Access Controls

The API supports two forms of access control:

  • Roles on organisation level
  • Access Control Lists (ACL) on application level

Users with the role "ROLE_CHIEF" are administrators of an organisation. They have access to everything, are able to create new applications, and can modify the access control lists.

Access Control Lists

For precise control over permissions, ACLs on application level can be used. An ACL applies either to a single user or to a team, and it always restricts access to a single application and its sub-components.

Name     Description
view     Required for most GET requests
delete   Required for most DELETE requests
create   Required for most POST requests
edit     Required for most PATCH requests
scan     Required for scan-related actions
manage   Extended application access (moderation)

Certain requests require a combination of permissions. For example, to modify a scan a user needs both the "scan" and the "edit" permission.

When the permission requirements are not met, the API returns a 403 error.
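The following is an added example, not code from the API described on this page, showing how the two layers fit together in an authorisation check: the organisation-level "ROLE_CHIEF" role bypasses the ACLs, and otherwise the permissions granted to the user directly and to the user's teams on that application are combined and compared with what the request needs. The data structures, the function names, the resource name "scans", the rule that any request on a scan resource additionally needs "scan", and the scoping of "ROLE_CHIEF" to the application's own organisation are assumptions made for the example.

```python
"""Toy evaluator for the role + ACL model above (constructed example, not the API's own code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Permission required for most requests of a given HTTP method (taken from the table).
METHOD_PERMISSION = {"GET": "view", "DELETE": "delete", "POST": "create", "PATCH": "edit"}

# Assumption: requests on these resources are "scan related" and need "scan" as well.
SCAN_RESOURCES = frozenset({"scans"})


@dataclass(frozen=True)
class User:
    name: str
    organisation: str
    roles: FrozenSet[str] = frozenset()
    teams: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Application:
    name: str
    organisation: str


@dataclass(frozen=True)
class AclEntry:
    """Grants a set of permissions on one application to either a user or a team."""
    application: str
    permissions: FrozenSet[str]
    user: Optional[str] = None
    team: Optional[str] = None


class Forbidden(Exception):
    """Raised when the permission requirements are not met; maps to HTTP 403."""
    status = 403


def required_permissions(method: str, resource: str) -> FrozenSet[str]:
    """Permissions a request needs: one from the method, plus "scan" for scan resources."""
    if method not in METHOD_PERMISSION:
        raise ValueError(f"unsupported method {method!r}")
    needed = {METHOD_PERMISSION[method]}
    if resource in SCAN_RESOURCES:
        needed.add("scan")
    return frozenset(needed)


def effective_permissions(user: User, app: Application, acls: List[AclEntry]) -> FrozenSet[str]:
    """Union of ACL grants on this application that target the user or one of their teams."""
    granted = set()
    for entry in acls:
        if entry.application != app.name:
            continue  # an ACL never reaches beyond its own application
        if entry.user == user.name or (entry.team is not None and entry.team in user.teams):
            granted |= entry.permissions
    return frozenset(granted)


def authorize(user: User, app: Application, method: str, resource: str,
              acls: List[AclEntry]) -> FrozenSet[str]:
    """Return the satisfied permission set, or raise Forbidden (403) if anything is missing."""
    needed = required_permissions(method, resource)
    # Assumption: ROLE_CHIEF only covers applications of the user's own organisation.
    if "ROLE_CHIEF" in user.roles and user.organisation == app.organisation:
        return needed
    missing = needed - effective_permissions(user, app, acls)
    if missing:
        raise Forbidden(f"{user.name} lacks {sorted(missing)} on {app.name}")
    return needed


# Constructed sample data: one application, a user-level and a team-level ACL entry.
APP = Application("webshop", organisation="acme")
ACLS = [
    AclEntry("webshop", frozenset({"view", "edit"}), user="alice"),
    AclEntry("webshop", frozenset({"view", "scan"}), team="security"),
]
ALICE = User("alice", "acme", teams=frozenset({"security"}))      # edit (own) + scan (team)
BOB = User("bob", "acme", teams=frozenset({"security"}))          # view + scan only
CHIEF = User("carol", "acme", roles=frozenset({"ROLE_CHIEF"}))    # organisation admin
OTHER_CHIEF = User("dave", "globex", roles=frozenset({"ROLE_CHIEF"}))  # admin elsewhere


def check(user: User, method: str, resource: str) -> int:
    """HTTP status the API would answer with for this request against APP."""
    try:
        authorize(user, APP, method, resource, ACLS)
        return 200
    except Forbidden:
        return Forbidden.status


if __name__ == "__main__":
    for who, m, r in [(ALICE, "PATCH", "scans"), (BOB, "PATCH", "scans"),
                      (BOB, "GET", "scans"), (CHIEF, "DELETE", "scans"),
                      (OTHER_CHIEF, "GET", "scans")]:
        print(f"{who.name:6} {m:7} /{r}: {check(who, m, r)}")
```

Bob's PATCH on a scan fails even though his team grants "scan", because the method itself demands "edit"; this is the "scan" and "edit" combination the text describes, and the example answers with the same 403 the API does.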