> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cognite.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Access control features

> Learn how to control access to graphs using spaces and access control lists (ACLs) in the Data Modeling Service.

Data modeling access control is based on [**spaces**](/cdf/dm/dm_concepts/dm_spaces_instances#space). When you control access to a space, you can control read and write for schemas and instances separately. For each space, you can give some users write access to the schema while allowing others to read the schema and write data instances.

## Access control lists (ACLs)

The ACLs used to control access in DMS are:

* `dataModelInstances`: controls access to instances (nodes and edges.)

  * `READ`: allows reading instances.
  * `WRITE`: allows reading, creating, modifying, and deleting instances.
  * `WRITE_PROPERTIES`: allows writing properties without allowing creation/deletion of instances.

* `dataModels`: controls access to schemas (spaces, containers, views, and data models.)
  * `READ`: allows reading schemas.
  * `WRITE`: allows reading, creating, modifying, and deleting schemas.

The ACLs support these two scopes:

* `all`: grants access to all resources in **all** spaces
* `space`: grants access to resources in the specified spaces

For example, the capabilities in the example below grant access to:

* Read instances in all spaces.
* Modify/delete instances in `space1`.
* Write properties to instances in `space2` using views/containers you have read access to.
* Read and modify schemas in all spaces.

```
- dataModelInstances
    actions: [READ]
    scope:
      all: {}
- dataModelInstances
    actions: [WRITE]
    scope:
      space: [space1]
- dataModelInstances
    actions: [WRITE_PROPERTIES]
    scope:
      space: [space2]
- dataModels:
    actions: [READ, WRITE]
    scope:
      all: {}
```

## Autocreate instances

You can only autocreate instances in spaces you have **write** access to. Even if you set `autoCreateDirectRelations` to `true` when ingesting, the nodes in the spaces you only have read access to **must** already exist.

## Edges and direct relations

You need **read** access to the target space to point edges and direct relations to nodes in other spaces.