What ACL on user does Facebook login need

I want to lock down the ACLs so that users cannot see or modify other users' accounts. When Facebook login creates a new user (using the loginWithFacebookSDK API call), the user does not get assigned itself as owner. The table permissions seem to need to have permission change too, so I can’t see how I can lock it down to stop that account being able to change its own permissions to enable itself to find other users.

Also, the Facebook accounts are both in the social and Facebook roles, so it appears I need to set permissions on both these roles, as if either is set to deny then it cancels out the other. There appears to be no way to go back to inherit mode once it’s been set, so I cannot undo what I did and get back to a sensible situation either.

Having messed around with the ACLs at all levels in the tables, I cannot see how to get out of the state I am in either.

So I need some advice as to how to reset the ACLs for the table to be inherited again, and how to ensure that Facebook logins do not get more permissions than they need to their own account only.

OK, so I have worked out how to get the ACLs back to the original state of inherited (it was a little un-obvious as the little x does not appear until you hover over the role):

However I would still like to know the following 3 things:

    How to set the permissions so that a social user can only see and edit their own user and no one else's, when the social user is created by your loginWithFacebookSDK call on iOS. What are the right ACLs for the users table so that social users can be created by Backendless, and used for login but not be able to update other users etc.

I recommend watching this webinar where we explored all these questions:

If you still have a question after you watch it, I’d be happy to clarify.