A Management API is by default available to any authorized Umbraco backoffice user.
To further restrict access, we can apply access policies using the [Authorize] attribute.
Built-in access policies
Umbraco maintains a set of built-in access policies we can leverage in our own APIs. The policy names are defined in Umbraco.Cms.Web.Common.Authorization.AuthorizationPolicies.
For example, the following makes the API accessible only to users with Content section access:
We can also define our own access policies. A custom access policy is a good way to keep access control consistent across multiple endpoints as a project evolves: the rule is defined once and referenced by name wherever it applies.
A custom access policy is defined by means of composition.
The following access policy definition requires the user to be a member of both the Umbraco Administrators group and a custom defined group:
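The following is an added example, not the page's own code: a composer that registers a custom policy requiring membership of both the Administrators group and a custom group, plus a controller that applies the built-in Content-section policy to one action and the custom policy to another. The group alias `audit-reviewers`, the policy name, the controller and the route are assumptions chosen for illustration.

```csharp
// Added example: custom Management API access policy registered via an Umbraco composer.
// The group alias, policy name, controller name and route are assumed placeholders.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Api.Management.Controllers;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Web.Common.Authorization;

public static class AuditApiPolicies
{
    // One definition, referenced by name from every endpoint that needs it.
    public const string AdminAndAuditReviewer = "AuditApi.AdminAndAuditReviewer";
    public const string AuditReviewerGroupAlias = "audit-reviewers"; // assumed custom user group alias
}

public class AuditApiPolicyComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddAuthorization(options =>
        {
            options.AddPolicy(AuditApiPolicies.AdminAndAuditReviewer, policy =>
            {
                // Evaluate against the backoffice identity only.
                policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
                policy.RequireAuthenticatedUser();
                // Backoffice user groups are exposed as role claims; each RequireRole adds a
                // separate requirement, so the user must satisfy BOTH to pass (AND, not OR).
                policy.RequireRole(Constants.Security.AdminGroupAlias);
                policy.RequireRole(AuditApiPolicies.AuditReviewerGroupAlias);
            });
        });
    }
}

[ApiController]
[Route("umbraco/management/api/v1/audit")] // assumed route for illustration only
public class AuditApiController : ManagementApiControllerBase
{
    // Built-in policy: any backoffice user with access to the Content section.
    [HttpGet("summary")]
    [Authorize(Policy = AuthorizationPolicies.SectionAccessContent)]
    public IActionResult Summary() => Ok(new { status = "visible to Content section users" });

    // Custom policy: Administrators group AND the custom group are both required.
    [HttpGet("entries")]
    [Authorize(Policy = AuditApiPolicies.AdminAndAuditReviewer)]
    public IActionResult Entries() => Ok(new { status = "visible to admin audit reviewers" });
}
```

A user who is an Administrator but not in the `audit-reviewers` group receives a 403 from `entries` while still being able to call `summary`, which is a quick way to verify the conjunction during testing.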