Hello everyone . Apologize in advance for any errors. In my opinion in the acl is a small drawback, namely the method isAllowed and its first attribute . Imagine the situation : the logic of the application , the user belongs to multiple groups , for which, respectively, some available resources. A resource may be available in two or more groups. In this case, have repeatedly call the isAllowed and peredovat as the first attribute name role to which user belongs to. It would be easier if acl kept the resulting array of available resources and would not have to peredovat title role. Maybe I'm not well mastered the techniques of acl, so once again I bring apologies . I would be happy to comment .