[skip ci] Update README

README.md

@@ -34,6 +34,7 @@ Then you need to modify a few configuration parameters for your instance:
 - `trigger_token`: An OBS access token with the `runservice` capability. See "Creating tokens" below.
 - `rebuild_token`: An OBS access token with the `rebuild` capability. See "Creating tokens" below.
 - `secret`: A random string used to encrypt the password in the configuration file.
+- `acl`: User IDs (`@user:homeserver.com`) which are allowed to interact with the bot. See "Access control lists" below.
 
 ### Creating tokens
 
@@ -59,9 +60,26 @@ Save both tokens in the configuration. Should you need to, you can view them lat
 
 Make sure your bot instance is in a room (refer to the maubot docs for how) and then type `!osc help` for help.
 
+### Access control lists (ACLs)
+
+By default, no user is allowed to perform any operation. You need to change the `acl` section of the configuration to add user IDs (`@user:homeserver.com`) allowed to interact with the bot. Users in the `admin` list have full powers over the bot, while users in the `user` list can only perform read-only (e.g. status querying) actions.
+
+This example shows how it works in practice:
+
+```yaml
+acl:
+  admin:
+    # Fred and Sue will be able to perform all commands
+    - @fred:myhome.com
+    - @sue:otherserver.com
+  user:
+    # Phil will only be able to run read-only (status, etc.) commands
+    - @phil:elsewhere.com
+```
+
 ### Notice
 
-I made this in about three or four hours for my own use. Don't expect high quality code or a lot of polish.
+I made this for my own use. Don't expect high quality code or a lot of polish.
 
 ### License