Base access restriction works like:
- access to user is restricted if they have not appropriate Role.
- access to application is restricted if it isn't subscribed to API.
new access restriction mode should be added:
- access to user is restricted if they come through XXX application but they don't have XXXuser Role