https://www.youtube.com/watch?v=1gTRqFAZt4M Discontinued Alfresco Workdesk offers granular Role Based Access Control to define which functionalities users can access based on their role. While working to implement a replacement solution, I had to find a way to replicate this feature, and I found it in Apache Shiro. Using a fairly simple mechanism, I was able to map granular permissions (one for each method exposed by our custom REST API) to Alfresco groups, which act as roles. Moreover, combining this with Spring HATEOAS, it was possible to include in each JSON response only the links to the functionalities the user can actually access, so that our front-end client was able to determine accordingly what page components to display.