- Create groups with different levels of rights
- Manage permissions hierarchically (an admin inherits the rights of a moderator, etc.)
- Secure sensitive resources and commands
Everything is configured in your server.cfg file.
The three concepts to understand
Before diving into the configuration, you need to understand three essential concepts.
1. The Principal (the identity)
This identifies a player or a group. It can be:
identifier.steam:110000xxxxxx # Steam ID
identifier.license:xxxxxx # Rockstar License
identifier.discord:xxxxxx # Discord ID
identifier.fivem:xxxxxx # FiveM ID
group.admin # A group
2. The ACE (the permission)
This is the right you grant or deny:
command.kick # Permission to kick
command.ban # Permission to ban
resource.admin_menu # Access to a specific resource
3. Allow / Deny
You allow (allow) or deny (deny) the permission.
Inheritance between groups
This is what makes the ACE system really practical. A group can inherit permissions from another group.
For example, if you have this hierarchy:
superadmin → admin → moderator → support
A superadmin automatically has all the permissions of an admin, who has all those of a moderator, and so on. You don’t need to copy the same permissions everywhere.
FiveM processes permissions in this order:
- Player-specific permissions (identifier)
- Group permissions (group)
- Inherited permissions
The basic syntax
Everything happens in your server.cfg. Here are the essential commands:
# Grant a permission to a group or player
add_ace <principal> <permission> <allow/deny>
# Add a player to a group
add_principal <identifier> <group>
# Make a group inherit from another
add_ace group.admin group.moderator allow
Simple configuration: one admin
If you are just starting and want to give yourself admin rights, here’s the minimum:
# Create the admin group with all commands
add_ace group.admin command allow
# Add yourself to the admin group (replace with your Steam ID)
add_principal identifier.steam:110000xxxxxx group.admin
With this, you have access to all commands. Simple, but not very refined in terms of rights management.
Complete configuration: hierarchical structure
Here’s a more serious configuration with multiple levels of permissions:
####################################
# GLOBAL PERMISSIONS
####################################
# Block dangerous commands for everyone by default
add_ace builtin.everyone command.restart deny
add_ace builtin.everyone command.stop deny
add_ace builtin.everyone command.exec deny
####################################
# SUPERADMIN (server owner)
####################################
add_ace group.superadmin command allow
add_ace group.superadmin txadmin allow
add_principal identifier.steam:110000xxxxxx group.superadmin
####################################
# ADMIN
####################################
# The admin inherits the moderator rights
add_ace group.admin group.moderator allow
# Specific admin permissions
add_ace group.admin command.restart allow
add_ace group.admin command.stop allow
add_ace group.admin command.start allow
add_ace group.admin command.refresh allow
add_ace group.admin command.ensure allow
add_ace group.admin command.setjob allow
add_ace group.admin command.giveitem allow
add_ace group.admin command.givemoney allow
add_ace group.admin command.car allow
add_ace group.admin command.dv allow
add_ace group.admin command.tp allow
add_ace group.admin command.bring allow
add_ace group.admin command.unban allow
add_principal identifier.steam:110000yyyyyy group.admin
####################################
# MODERATOR
####################################
# The moderator inherits the support rights
add_ace group.moderator group.support allow
# Moderation permissions
add_ace group.moderator command.kick allow
add_ace group.moderator command.ban allow
add_ace group.moderator command.warn allow
add_ace group.moderator command.mute allow
add_ace group.moderator command.spectate allow
add_ace group.moderator command.goto allow
add_ace group.moderator command.announce allow
add_principal identifier.steam:110000zzzzzz group.moderator
add_principal identifier.discord:123456789 group.moderator
####################################
# SUPPORT
####################################
add_ace group.support command.tp allow
add_ace group.support command.tpto allow
add_ace group.support command.bring allow
add_ace group.support command.revive allow
add_principal identifier.steam:110000aaaaaa group.support
####################################
# VIP (benefits without admin rights)
####################################
add_ace group.vip vip.priority allow
add_ace group.vip vip.customskin allow
add_ace group.vip vip.spawnvehicle allow
add_principal identifier.steam:110000bbbbbb group.vip
The different types of identifiers
Steam ID (recommended)
This is the most reliable and widely used:
add_principal identifier.steam:110000xxxxxx group.admin
To find a player's Steam ID:
- The player connects to the server
- Type
statusin the server console - Locate the line with their username and copy the identifier
steam:xxxxx
Discord ID
add_principal identifier.discord:123456789012345678 group.admin
To find it: enable developer mode in Discord, then right-click on the user → Copy ID.
Rockstar License
add_principal identifier.license:xxxxxxxxxxxxxx group.admin
FiveM ID
add_principal identifier.fivem:xxxxxx group.admin
Avoid: Identification by IP (
identifier.ip:xxx) is discouraged as IPs change regularly.
Permissions for jobs (RP server)
On a roleplay server, you can create specific permissions by job:
# Police
add_ace group.police police.menu allow
add_ace group.police police.armory allow
add_ace group.police police.handcuff allow
add_ace group.police police.vehicle allow
# EMS
add_ace group.ems ems.menu allow
add_ace group.ems ems.vehicle allow
add_ace group.ems command.revive allow
add_ace group.ems command.heal allow
# Mechanic
add_ace group.mechanic mechanic.menu allow
add_ace group.mechanic mechanic.repair allow
In your scripts, you then check the permission:
if IsPlayerAceAllowed(source, 'police.armory') then
-- The player can access the armory
end
Restricting access to a resource
You can block an entire resource and only allow it to certain groups:
# Block admin_menu for everyone
add_ace builtin.everyone resource.admin_menu deny
# Allow only admins
add_ace group.admin resource.admin_menu allow
Configuration with txAdmin
If you are using txAdmin to manage your server, you need to grant the corresponding permissions:
# Full access to txAdmin
add_ace group.superadmin txadmin allow
add_principal identifier.steam:110000xxxxxx group.superadmin
# Limited access (view only without modification)
add_ace group.admin txadmin.view allow
add_ace group.admin txadmin.control allow
Integration with ESX and QBCore
With ESX
ESX has its own group system in the database, but it can work with ACE:
add_ace group.admin command.setjob allow
add_ace group.admin command.givemoney allow
add_principal identifier.steam:xxx group.admin
Don’t forget to also set the group to admin in the users table of your ESX database.
With QBCore
QBCore uses ACE permissions natively:
add_ace group.god command allow
add_ace group.admin qbcore.admin allow
And in qb-core/server/main.lua, add your identifiers in the permissions config.
Useful commands for testing
Check if a player has a permission
In the F8 console or the server console:
test_ace steam:110000xxxxxx command.kick
Returns true or false.
List all active permissions
list_aces
Resolving common issues
Permissions not applying
- Restart the server completely (not just
refresh) - Check the exact spelling of identifiers (case-sensitive)
- Use
statusto see the identifiers of connected players
The order is important
Always create the group before adding players to it:
# ❌ Wrong order
add_principal identifier.steam:xxx group.admin
add_ace group.admin command allow
# ✅ Correct order
add_ace group.admin command allow
add_principal identifier.steam:xxx group.admin
Conflict with ESX/QBCore
If a command is denied despite the correct ACE permissions, the script itself may have its own verification system. Check the config of the relevant script.
Best security practices
Principle of least privilege
Only grant the strictly necessary permissions:
# ❌ Too broad
add_ace group.moderator command allow
# ✅ Precise
add_ace group.moderator command.kick allow
add_ace group.moderator command.ban allow
add_ace group.moderator command.warn allow
Protect critical commands
# Block for everyone by default
add_ace builtin.everyone command.restart deny
add_ace builtin.everyone command.stop deny
add_ace builtin.everyone command.exec deny
# Allow only superadmins
add_ace group.superadmin command.restart allow
add_ace group.superadmin command.stop allow
Document your configuration
Comment your server.cfg to keep track:
# ===== ADMIN GROUP =====
# Can manage players and resources
# Cannot stop/restart the server
add_ace group.admin command.kick allow
# ...
In summary
The ACE system of FiveM is powerful and flexible once you understand its logic. Key points to remember:
- Use groups rather than individual permissions
- Take advantage of inheritance to avoid repetition
- Steam ID is the most reliable identifier
- Apply the principle of least privilege
- Always test your permissions after modification
Need a FiveM server to set all this up? OuiHeberg offers FiveM hosting plans with full access to your configuration files to manage your ACE permissions as you wish.