diff --git a/app/config/acl.yml b/app/config/acl.yml
new file mode 100644
index 0000000..0f27795
--- /dev/null
+++ b/app/config/acl.yml
@@ -0,0 +1,42 @@
+
+# ACL in this system is defined as follows:
+#
+# - Roles:
+# Roles define a group of user. like Author, Admin, Guest etc.
+# Each role can inherit other roles with the "inherit" key.
+# Each role can gain access to a zone (explained later) by the
+# "allowed-zones" key. Per default a role is denied access to all zones.
+#
+# - Resources:
+# Resources maps directly to controller names.
+# There a 2 controllers/resources that are a bit special,
+# index and error resources are always accessible by everyone (e.g. they
+# are not part of the ACL).
+#
+# - Access levels.
+# These are not used in this system. a hardcoded "All" level is used.
+#
+# Zones
+#
+# Zones defines a group of resources. for example an "backend" zone can
+# have 2 controllers/resources (site-config, user-manager)
+#
+# Zones might be implemented using modules later.
+
+acl:
+ roles:
+ guest:
+ allowed-zones: public
+ description: Non logged in users
+ user:
+ inherits: guest
+ allowed-zones: user
+ description: Logged in users
+ #admin:
+ # inherits: user
+ # allowed-zones: backend
+
+ zones:
+ public: [ auth, api ]
+ user: [ user, callback ]
+ #backend: [ site, user-man ]
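Review bot: The `public` zone lists `api` next to `auth`, and the `guest` role ("Non logged in users") is allowed that zone, so the whole api controller is reachable without a login; since the header says access levels are unused and a hardcoded "All" level applies, there is no per-action restriction behind it. If only part of the API is meant to be anonymous, I would move it out of the public zone, e.g. `public: [ auth ]` and `user: [ user, callback, api ]`, or split the anonymous endpoints into their own controller. Separately, the header comment names the inheritance key `"inherit"` while the `user` role is written with `inherits: guest`; the spelling the loader does not read would presumably be dropped without an error, so the comment and the key should agree. The loader is not part of this diff, so both points need confirming against the code that consumes this file.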