David,

 

I used ACL of type REST_Endpoint in the Scripted API resource to check if the User who is trying to Authenticate has appropriate roles or not. (OOB Example you can check is an ACL with Name "Scripted REST External Default")

As an endpoint is subjected to a Non Interactive Session, Defining Read/Write ACL's is not appropriate. So defining ACL's of Operation Execute would do the job as it determines who can execute scripts against a particular table.  

 

Thank you,

Aman Gurram