The various tools for administrating clusters, like the crm shell, Hawk, or the Pacemaker GUI, can be used by root or any user in the group haclient. By default, these users have full read-write access. In some cases, you may want to limit access or assign more fine-grained access rights.
Optional Access control lists (ACLs) allow you to define rules for users in the haclient group to allow or deny access to any part of the cluster configuration. Typically, sets or rules are combined into roles. Then you can assign users to a role that fits their tasks.