# Endpoint access control

It is possible to restrict access to any endpoint.

In order for a user to get access to a given API Endpoint, the user must belong to a SecurityRole that has a SecurityPermission for the API Endpoint.

<figure><img src="/files/lj2NBxrsEJFPqpSyaWF5" alt=""><figcaption></figcaption></figure>

The endpoint access control is also applied to the objects requested using the ***fields*** JSON in the HTTP header. For instance, if the endpoint Vessel.GET is present and the user does not belong to a SecurityRole that has a SecurityPermission for the Vessel.GET endpoint, a request for the Voyage resource that specifies the following JSON in the fields parameter is rejected as unauthorized (HTTP 401):

```
{ 
   "vessel":{ 
      "vesselName":"*",
      "auxEngine":"*"
   }
}
```

If the same user sends the request with the following JSON, access is granted because the vesselName attribute is part of the minimal view of the Vessel resource:

```
{ 
   "vessel":{ 
      "vesselName":"*"
   }
}
```
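A small model of the fields check described above, useful for testing a role configuration against sample requests. It is an added example, not Dataloy's implementation; the mapping from the `vessel` key to the `Vessel` resource, the `MINIMAL_VIEW` and `PROTECTED_ENDPOINTS` tables, and the function names are assumptions.

```python
import json

# Assumption: minimal view per resource. Only Vessel/vesselName comes from the page.
MINIMAL_VIEW = {"Vessel": {"vesselName"}}
# Assumption: endpoints that exist in the system, so access control applies to them.
PROTECTED_ENDPOINTS = {"Vessel.GET"}

# The two fields documents from the page.
REQUEST_FULL = '{"vessel": {"vesselName": "*", "auxEngine": "*"}}'
REQUEST_MINIMAL = '{"vessel": {"vesselName": "*"}}'


def resource_name(field_key):
    """Map a fields key such as 'vessel' to 'Vessel' (assumed naming convention)."""
    return field_key[0].upper() + field_key[1:]


def denied_fields(fields_json, granted_permissions, method="GET"):
    """Return the 'Resource.attribute' paths the caller is not allowed to read."""
    denied = []

    def walk(node):
        for key, value in node.items():
            if not isinstance(value, dict):
                continue  # plain attribute of the resource being requested
            resource = resource_name(key)
            endpoint = f"{resource}.{method}"
            restricted = (endpoint in PROTECTED_ENDPOINTS
                          and endpoint not in granted_permissions)
            if restricted:
                # Without the permission, only the minimal view may be requested.
                allowed = MINIMAL_VIEW.get(resource, set())
                denied.extend(f"{resource}.{attr}"
                              for attr in value if attr not in allowed)
            walk(value)  # nested objects are checked the same way

    walk(json.loads(fields_json))
    return sorted(denied)


def status_for(fields_json, granted_permissions):
    """HTTP status the page describes: 401 if any requested field is denied."""
    return 401 if denied_fields(fields_json, granted_permissions) else 200
```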

The same access control is performed when a WebhookSubscription is requested. If the user tries to subscribe to an object that has an Endpoint in the system, the subscription is created only if the user can access the Endpoint; otherwise a Bad request (HTTP 400) exception is thrown.

To create a new Endpoint, post a JSON like this to the endpoint /ws/rest/Endpoint:

```
{
    "resourceName": "Vessel",
    "path": ".",
    "httpMethodType": "GET"
}
```

To create a new SecurityPermission, post a JSON like this to the endpoint /ws/rest/SecurityPermission:

```
{
    "endpoint": 335928937,
    "permissionName": "Bank.GET",
    "permissionType": 335343886
}
```

To create a new SecurityRole, post the following JSON to /ws/rest/SecurityRole:

```
{
    "roleName": "testRole"
}
```

To add a SecurityPermission to a SecurityRole, post the following JSON to /ws/rest/SecurityRole:

```
{
    "securityPermissions": [
        {
            "key": 335928939
        }
    ]
}
```

To add a SecurityRole to a User, post the following JSON to /ws/rest/SecurityRole:

```
{
    "securityRoles": [
        {
            "key": 335927922
        }
    ]
}
```


