Redis ACLs allow you to define named permissions for specific Redis commands, keys, and pub/sub channels. You can use defined Redis ACLs for multiple databases and roles.

Predefined Redis ACLs

The predefined Redis ACLs are:

  • Full Access - All commands are allowed on all keys.

  • Not Dangerous - All commands are allowed except those that are administrative, could affect availability, or could affect performance.

  • Read Only - Only read-only commands are allowed on keys.

Redis ACL command syntax

Redis ACLs are defined by a Redis syntax where you specify the commands or command categories that are allowed for specific keys.

Redis Enterprise lets you:

  • Include commands and categories with the “+” prefix for commands or “+@” prefix for command categories.

  • Exclude commands and categories with the “-” prefix for commands or “-@” prefix for command categories.

  • Include keys or key patterns with the “~” prefix.

  • Allow access to pub/sub channels with the “&” prefix (only supported for databases with Redis version 6.2 and later).
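
The prefix rules above, as an added example (not Redis Enterprise code): a small linter that classifies each token of an ACL rule and flags broad grants before the rule is assigned to a role. The function names, finding strings and sample rules are constructed for illustration; the check assumes Redis's left-to-right application of ACL tokens and its @all and @dangerous categories.

```python
# Added example, not Redis Enterprise code. Sample rules are constructed.
PREFIXES = [("+@", "allow_category"), ("-@", "deny_category"),
            ("+", "allow_command"), ("-", "deny_command"),
            ("~", "key_pattern"), ("&", "channel_pattern")]
PATTERN_KINDS = {"key_pattern", "channel_pattern"}

def parse_acl_rule(rule):
    """Return ordered (kind, value) pairs for each token in an ACL rule."""
    tokens = []
    for tok in rule.split():
        for prefix, kind in PREFIXES:  # two-character prefixes are listed first
            if tok.startswith(prefix):
                value = tok[len(prefix):]
                # Patterns keep their case; command and category names do not.
                tokens.append((kind, value if kind in PATTERN_KINDS else value.lower()))
                break
        else:
            tokens.append(("other", tok))  # none of the four prefixes above
    return tokens

def audit_acl_rule(rule):
    """List findings for grants that are broader than a role usually needs."""
    tokens = parse_acl_rule(rule)
    findings = []
    # Redis applies rule tokens left to right, so an exclusion only narrows
    # +@all when it appears after it.
    for i, (kind, value) in enumerate(tokens):
        if kind == "allow_category" and value == "all":
            if ("deny_category", "dangerous") not in tokens[i + 1:]:
                findings.append("+@all with no later -@dangerous")
    if ("key_pattern", "*") in tokens:
        findings.append("~* matches every key")
    if ("channel_pattern", "*") in tokens:
        findings.append("&* matches every pub/sub channel")
    others = [v for k, v in tokens if k == "other"]
    if others:
        findings.append("unclassified tokens: " + " ".join(others))
    return findings

if __name__ == "__main__":
    for sample in ["+@all ~*",                        # constructed
                   "-@dangerous +@all ~* &*",         # constructed
                   "+@read -keys ~cache:* &news.*"]:  # constructed
        print(sample, "->", audit_acl_rule(sample) or "no findings")
```
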

Note:

Module commands have several ACL limitations:

Configure Redis ACLs

To configure a Redis ACL rule that you can assign to a user role:

  1. From access control > redis acls, you can either:

    • Point to a Redis ACL and select Edit to edit an existing Redis ACL.

    • Select Add to create a new Redis ACL.

  2. Enter a descriptive name for the Redis ACL. This name is used to reference the ACL rule when you assign it to a role.

  3. Define the ACL rule.

  4. Select Save.

Note:

In Redis Enterprise:

  • External users are not currently supported for database authentication.
  • For multi-key commands on multi-slot keys, the return value is failure but the command runs on the keys that are allowed.

Change default pub/sub permissions

Pub/sub ACL rules determine which pub/sub channels a user can access.

As of Redis Enterprise version 6.4.2, you can configure acl_pubsub_default, which determines the default pub/sub permissions for all databases in the cluster. You can set acl_pubsub_default to the following values:

  • resetchannels is restrictive and blocks access to all channels by default.

  • allchannels is permissive and allows access to all channels by default.

Redis Enterprise version 6.4.2 defaults to permissive pub/sub channels for backward compatibility. We recommend you change your cluster’s default pub/sub ACLs to be restrictive.

To make default pub/sub permissions restrictive:

  1. Upgrade all databases in the cluster to Redis version 6.2 or later.

  2. Set the default to resetchannels with rladmin or the REST API.

ACL command support

Redis Enterprise Software does not support certain open source Redis ACL commands. Instead, you can manage access controls from the admin console.

Command        Supported
ACL CAT        ✅ Supported
ACL DELUSER    ❌ Not supported
ACL GENPASS    ❌ Not supported
ACL GETUSER    ✅ Supported
ACL HELP       ✅ Supported
ACL LIST       ✅ Supported
ACL LOAD       ❌ Not supported
ACL LOG        ❌ Not supported
ACL SAVE       ❌ Not supported
ACL SETUSER    ❌ Not supported
ACL USERS      ✅ Supported
ACL WHOAMI     ✅ Supported

Note:

The MULTI, EXEC, DISCARD commands are always allowed, but ACLs are enforced on MULTI subcommands.

Next steps