Access Controls

The API supports two forms of access control:

  • Roles on organisation level
  • Access Control Lists (ACL) on application level


Users with the role "ROLE_CHIEF" are administrators of an organisation. They have access to everything, are able to create new applications, and can modify the access control lists.

Access Control Lists

For precise control over permissions, ACLs on application level can be used. An ACL applies either to a single user or to a team, and it always restricts access to a single application and its sub components.

  • view: Required for most GET requests
  • delete: Required for most DELETE requests
  • create: Required for most POST requests
  • edit: Required for most PATCH requests
  • scan: Required for scan related actions
  • manage: Extended application access (moderation)

Certain requests require combinations of permissions. For example, to modify a scan a user needs the permissions "scan" and "edit".

When the permission requirements of a request are not met, the API responds with HTTP 403 (Forbidden). This applies both when the single required permission is missing and when only part of a required combination is held.
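The following is an added example that models the two-tier check described above (organisation role first, then the application ACL with per-method permissions and the "scan" + "edit" combination for modifying a scan). It is illustrative code written for this page, not the API's own implementation. The data shapes (Principal, Application, the ACL dictionary keyed by user or team and application), the rule that team membership grants the team's ACL, the assumption that ROLE_CHIEF is scoped to the application's own organisation, and the choice to require "scan" for every request on a scan resource are all assumptions; the "manage" permission is not modelled because the page gives no method mapping for it.

```python
"""Illustrative authorization check for a role-plus-ACL model.

Example code written for this page; not the API's own implementation.
Data shapes and the scoping of ROLE_CHIEF are assumptions.
"""
from dataclasses import dataclass

ROLE_CHIEF = "ROLE_CHIEF"

# HTTP method -> ACL permission, as listed on the page for "most" requests.
METHOD_PERMISSION = {
    "GET": "view",
    "DELETE": "delete",
    "POST": "create",
    "PATCH": "edit",
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str
    roles: frozenset = frozenset()   # organisation-level roles
    teams: frozenset = frozenset()   # team ids the user belongs to


@dataclass(frozen=True)
class Application:
    app_id: str
    org_id: str


# Assumed ACL shape: (subject_kind, subject_id, app_id) -> permissions.
# "subject_kind" is "user" or "team"; each entry covers one application.
AclTable = dict[tuple[str, str, str], frozenset]


def required_permissions(method: str, resource: str) -> frozenset:
    """Permissions a request needs.

    Assumption: any request on a scan resource additionally needs "scan",
    which reproduces the page's example (modify a scan = "scan" + "edit").
    """
    base = METHOD_PERMISSION.get(method.upper())
    if base is None:
        raise ValueError(f"unsupported method: {method}")
    needed = {base}
    if resource == "scan":
        needed.add("scan")
    return frozenset(needed)


def effective_permissions(p: Principal, app: Application, acl: AclTable) -> frozenset:
    """Union of the user's own ACL entry and every team entry, for one app."""
    perms = set(acl.get(("user", p.user_id, app.app_id), frozenset()))
    for team in p.teams:
        perms |= acl.get(("team", team, app.app_id), frozenset())
    return frozenset(perms)


def authorize(p: Principal, app: Application, method: str, resource: str,
              acl: AclTable) -> int:
    """Return the HTTP status the check yields: 200 if allowed, else 403."""
    # Organisation role first: a chief has access to everything in the
    # organisation. Assumed: the role is scoped to the application's org,
    # so a chief of a different organisation gets no bypass.
    if ROLE_CHIEF in p.roles and p.org_id == app.org_id:
        return 200
    needed = required_permissions(method, resource)
    have = effective_permissions(p, app, acl)
    # Every required permission must be present; a partial combination
    # (e.g. "scan" without "edit") is still a 403.
    return 200 if needed <= have else 403


# --- Constructed sample data (not from the page) -------------------------
APP = Application("app-1", "org-A")
ACL_TABLE: AclTable = {
    ("team", "scanners", "app-1"): frozenset({"view", "scan"}),
    ("user", "bob", "app-1"): frozenset({"edit"}),
}
ALICE = Principal("alice", "org-A", roles=frozenset({ROLE_CHIEF}))
BOB = Principal("bob", "org-A", teams=frozenset({"scanners"}))
CAROL = Principal("carol", "org-A", teams=frozenset({"scanners"}))
DAVE = Principal("dave", "org-B", roles=frozenset({ROLE_CHIEF}))


def example_outcomes() -> dict:
    """Run the sample requests and return {label: status}."""
    return {
        "chief patches scan": authorize(ALICE, APP, "PATCH", "scan", ACL_TABLE),
        "bob patches scan (scan via team + edit via user)":
            authorize(BOB, APP, "PATCH", "scan", ACL_TABLE),
        "carol patches scan (scan only, no edit)":
            authorize(CAROL, APP, "PATCH", "scan", ACL_TABLE),
        "carol views scan": authorize(CAROL, APP, "GET", "scan", ACL_TABLE),
        "carol deletes app": authorize(CAROL, APP, "DELETE", "application", ACL_TABLE),
        "foreign chief views app": authorize(DAVE, APP, "GET", "application", ACL_TABLE),
    }


if __name__ == "__main__":
    for label, status in example_outcomes().items():
        print(f"{status}  {label}")
```

The point worth noting is in the "carol patches scan" case: she holds "scan" through her team but not "edit", so the combination check fails and the result is the same 403 as for a user with no ACL at all, which is why a 403 on its own does not tell a client which permission is missing.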