diff --git a/composer.json b/composer.json
index aa4ab71a1..ac4d8c228 100644
--- a/composer.json
+++ b/composer.json
@@ -38,5 +38,10 @@
 "require-dev": {
 "guzzle/guzzle": "~3.1.1",
 "behat/behat": "2.4.*@stable"
+ },
+ "autoload": {
+ "psr-0": {
+ "ProcessMaker\\": "workflow/engine/src"
+ }
 }
 }
diff --git a/framework/src/Maveriks/WebApplication.php b/framework/src/Maveriks/WebApplication.php
index c6bb33c7f..5d6ccbc65 100644
--- a/framework/src/Maveriks/WebApplication.php
+++ b/framework/src/Maveriks/WebApplication.php
@@ -252,6 +252,8 @@ class WebApplication
 $apiIniFile = $servicesDir . DS . 'api.ini';
 // $authenticationClass - contains the class name that validate the authentication for Restler
 $authenticationClass = 'ProcessMaker\\Services\\OAuth2\\Server';
+ // $accessControlClass - contains the class name that validate the Access Control for Restler
+ $accessControlClass = 'ProcessMaker\\Policies\\AccessControl';
 // $pmOauthClientId - contains PM Local OAuth Id (Web Designer)
 $pmOauthClientId = 'x-pm-local-client';
@@ -297,6 +299,8 @@ class WebApplication
 $this->rest->setAPIVersion($version);
 // adding $authenticationClass to Restler
 $this->rest->addAuthenticationClass($authenticationClass, '');
+ // adding $accessControlClass to Restler
+ $this->rest->addAuthenticationClass($accessControlClass);
 // Setting database connection source
 list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
diff --git a/workflow/engine/src/ProcessMaker/Policies/AccessControl.php b/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
new file mode 100644
index 000000000..c08817c0b
--- /dev/null
+++ b/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
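Review bot: The new autoload entry uses `psr-0`, which Composer has deprecated in favour of `psr-4`; the mapping does resolve the path this commit adds (`ProcessMaker\Policies\AccessControl` to `workflow/engine/src/ProcessMaker/Policies/AccessControl.php`), but psr-0 also translates underscores in class names into directory separators, which is rarely what a namespaced codebase wants. The equivalent psr-4 entry is `"psr-4": { "ProcessMaker\\": "workflow/engine/src/ProcessMaker/" }`.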
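Review bot: Registering `AccessControl` through `addAuthenticationClass` makes the permission check subject to Restler's authentication-class iteration instead of running after every successful authentication; in upstream Restler 3 the registered classes are tried in order and the first `__isAllowed()` that returns true ends the loop, so a request the OAuth2 `Server` class accepts would never reach `AccessControl`, while a request it rejects would be decided by `AccessControl` alone. If the Restler bundled with this tree keeps that behaviour, either `AccessControl` must perform the full token verification itself and fail closed, or the permission check belongs in a hook that runs after authentication regardless of which class succeeded — verify against the bundled `Luracast\Restler\Restler::authenticate()`. The first registration also passes `''` as the resource path while the new one passes nothing; if both are meant to cover the same routes, use the same argument, `$this->rest->addAuthenticationClass($accessControlClass, '');`. The enclosing method begins and ends outside this hunk.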
@@ -0,0 +1,105 @@
+oUser = new User();
+ $server = $oServerOauth->getServer();
+ $request = Request::createFromGlobals();
+ $allowed = $server->verifyResourceRequest($request);
+ $this->userUid = $oServerOauth->getUserId();
+ $this->oUser->loadUserRolePermission('PROCESSMAKER', $this->userUid);
+ $metadata = Util::nestedValue($this->restler, 'apiMethodInfo', 'metadata');
+ if ($allowed && !empty($this->userUid) && (!empty($metadata['access']) && $metadata['access'] == 'protected')) {
+ $parameters = Util::nestedValue($this->restler, 'apiMethodInfo', 'parameters');
+ if (!is_null(self::$className) && is_string(self::$className)) {
+ $authObj = Scope::get(self::$className);
+ $authObj->parameters = $parameters;
+ $authObj->permission = self::$permission;
+ if (!method_exists($authObj, Defaults::$authenticationMethod)) {
+ throw new RestException (
+ 500,
+ 'Authentication Class should implement iAuthenticate');
+ } elseif (!$authObj->{Defaults::$authenticationMethod}()) {
+ throw new RestException(401);
+ }
+ } elseif (!$this->verifyAccess(self::$permission)) {
+ throw new RestException(401);
+ }
+ }
+ return $response;
+ }
+
+ /**
+ * @return string
+ */
+ public function __getWWWAuthenticateString()
+ {
+ return '';
+ }
+
+ /**
+ * @param $permissions
+ * @return bool
+ */
+ public function verifyAccess($permissions)
+ {
+ $response = false;
+ $access = -1;
+ if (!is_array($permissions)) {
+ $access = $this->userCanAccess($permissions);
+ } elseif (count($permissions) > 0) {
+ foreach ($permissions as $perm) {
+ $access = $this->userCanAccess($perm);
+ if ($access == 1) {
+ break;
+ }
+ }
+ }
+ if ($access == 1 || empty($permissions)) {
+ $response = true;
+ }
+ return $response;
+ }
+
+ public function userCanAccess($perm)
+ {
+ $res = -1;
+ $permissions = Util::nestedValue($this->oUser, 'aUserInfo', 'PROCESSMAKER', 'PERMISSIONS');
+ if (isset($permissions)) {
+ $res = -3;
+ foreach ($permissions as $key => $val) {
+ if ($perm == $val['PER_CODE']) {
+ $res = 1;
+ break;
+ }
+ }
+ }
+ return $res;
+ }
+}
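Review bot: When `verifyResourceRequest()` returns false, `__isAllowed` neither throws nor returns false explicitly — the whole permission block is skipped and control falls through to `return $response`, whose initial value sits in the part of the method that is not visible here (the file header and the start of `__isAllowed` are missing from this hunk), so whether an absent or invalid token is rejected by this class depends on that hidden default. Make the failure explicit right after verification, `if (!$allowed || empty($this->userUid)) { throw new RestException(401); }` (drop the `userUid` part if user-less client-credential tokens are legitimate on these routes), so a token the OAuth2 server rejected can never be authenticated by this class. `verifyAccess()` also returns true whenever `$permissions` is empty, so a route marked `@access protected` with no permission declared passes the check; if that fail-open is intended, state it in the docblock, e.g. `Returns true when no permission is configured for the route (fail-open by design).` Finally, `userCanAccess()` compares `$perm == $val['PER_CODE']` with loose equality; use `$perm === $val['PER_CODE']` so numeric-looking codes and `null`/empty values cannot match unexpectedly.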