diff --git a/include/ntfs-3g/security.h b/include/ntfs-3g/security.h
index 8612dc27..0f8f1d31 100644
--- a/include/ntfs-3g/security.h
+++ b/include/ntfs-3g/security.h
@@ -137,6 +137,7 @@ struct PERMISSIONS_CACHE {
 enum {
 SECURITY_DEFAULT, /* rely on fuse for permissions checking */
 SECURITY_RAW, /* force same ownership/permissions on files */
+ SECURITY_ACL, /* enable Posix ACLs (when compiled in) */
 SECURITY_ADDSECURIDS, /* upgrade old security descriptors */
 SECURITY_STATICGRPS, /* use static groups for access control */
 SECURITY_WANTED /* a security related option was present */
diff --git a/src/lowntfs-3g.c b/src/lowntfs-3g.c
index ed333a1a..23da4fb1 100644
--- a/src/lowntfs-3g.c
+++ b/src/lowntfs-3g.c
@@ -3812,9 +3812,11 @@ int main(int argc, char *argv[])
 if (ntfs_open_secure(ctx->vol) && (ctx->vol->major_ver >= 3))
 failed_secure = "Could not open file $Secure";
 if (!ntfs_build_mapping(&ctx->security,ctx->usermap_path,
- (ctx->vol->secure_flags & (1 << SECURITY_DEFAULT))
+ (ctx->vol->secure_flags
+ & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_ACL)))
 && !(ctx->vol->secure_flags & (1 << SECURITY_WANTED)))) {
 #if POSIXACLS
+ /* use basic permissions if requested */
 if (ctx->vol->secure_flags & (1 << SECURITY_DEFAULT))
 permissions_mode = "User mapping built, Posix ACLs not used";
 else {
@@ -3828,7 +3830,8 @@ int main(int argc, char *argv[])
 #endif /* KERNELACLS */
 }
 #else /* POSIXACLS */
- if (!(ctx->vol->secure_flags & (1 << SECURITY_DEFAULT))) {
+ if (!(ctx->vol->secure_flags
+ & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_ACL)))) {
 /*
 * No explicit option but user mapping found
 * force default security
diff --git a/src/ntfs-3g.8.in b/src/ntfs-3g.8.in
index 4d5b8a4f..18d9b903 100644
--- a/src/ntfs-3g.8.in
+++ b/src/ntfs-3g.8.in
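Review bot: Adding `SECURITY_ACL` in the middle of the enum in include/ntfs-3g/security.h renumbers `SECURITY_ADDSECURIDS`, `SECURITY_STATICGRPS` and `SECURITY_WANTED`, and the other hunks of this commit use these constants as bit positions in `secure_flags` (`1 << SECURITY_...`). If this header is installed for users of the library, a program built against the old values and a library built with the new ones would set one security mode and read another; whether anything outside this tree depends on the values is not visible here. Appending the new constant after `SECURITY_WANTED` keeps every existing bit where it was, e.g. `SECURITY_WANTED, /* a security related option was present */` followed by `SECURITY_ACL /* enable Posix ACLs (when compiled in) */`. The enum's closing brace is outside the hunk.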
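Review bot: In the `#else /* POSIXACLS */` branch of main() in src/lowntfs-3g.c (and the matching branch under `#if KERNELPERMS` in src/ntfs-3g.c), the added `| (1 << SECURITY_ACL)` term lets the ACL bit suppress the "force default security" path in a build that has no Posix ACL support. In the hunks of this commit the bit is only ever set when `case OPT_ACL` is compiled under `#if POSIXACLS`, so the term is dead in this branch today, but if the bit is ever set by another path the mount would skip the fallback to standard permissions. Keeping the previous test in this branch, `if (!(ctx->vol->secure_flags & (1 << SECURITY_DEFAULT))) {`, fails safe. The body of the `if` continues outside the hunk.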
@@ -128,6 +128,13 @@ When a user mapping file is defined, the options \fBuid=\fP, \fBgid=\fP, Set standard permissions on created files and use standard access control. This option is set by default when a user mapping file is present. .TP +.B acl +Enable setting Posix ACLs on created files and use them for access control. +This option is only available on specific builds. It is set by default +when a user mapping file is present and the +.B permissions +mount option is not set. +.TP .B inherit When creating a new file, set its initial ownership and protections according to inheritance rules defined in parent directory. These rules
diff --git a/src/ntfs-3g.c b/src/ntfs-3g.c
index e2fffcdc..2e4267f1 100644
--- a/src/ntfs-3g.c
+++ b/src/ntfs-3g.c
@@ -3732,9 +3732,11 @@ int main(int argc, char *argv[])
 if (ntfs_open_secure(ctx->vol) && (ctx->vol->major_ver >= 3))
 failed_secure = "Could not open file $Secure";
 if (!ntfs_build_mapping(&ctx->security,ctx->usermap_path,
- (ctx->vol->secure_flags & (1 << SECURITY_DEFAULT))
+ (ctx->vol->secure_flags
+ & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_ACL)))
 && !(ctx->vol->secure_flags & (1 << SECURITY_WANTED)))) {
 #if POSIXACLS
+ /* use basic permissions if requested */
 if (ctx->vol->secure_flags & (1 << SECURITY_DEFAULT))
 permissions_mode = "User mapping built, Posix ACLs not used";
 else {
@@ -3748,7 +3750,8 @@ int main(int argc, char *argv[])
 }
 #else /* POSIXACLS */
 #if KERNELPERMS
- if (!(ctx->vol->secure_flags & (1 << SECURITY_DEFAULT))) {
+ if (!(ctx->vol->secure_flags
+ & ((1 << SECURITY_DEFAULT) | (1 << SECURITY_ACL)))) {
 /*
 * No explicit option but user mapping found
 * force default security
diff --git a/src/ntfs-3g_common.c b/src/ntfs-3g_common.c
index 1528100b..4a0c5c7b 100644
--- a/src/ntfs-3g_common.c
+++ b/src/ntfs-3g_common.c
@@ -78,6 +78,7 @@ const struct DEFOPTION optionlist[] = {
 { "no_def_opts", OPT_NO_DEF_OPTS, FLGOPT_BOGUS },
 { "default_permissions", OPT_DEFAULT_PERMISSIONS, FLGOPT_BOGUS },
 { "permissions", OPT_PERMISSIONS, FLGOPT_BOGUS },
+ { "acl", OPT_ACL, FLGOPT_BOGUS },
 { "umask", OPT_UMASK, FLGOPT_OCTAL },
 { "fmask", OPT_FMASK, FLGOPT_OCTAL },
 { "dmask", OPT_DMASK, FLGOPT_OCTAL },
@@ -175,6 +176,7 @@ char *parse_mount_options(ntfs_fuse_context_t *ctx,
 BOOL no_def_opts = FALSE;
 int default_permissions = 0;
 int permissions = 0;
+ int acl = 0;
 int want_permissions = 0;
 int intarg;
 const struct DEFOPTION *poptl;
@@ -243,6 +245,11 @@ char *parse_mount_options(ntfs_fuse_context_t *ctx,
 case OPT_PERMISSIONS :
 permissions = 1;
 break;
+#if POSIXACLS
+ case OPT_ACL :
+ acl = 1;
+ break;
+#endif
 case OPT_UMASK :
 ctx->dmask = ctx->fmask = intarg;
 want_permissions = 1;
@@ -436,7 +443,7 @@ char *parse_mount_options(ntfs_fuse_context_t *ctx,
 }
 if (!no_def_opts && ntfs_strappend(&ret, def_opts))
 goto err_exit;
- if ((default_permissions || permissions)
+ if ((default_permissions || (permissions && !acl))
 && ntfs_strappend(&ret, "default_permissions,"))
 goto err_exit;
 /* The atime options exclude each other */
@@ -451,8 +458,10 @@ char *parse_mount_options(ntfs_fuse_context_t *ctx,
 goto err_exit;
 if (ntfs_strappend(&ret, popts->device))
 goto err_exit;
- if (permissions)
+ if (permissions && !acl)
 ctx->secure_flags |= (1 << SECURITY_DEFAULT);
+ if (acl)
+ ctx->secure_flags |= (1 << SECURITY_ACL);
 if (want_permissions)
 ctx->secure_flags |= (1 << SECURITY_WANTED);
 if (ctx->ro)
diff --git a/src/ntfs-3g_common.h b/src/ntfs-3g_common.h
index c95383f0..383dbe01 100644
--- a/src/ntfs-3g_common.h
+++ b/src/ntfs-3g_common.h
@@ -54,6 +54,7 @@ enum {
 OPT_NO_DEF_OPTS,
 OPT_DEFAULT_PERMISSIONS,
 OPT_PERMISSIONS,
+ OPT_ACL,
 OPT_UMASK,
 OPT_FMASK,
 OPT_DMASK,
@@ -120,6 +121,7 @@ typedef struct {
 BOOL windows_names;
 BOOL ignore_case;
 BOOL compression;
+ BOOL acl;
 BOOL silent;
 BOOL recover;
 BOOL hiberfile;
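Review bot: `case OPT_ACL` in parse_mount_options() is compiled only under `#if POSIXACLS`, while the `{ "acl", OPT_ACL, FLGOPT_BOGUS }` entry added to `optionlist` in the first hunk of this file is unconditional. On a build without Posix ACLs the option is therefore still recognised and ends up in whatever the switch does by default, which is outside this hunk. An administrator who mounts with `acl` on such a build should get a failed mount or at least a logged error, not a mount that quietly applies a different access-control mode. Consider an `#else` arm for `OPT_ACL` that reports the option as unsupported and does `goto err_exit;`, or put the table entry under the same `#if POSIXACLS`.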
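Review bot: The precedence between `permissions` and `acl` is only implicit in `if (permissions && !acl)` in the last src/ntfs-3g_common.c hunk and in the `default_permissions` test of the hunk before it. When both options are given, `acl` wins: `SECURITY_DEFAULT` is not set and `default_permissions,` is not appended unless that option was given on its own. A one-line comment above the test would spare the next reader from deriving this, e.g. `/* acl takes precedence over permissions when both are present */`. The function body continues outside the hunk.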
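Review bot: The new `BOOL acl;` member in src/ntfs-3g_common.h is neither assigned nor read in any hunk of this commit; parse_mount_options() keeps the option in a local `int acl` and records it in `secure_flags`. If nothing outside these hunks uses the member, drop it so that `secure_flags` stays the single record of the chosen access-control mode. If it is meant to be used, set it where the option is parsed and document it, e.g. `BOOL acl; /* acl mount option was given */`. The struct continues outside the hunk.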