diff --git a/pkg/acl/list/aclstate.go b/pkg/acl/list/aclstate.go
index 0424dc42..c5a2d63f 100644
--- a/pkg/acl/list/aclstate.go
+++ b/pkg/acl/list/aclstate.go
@@ -15,7 +15,7 @@ import (
 	"hash/fnv"
 )
 
-var log = logger.NewNamed("acllist")
+var log = logger.NewNamed("acllist").Sugar()
 
 var ErrNoSuchUser = errors.New("no such user")
 var ErrFailedToDecrypt = errors.New("failed to decrypt key")
@@ -77,6 +77,7 @@ func (st *ACLState) UserReadKeys() map[uint64]*symmetric.Key {
 func (st *ACLState) PermissionsAtRecord(id string, identity string) (UserPermissionPair, error) {
 	permissions, ok := st.permissionsAtRecord[id]
 	if !ok {
+		log.Errorf("missing record at id %s", id)
 		return UserPermissionPair{}, ErrNoSuchRecord
 	}
 
@@ -135,6 +136,7 @@ func (st *ACLState) applyChangeAndUpdate(recordWrapper *Record) (err error) {
 		permissions = append(permissions, permission)
 	}
 	st.permissionsAtRecord[recordWrapper.Id] = permissions
+	log.Infof("adding permissions at record %s", recordWrapper.Id)
 	return nil
 }
 
diff --git a/pkg/acl/list/list.go b/pkg/acl/list/list.go
index a4f64f8e..acd2b131 100644
--- a/pkg/acl/list/list.go
+++ b/pkg/acl/list/list.go
@@ -7,6 +7,7 @@ import (
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/pkg/acl/aclchanges/aclpb"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/pkg/acl/storage"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/util/keys"
+	"go.uber.org/zap"
 	"sync"
 )
 
@@ -98,6 +99,8 @@ func buildWithACLStateBuilder(builder *aclStateBuilder, storage storage.ListStor
 		indexes[records[len(records)/2].Id] = len(records) / 2
 	}
 
+	log.With(zap.String("head id", records[len(records)-1].Id), zap.String("list id", id)).
+		Info("building acl tree")
 	state, err := builder.Build(records)
 	if err != nil {
 		return nil, err
diff --git a/pkg/acl/tree/changevalidator.go b/pkg/acl/tree/changevalidator.go
index 2f0b5fe2..0c77d169 100644
--- a/pkg/acl/tree/changevalidator.go
+++ b/pkg/acl/tree/changevalidator.go
@@ -26,7 +26,7 @@ func (v *docTreeValidator) ValidateTree(tree *Tree, aclList list.ACLList) (err e
 
 	tree.Iterate(tree.RootId(), func(c *Change) (isContinue bool) {
 		// checking if the user could write
-		perm, err = state.PermissionsAtRecord(c.Id, c.Content.Identity)
+		perm, err = state.PermissionsAtRecord(c.Content.AclHeadId, c.Content.Identity)
 		if err != nil {
 			return false
 		}