Marking REST endpoints as @Permittable has the following consequences:

value = AcceptedTokenType

  • Endpoints marked as @Permittable(AcceptedTokenType.GUEST) or @Permittable(AcceptedTokenType.TENANT) are listed when GET /permittables is called.
  • Endpoints marked as @Permittable(AcceptedTokenType.GUEST) have no additional protection.
  • Endpoints marked as @Permittable(AcceptedTokenType.SYSTEM) and endpoints without a @Permittable annotation require a system token for access.
  • Endpoints marked as @Permittable(AcceptedTokenType.TENANT) or just @Permittable require a tenant token for access. They cannot be accessed if no tenant is provided in the request header.
  • The GET /permittables endpoint itself is marked as @Permittable(AcceptedTokenType.GUEST), which means that no token is required to retrieve the map of guest and tenant functionality a service provides.

groupId

  • In isis, roles are composed of permissions on permittable groups. By specifying a groupId, you define which PermittableGroup in isis your endpoint belongs to when your microservice is provisioned for a tenant. PermittableGroups are a convenience for listing and displaying role permissions in the UI.

permittedEndpoint

  • For permission purposes, you can specify a URI other than the one defined in the request mapping of your endpoint.
  • When specifying a custom URI, you can replace a path parameter with the text "{useridentifier}". When the endpoint is called, the value of that parameter is checked against the identifier of the user calling the endpoint. This is useful when you want to permit users to examine and change data that belongs to them, but not data on the same endpoint that belongs to other users. For example, in isis, /user/{useridentifier}/password is used to let a user change their own password, but not the password of another user.
  • If you do not specify a custom URI via the permittedEndpoint parameter, all path parameters are replaced with *. This means that any value is allowed for all path parameters.
  • You can place multiple @Permittable annotations on an endpoint, each one with a different value for permittedEndpoint and groupId.
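
As an added example (not code from this page or from the anubis project), a hypothetical Spring controller that uses each of the options described above; the package names, the group IDs "user_management" and "self_management", and the /users URIs are assumptions:

```java
package org.example.users; // hypothetical package

// assumed anubis package; adjust to the version of the library you use
import org.apache.fineract.cn.anubis.annotation.AcceptedTokenType;
import org.apache.fineract.cn.anubis.annotation.Permittable;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/users")
public class UserRestController {

  // GUEST: listed by GET /permittables, no token is checked at all.
  @Permittable(AcceptedTokenType.GUEST)
  @RequestMapping(value = "/exists/{identifier}", method = RequestMethod.GET)
  public ResponseEntity<Boolean> userExists(@PathVariable("identifier") final String identifier) {
    return ResponseEntity.ok(Boolean.FALSE); // placeholder body
  }

  // Plain @Permittable defaults to TENANT: listed by GET /permittables, tenant token required.
  // No permittedEndpoint is given, so the permission URI becomes /users/* (every path parameter -> *).
  @Permittable(groupId = "user_management")
  @RequestMapping(value = "/{identifier}", method = RequestMethod.GET)
  public ResponseEntity<String> getUser(@PathVariable("identifier") final String identifier) {
    return ResponseEntity.ok(identifier); // placeholder body
  }

  // Two permissions on one endpoint, each with its own groupId and permittedEndpoint:
  //  - "self_management": {useridentifier} makes the path value get compared with the caller's
  //    own user identifier, so a user may only change their own password;
  //  - "user_management": default URI /users/*/password, so an administrator may change anyone's.
  @Permittable(value = AcceptedTokenType.TENANT, groupId = "self_management",
      permittedEndpoint = "/users/{useridentifier}/password")
  @Permittable(value = AcceptedTokenType.TENANT, groupId = "user_management")
  @RequestMapping(value = "/{identifier}/password", method = RequestMethod.PUT)
  public ResponseEntity<Void> changePassword(@PathVariable("identifier") final String identifier,
                                             @RequestBody final String newPassword) {
    return ResponseEntity.accepted().build(); // placeholder body
  }

  // No @Permittable at all: only a system token is accepted, and the endpoint is not listed.
  @RequestMapping(value = "/reindex", method = RequestMethod.POST)
  public ResponseEntity<Void> reindex() {
    return ResponseEntity.accepted().build(); // placeholder body
  }
}
```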



Keep in mind that if a user has a /* permission, all endpoints matching that * are reachable for that user, even if they are system endpoints.
