diff --git a/src/api2/access/acl.rs b/src/api2/access/acl.rs
index 20dac485..71a7406e 100644
--- a/src/api2/access/acl.rs
+++ b/src/api2/access/acl.rs
@@ -66,6 +66,19 @@ pub struct AclListItem {
     roleid: String,
 }
 
+fn check_acl_path(path: &str) -> Result<(), Error> {
+
+    let path = acl::split_acl_path(path);
+
+    if path.is_empty() { return Ok(()); }
+
+    if path.len() == 2 {
+        if path[0] == "storage" { return Ok(()); }
+    }
+
+    bail!("invalid acl path.");
+}
+
 fn extract_acl_node_data(
     node: &acl::AclTreeNode,
     path: &str,
@@ -182,7 +195,7 @@ pub fn update_acl(
 
     let delete = delete.unwrap_or(false);
 
-    if let Some(ref group) = group {
+    if let Some(ref _group) = group {
         bail!("parameter 'group' - groups are currently not supported.");
     } else if let Some(ref userid) = userid {
         if !delete { // Note: we allow to delete non-existent users
@@ -195,6 +208,10 @@ pub fn update_acl(
         bail!("missing 'userid' or 'group' parameter.");
     }
 
+    if !delete { // Note: we allow to delete entries with invalid path
+        check_acl_path(&path);
+    }
+
     if let Some(userid) = userid {
         if delete {
             tree.delete_user_role(&path, &userid, &role);
diff --git a/src/config/acl.rs b/src/config/acl.rs
index f12aa21e..ab43e5a8 100644
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@@ -52,7 +52,7 @@ lazy_static! {
     };
 }
 
-fn split_acl_path(path: &str) -> Vec<&str> {
+pub fn split_acl_path(path: &str) -> Vec<&str> {
 
     let items = path.split('/');