Add more content.

dwdougherty · dwdougherty · commit df1efe195635 · 2025-06-05T10:22:56.000-07:00
diff --git a/content/operate/oss_and_stack/management/security/acl.md b/content/operate/oss_and_stack/management/security/acl.md
@@ -323,9 +323,7 @@ The following is a list of command categories and their meanings:
 * **transaction** - [`WATCH`](/commands/watch) / [`MULTI`](/commands/multi) / [`EXEC`](/commands/exec) related commands.
 * **write** - Writing to keys (values or metadata). Note that commands that don't interact with keys, will not have either `read` or `write`.
 
-1. <a name="cmd-note-1"></a>Before Redis 8, the existing ACL categories @read, @write, @dangerous, @admin, @slow, and @fast did not include commands for the Redis Query Engine, JSON, time series, and probabilistic data structures.
-
-    Starting with Redis 8, Redis includes all Query Engine, JSON, time series, Bloom filter, cuckoo filter, top-k, count-min sketch, and t-digest commands in these existing ACL categories.
+1. <a name="cmd-note-1"></a> See the [Redis 8 release notes]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/redisos-8.0-release-notes/#potentially-breaking-changes-to-acls" >}}) for more information about these command categories, which may introduce breaking changes to your Redis deployments.
 
 NOTE: Redis can also show you a list of all categories and the exact commands each category includes using the Redis [`ACL CAT`](/commands/acl-cat) command. 
 It can be used in two forms:
diff --git a/content/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/redisos-8.0-release-notes.md b/content/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/redisos-8.0-release-notes.md
@@ -71,10 +71,8 @@ Stand alone RediSearch, RedisJSON, RedisTimeSeries, and RedisBloom modules are n
 
   - See the [build instructions]({{< relref "/operate/oss_and_stack/install/build-stack" >}}) for information about building from source code.
   - New configuration file: `redis-full.conf`, loads Redis with all components, 
-    and contains new configuration parameters for Redis Query Engine and the new data structures .
-  - Before Redis 8, the existing ACL categories @read, @write, @dangerous, @admin, @slow, and @fast did not include commands for the Redis Query Engine, JSON, time series, and probabilistic data structures.
-
-      Starting with Redis 8, Redis includes all Query Engine, JSON, time series, Bloom filter, cuckoo filter, top-k, count-min sketch, and t-digest commands in these existing ACL categories.
+    and contains new configuration parameters for Redis Query Engine and the new data structures.
+  - New ACL categories: `@search`, `@json`, `@timeseries`, `@bloom`, `@cuckoo`, `@cms`, `@topk`, and `@tdigest` commands are also included in the existing ACL categories such as `@read` and `@write`. See [below]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisce/redisos-8.0-release-notes/#potentially-breaking-changes-to-acls" >}}) for information about potentially breaking changes.
 - More than 30 performance and resource utilization improvements.
 - A new I/O threading implementation, which enables throughput increase on multi-core environments
   (set with the `io-threads` configuration parameter).
@@ -113,3 +111,74 @@ For more details, see the release notes for the [8.0-M01](https://github.com/red
 - [#13966](https://github.com/redis/redis/pull/13966), [#13932](https://github.com/redis/redis/pull/13932) `CLUSTER SLOTS` - TLS port update not reflected.
 - [#13958](https://github.com/redis/redis/pull/13958) `XTRIM`, `XADD` - incorrect lag due to trimming stream.
 - [#13931](https://github.com/redis/redis/pull/13931) `HGETEX` - wrong order of keyspace notifications.
+
+### Potentially breaking changes to ACLs
+
+{{< note >}}
+The following content is relevant to all Redis distributions (RS, RC, and ROS).
+{{< /note >}}
+
+Redis 8 includes Redis Query Engine, as well as JSON, time series, Bloom filter, cuckoo filter, top-k, count-min sketch, and t-digest data types.
+The integration of these features into Redis also comes with improvements to Redis [ACL]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) rules.
+
+{{< warning >}}
+These ACL changes may introduce breaking changes for some users, which must be analyzed carefully.
+{{< /warning >}}
+
+### Extension to the existing ACL categories
+
+Before Redis 8, the existing ACL categories @read, @write, @dangerous, @admin, @slow, and @fast did not include commands for the Redis Query Engine and the JSON, time series, and probabilistic data structures.
+
+Starting with Redis 8, Redis includes all Query Engine, JSON, time series, Bloom filter, cuckoo filter, top-k, count-min sketch, and t-digest commands in these existing ACL categories.
+
+As a result:
+
+- Existing ACL rules such as `+@read +@write` will allow access to more commands than in previous versions of Redis. Here are some examples:
+  - A user with `+@read` access will be able to execute `FT.SEARCH`.
+  - A user with `+@write` access will be able to execute `JSON.SET`. 
+
+- ACL rules such as `+@all -@write`  will allow access to fewer commands than previous versions of Redis. For example:
+  - A user with `+@all -@write` will not be able to execute `JSON.SET`.
+
+Note that the `@all` category did not change, as it always included all the commands.
+
+Additionally, ACL rules such as `+@read +JSON.GET` can now be simplified as `+@read` because `JSON.GET` is included in the `@read` category.
+
+### Who is affected by this change?
+
+Users who currently use the Redis Query Engine and/or the JSON, time series, or probabilistic data structures, and use custom ACL rules.
+
+You should reanalyze your ACL rules to make sure they are aligned with your security and access control requirements.
+
+### Redis 8 introduces the following data structure and processing engine ACL categories.
+
+| New ACL commands category names | Included commands               |
+| :----                           | :----                           |
+| `search`                        | All Redis Query Engine commands |
+| `json`                          | All JSON commands               |
+| `timeseries`                    | All time series commands        |
+| `bloom`                         | All Bloom filter commands       |
+| `cuckoo`                        | All cuckoo filter commands      |
+| `topk`                          | All top-k commands              |
+| `cms`                           | All count-min sketch commands   |
+| `tdigest`                       | All t-digest commands           |
+
+You can use these new categories in your ACL rules.
+
+### Time series notes
+
+The following time series commands retrieve data from all keys that match a given filter expression: `TS.MGET`, `TS.MRANGE`, and `TS.MREVRANGE`. 
+
+There can be a case where a user may have to only some of the matching keys. In such cases, the command’s result is an error message: “*current user doesn't have read permission to one or more keys that match the specified filter*”.
+
+On the other hand, `TS.QUERYINDEX` does not require `@read` access to the keys that match the specified filter, as it accesses only time series metadata (name and labels) and not content (measurements).
+
+### Redis Query Engine notes
+
+The following Redis Query Engine commands may retrieve data from all keys that match the prefixes defined in the index (that is, all indexed documents, per-index):
+
+- `FT.SEARCH`  
+- `FT.AGGREGATE` (may be followed by `FT.CURSOR`)  
+- `FT.PROFILE`
+
+Only ACL users with access to a superset of the key prefixes defined during index creation can create, modify, or read the index. For example, a user with the key ACL pattern `h:*` can create an index with keys prefixed by `h:*` or `h:p*`, but not keys prefixed by `h*`, `k:*`, or `k*`, because these prefixes may involve keys to which the user does not have access.
