Add a path-based ACL for a scripted REST API

  • Release version: Australia
  • Updated March 12, 2026

    Path-based Access Control Levels (ACLs) enable you to define access control rules for scripted REST API endpoints using their resource path. This can be done independently of the ACL references on the operation record. Path-based ACLs enable more flexible security configurations, especially for read-only APIs and guest user experiences.

    Before you begin

    Role required: security_admin or admin

    Additional requirement: the full resource path from the API's SysWS operation record (found in the "Resource path" field)

    About this task

    Path-based ACLs are defined in the sys_security_acl table with the type "REST Endpoint" and apply to specific REST API resource paths. Unlike operation-referenced ACLs (which only apply when "Requires authentication" is checked), path-based ACLs are evaluated for every request to matching resource paths.

    When to use Path-Based ACLs:

    • You must add security to a read-only API that you can’t modify
    • You want to enable guest access to public APIs with controlled authorization
    • You must grant access based on custom roles not defined in the original API
    • You want to add security layers without modifying the original API record

    Important: Path-based ACLs work alongside operation-referenced ACLs, not in place of them. All applicable ACLs must pass for access to be granted.

    Procedure

    1. Navigate to All > sys_security_acl.list.
    2. Select New.
    3. Select REST Endpoint in the Type field.
    4. Select the necessary HTTP method for the ACL in the Operation field.
      • GET
      • POST
      • PUT
      • DELETE
      • PATCH
      • Or other HTTP methods as needed.
    5. Enter the full API resource path in the Resource Path field.
      Example: /api/sn_pa_designer/usage_monitoring/resource
      Tip:
      Copy this value from the "Resource path" field on the SysWS operation record to help ensure accuracy.
    6. Configure the ACL script or condition to define your access rules.
    7. Select Submit.

    Result

    The path-based ACL is active and will be evaluated for any requests to this resource path.
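
The evaluation rules from "About this task" can be modeled in a few lines to check how a new path-based ACL combines with an API's existing "Requires authentication" setting and operation-referenced ACLs. This is an added example, not ServiceNow platform code: it assumes an exact match on HTTP method and resource path, models each ACL script or condition as a role check, and uses hypothetical role and ACL names.

```javascript
// Simplified model of the evaluation rules above; not ServiceNow platform code.
// Assumptions: an ACL applies on an exact match of HTTP method and resource
// path, and each ACL script or condition is modeled as a check on caller roles.
function applicableAcls(request, operation, pathAcls) {
  // Operation-referenced ACLs apply only when "Requires authentication" is checked.
  const fromOperation = operation.requiresAuthentication ? operation.acls : [];
  // Path-based ACLs are evaluated for every request to a matching resource path.
  const fromPath = pathAcls.filter(
    (acl) => acl.operation === request.method && acl.resourcePath === operation.resourcePath
  );
  return [...fromOperation, ...fromPath];
}

function evaluateAccess(request, operation, pathAcls) {
  const acls = applicableAcls(request, operation, pathAcls);
  const failed = acls.filter((acl) => !acl.check(request.roles)).map((acl) => acl.name);
  // All applicable ACLs must pass for access to be granted.
  return { allowed: failed.length === 0, evaluated: acls.map((acl) => acl.name), failed };
}

const hasRole = (role) => (roles) => roles.includes(role);

// Constructed sample data. The resource path is the example from step 5;
// the role names and ACL names are hypothetical.
const RESOURCE_PATH = "/api/sn_pa_designer/usage_monitoring/resource";
const publicOperation = {
  resourcePath: RESOURCE_PATH,
  requiresAuthentication: false, // "Requires authentication" unchecked
  acls: [{ name: "operation_acl", check: hasRole("x_demo_api_user") }],
};
const protectedOperation = { ...publicOperation, requiresAuthentication: true };
const pathAcls = [
  { name: "path_acl_get", operation: "GET", resourcePath: RESOURCE_PATH,
    check: hasRole("x_demo_report_viewer") },
];

const guest = { method: "GET", roles: [] };
const viewer = { method: "GET", roles: ["x_demo_report_viewer"] };
const viewerAndApiUser = { method: "GET", roles: ["x_demo_report_viewer", "x_demo_api_user"] };
const guestPost = { method: "POST", roles: [] };

for (const [label, request, operation, acls] of [
  ["guest, public API, no path ACL", guest, publicOperation, []],
  ["guest, public API, path ACL", guest, publicOperation, pathAcls],
  ["viewer, protected API, path ACL", viewer, protectedOperation, pathAcls],
  ["guest POST, GET-only path ACL", guestPost, publicOperation, pathAcls],
]) {
  console.log(label, JSON.stringify(evaluateAccess(request, operation, acls)));
}
```

In this model the last scenario evaluates no ACL at all, because the path-based ACL was created for GET only; each HTTP method that needs protection gets its own record in step 4.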