FiveM ACE Permissions System Explained: add_ace and add_principal (2026)
Understand FiveM's built-in ACE permission system — how principals, aces, and inheritance work. Learn to configure admin groups, moderator roles, and resource permissions with real examples.
What Is the ACE Permission System?
ACE (Access Control Entries) is FiveM's built-in permission system for controlling who can execute commands and access resources on your server. Every FiveM server uses ACE — it defines who is an admin, who can kick players, and who can access restricted features.
Understanding ACE is essential for any server owner in 2026. This guide explains how principals, aces, and inheritance work.
Core Concepts
Principals
A principal is an identity — it represents a player or a group:
- Identifier principals — Represent specific players using unique identifiers (e.g., identifier.fivem:123456, identifier.discord:7890)
- Group principals — Represent groups that players can belong to (e.g., group.admin, group.moderator)
Aces (Access Control Entries)
An ace defines a permission — what a principal is allowed or denied to do. Aces are attached to principals (usually groups) and grant or deny specific capabilities.
The add_principal Command
add_principal assigns a player or group to another group, creating the permission hierarchy:
Syntax: add_principal <child_principal> <parent_principal>
Adding a Player to the Admin Group
add_principal identifier.fivem:123456 group.admin
This makes the player with FiveM identifier 123456 a member of the admin group. They inherit all permissions assigned to group.admin.
Supported Identifier Types
- identifier.fivem: — Cfx.re / FiveM license ID
- identifier.steam: — Steam hex ID
- identifier.discord: — Discord user ID
- identifier.license: — Rockstar license
- identifier.license2: — Secondary Rockstar license
The add_ace Command
add_ace grants or denies a permission to a principal:
Syntax: add_ace <principal> <object> <allow|deny>
Common Examples
# Allow admins to use all commands
add_ace group.admin command allow
# Allow moderators to kick players
add_ace group.moderator command.kick allow
# Allow moderators to use the ban command
add_ace group.moderator command.ban allow
# Deny a specific command even for admins
add_ace group.admin command.quit deny
Group Inheritance
One of ACE's most powerful features is inheritance. When you add a group as a principal of another group, it inherits all permissions:
# Moderator gets basic moderation commands
add_ace group.moderator command.kick allow
add_ace group.moderator command.warn allow
# Admin inherits everything from moderator, plus more
add_principal group.admin group.moderator
add_ace group.admin command.ban allow
add_ace group.admin command.restart allow
# Owner inherits everything from admin
add_principal group.owner group.admin
add_ace group.owner command allow
With this setup:
- Moderators can kick and warn
- Admins can do everything moderators can, plus ban and restart
- Owners can execute any command
Setting Up permissions.cfg
Keep your ACE configuration in a separate file called permissions.cfg:
# Groups
add_ace group.admin command allow
add_ace group.admin command.quit deny
add_principal group.admin group.moderator
add_ace group.moderator command.kick allow
add_ace group.moderator command.warn allow
add_ace group.moderator command.spectate allow
# Players
add_principal identifier.fivem:abc123 group.admin
add_principal identifier.discord:123456789 group.moderator
Then in your server.cfg, load it with:
exec permissions.cfg
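The inheritance chain and permissions.cfg layout described above can be audited offline before the file is loaded. The JavaScript below is an added example, not code from FiveM or from this article: it parses add_ace / add_principal lines and resolves what a principal can effectively do. It assumes that an ace on command also covers command.kick and that a matching deny overrides an allow (both inferred from the examples on this page); the function names are hypothetical.

```javascript
// Added example (not FiveM code). Assumes an ace on "command" also covers
// "command.kick", and that any matching deny overrides an allow.
const SAMPLE_CFG = `
# constructed sample, mirrors the permissions.cfg shown above
add_ace group.admin command allow
add_ace group.admin command.quit deny
add_principal group.admin group.moderator
add_ace group.moderator command.kick allow
add_principal identifier.fivem:abc123 group.admin
add_principal identifier.discord:123456789 group.moderator
`;

function parseCfg(text) {
  const aces = [];            // { principal, object, allow }
  const parents = new Map();  // child principal -> Set of parent principals
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();   // drop comments
    if (!line) continue;
    const [cmd, a, b, c] = line.split(/\s+/);
    if (cmd === 'add_ace' && a && b && (c === 'allow' || c === 'deny')) {
      aces.push({ principal: a, object: b, allow: c === 'allow' });
    } else if (cmd === 'add_principal' && a && b) {
      if (!parents.has(a)) parents.set(a, new Set());
      parents.get(a).add(b);
    }
  }
  return { aces, parents };
}

// Every principal reachable through child -> parent links, cycle-safe.
function ancestors(parents, principal, seen = new Set()) {
  if (seen.has(principal)) return seen;
  seen.add(principal);
  for (const p of parents.get(principal) || []) ancestors(parents, p, seen);
  return seen;
}

function isAllowed(cfg, principal, object) {
  const chain = ancestors(cfg.parents, principal);
  const hits = cfg.aces.filter(e => chain.has(e.principal) &&
    (object === e.object || object.startsWith(e.object + '.')));
  if (hits.some(e => !e.allow)) return false; // deny wins (assumption)
  return hits.some(e => e.allow);             // no matching ace: not allowed
}

// Principals holding a bare "command" allow, i.e. every command: review these.
const broadGrants = cfg => cfg.aces
  .filter(e => e.allow && e.object === 'command').map(e => e.principal);
```

Running isAllowed for each staff identifier against the commands you care about shows the effect of a change before the server is restarted, and broadGrants lists the groups that hold every command.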
Resource Permissions
ACE isn't limited to commands — scripts can define and check custom permissions:
# Allow admins to use a custom feature in a script
add_ace group.admin myresource.admin allow
# Allow a police group to access specific script features
add_ace group.police myresource.police allow
Script developers check these aces using the IsPlayerAceAllowed native function, which returns whether a player has a specific ace.
Finding Player Identifiers
To add a player to a group, you need their identifier:
- txAdmin — Open a player's profile to see all their identifiers
- Server console — When a player connects, their identifiers are logged
- In-game commands — Some frameworks provide admin commands to display a player's identifiers
Troubleshooting
"Player doesn't have permissions"
- Verify the correct identifier type and value
- Check for typos in the identifier string
- Make sure permissions.cfg is being loaded (exec permissions.cfg in server.cfg)
- Restart the server after changes — ACE updates require a restart
"Permissions not applying"
- Some resources cache permissions at startup and may need restarting individually
- Verify the principal chain is correct (child → parent relationships)
Build a Secure Permission Structure
A well-organized ACE system keeps your server secure while giving your staff the tools they need. Combined with the in-game management features of Jobs Creator, your server's permission and job hierarchy work together seamlessly.