# Kafka ACLs

{% hint style="info" %}
These ACLs are for the underlying Lenses Agent Kafka client. Lenses has its own set of permissions guarding access.

You can restrict the access of the Lenses Kafka client, but this can reduce the functionality available in Lenses, e.g. Lenses may not be able to create topics at all, even though this can be managed by [Lenses' own IAM system](https://docs.lenses.io/hub/user-guide/iam).
{% endhint %}

When your Kafka cluster is configured with an authorizer which enforces ACLs, the Agent will need a set of permissions to function correctly.

Common practice is to give the Agent *superuser* status or the complete list of available operations for all resources. The IAM model of Lenses can then be used to restrict the access level per user.

```bash
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation All \
    --topic '*' \
    --group '*' \
    --delegation-token '*' \
    --cluster
```

## Minimal Permissions <a href="#minimal-permissions" id="minimal-permissions"></a>

The Agent needs permission to manage and access its own internal Kafka topics:

* `__topology`
* `__topology__metrics`

```bash
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation All \
    --topic [topic]
```

It also needs read and describe permissions for the consumer offsets and Kafka Connect topics (if enabled):

* `__consumer_offsets`
* `connect-configs`
* `connect-offsets`
* `connect-status`

```bash
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation DescribeConfigs \
    --operation Read \
    --topic [topic]
```

The same set of permissions is required for any topic to which the Agent must have read access.

```bash
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation DescribeConfigs \
    --operation Read \
    --topic '*'
```

{% hint style="info" %}
DescribeConfigs was added in Kafka 2.0. It may not be needed for versions before 2.2.
{% endhint %}

Additional permissions are needed to produce to topics or manage them.

## Consumer Groups <a href="#consumer-groups" id="consumer-groups"></a>

Permission to at least read and describe consumer groups is required to take advantage of the Consumer Groups' monitoring capabilities.

```bash
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation Read \
    --group '*'
```

Additional permissions are needed to manage groups.

## ACLs <a href="#acls" id="acls"></a>

To manage ACLs, permission to the cluster is required:

```bash
kafka-acls \
    --bootstrap-server [broker.url:9092] --command-config [client.properties] \
    --add \
    --allow-principal [User:Lenses] \
    --allow-host [lenses.host] \
    --operation Describe \
    --operation DescribeConfigs \
    --operation Alter \
    --cluster
```
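
The grants from the Minimal Permissions, Consumer Groups and ACLs sections can be collected into one reviewable plan. The script below is an added example, not part of the Lenses documentation: it only prints the `kafka-acls` commands so they can be inspected before being run, and it leaves out the wildcard topic read grant. The function names, the environment variable names and their defaults are assumptions standing in for the bracketed placeholders used on this page.

```shell
#!/bin/sh
# Added example: prints (does not run) the kafka-acls commands for the
# minimal grants described on this page.
# Variable names and defaults are placeholders (assumptions), not real hosts.
BROKER="${BROKER:-broker.url:9092}"
CLIENT_CFG="${CLIENT_CFG:-client.properties}"
PRINCIPAL="${PRINCIPAL:-User:Lenses}"
LENSES_HOST="${LENSES_HOST:-lenses.host}"

# emit_acl RESOURCE_FLAG RESOURCE_NAME OPERATION...
# RESOURCE_NAME is single-quoted in the output so a literal * is never
# glob-expanded by the shell that eventually runs the command.
emit_acl() {
    flag="$1"; name="$2"; shift 2
    ops=""
    for op in "$@"; do ops="$ops --operation $op"; done
    if [ -n "$name" ]; then name=" '$name'"; fi
    printf "kafka-acls --bootstrap-server '%s' --command-config '%s' --add --allow-principal '%s' --allow-host '%s'%s %s%s\n" \
        "$BROKER" "$CLIENT_CFG" "$PRINCIPAL" "$LENSES_HOST" "$ops" "$flag" "$name"
}

lenses_minimal_acls() {
    # Agent-owned internal topics: full access.
    for t in __topology __topology__metrics; do
        emit_acl --topic "$t" All
    done
    # Consumer offsets and Kafka Connect topics: read and describe only.
    # Assumption: remove the connect-* names when Kafka Connect is not used.
    for t in __consumer_offsets connect-configs connect-offsets connect-status; do
        emit_acl --topic "$t" Describe DescribeConfigs Read
    done
    # Consumer group monitoring.
    emit_acl --group '*' Describe Read
    # ACL management: cluster-level rights, no resource name.
    emit_acl --cluster "" Describe DescribeConfigs Alter
}

# Print the plan for review.
lenses_minimal_acls
```

After reviewing the printed plan, it can be applied with `sh script.sh | sh` from a host that has `kafka-acls` on its `PATH`.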


