diff --git a/container/service.pb.go b/container/service.pb.go
index d9febc0..cac8764 100644
Binary files a/container/service.pb.go and b/container/service.pb.go differ
diff --git a/container/service.proto b/container/service.proto
index 8a3f56c..9bd02c9 100644
--- a/container/service.proto
+++ b/container/service.proto
@@ -41,6 +41,9 @@ message PutRequest {
     // Rules define storage policy for the object inside the container.
     netmap.PlacementRule rules               = 4 [(gogoproto.nullable) = false];
 
+    // Container ACL.
+    AccessGroup Group                        = 5 [(gogoproto.nullable) = false];
+
     // RequestMetaHeader contains information about request meta headers (should be embedded into message)
     service.RequestMetaHeader Meta           = 98 [(gogoproto.embed) = true, (gogoproto.nullable) = false];
     // RequestVerificationHeader is a set of signatures of every NeoFS Node that processed request (should be embedded into message)
diff --git a/container/types.go b/container/types.go
index 9269f30..d5d5a77 100644
--- a/container/types.go
+++ b/container/types.go
@@ -11,6 +11,19 @@ import (
 	"github.com/pkg/errors"
 )
 
+// AccessMode is a container access mode type.
+type AccessMode uint32
+
+const (
+	// AccessModeRead is a read access mode.
+	AccessModeRead AccessMode = 1 << iota
+	// AccessModeWrite is a write access mode.
+	AccessModeWrite
+)
+
+// AccessModeReadWrite is a read/write container access mode.
+const AccessModeReadWrite = AccessModeRead | AccessModeWrite
+
 var (
 	_ internal.Custom = (*Container)(nil)
 
diff --git a/container/types.pb.go b/container/types.pb.go
index 7bf9a03..7a454de 100644
Binary files a/container/types.pb.go and b/container/types.pb.go differ
diff --git a/container/types.proto b/container/types.proto
index a601edd..4600046 100644
--- a/container/types.proto
+++ b/container/types.proto
@@ -17,4 +17,18 @@ message Container {
     uint64 Capacity            = 3;
     // Rules define storage policy for the object inside the container.
     netmap.PlacementRule Rules = 4 [(gogoproto.nullable) = false];
+    // Container ACL.
+    AccessControlList List     = 5 [(gogoproto.nullable) = false];
+}
+
+message AccessGroup {
+    // Group access mode.
+    uint32 AccessMode         = 1;
+    // Group members.
+    repeated bytes UserGroup  = 2 [(gogoproto.customtype) = "OwnerID", (gogoproto.nullable) = false];
+}
+
+message AccessControlList {
+    // List of access groups.
+    repeated AccessGroup List = 1 [(gogoproto.nullable) = false];
 }
diff --git a/container/types_test.go b/container/types_test.go
index c7dbbf8..cfd5f52 100644
--- a/container/types_test.go
+++ b/container/types_test.go
@@ -55,3 +55,23 @@ func TestCID(t *testing.T) {
 		require.Equal(t, cid1, cid2)
 	})
 }
+
+func TestAccessMode(t *testing.T) {
+	t.Run("read access to read/write mode", func(t *testing.T) {
+		require.Equal(t, AccessModeRead, AccessModeReadWrite&AccessModeRead)
+	})
+
+	t.Run("write access to read/write mode", func(t *testing.T) {
+		require.Equal(t, AccessModeWrite, AccessModeReadWrite&AccessModeWrite)
+	})
+
+	t.Run("read(write) access to write(read) mode", func(t *testing.T) {
+		require.Zero(t, AccessModeRead&AccessModeWrite)
+	})
+
+	t.Run("access to same mode", func(t *testing.T) {
+		require.Equal(t, AccessModeWrite, AccessModeWrite&AccessModeWrite)
+		require.Equal(t, AccessModeRead, AccessModeRead&AccessModeRead)
+		require.Equal(t, AccessModeReadWrite, AccessModeReadWrite&AccessModeReadWrite)
+	})
+}