Define the Access permissions

To define the access permission for the service, perform the following:

Under Who can access the content by this service?, select one of the following:

• Everyone
  By selecting this option, you set the Access property to Anonymous.
  This option gives permissions to anonymous and authenticated users to read the content defined by the web service and also gives permissions to authenticated users to modify the content (perform CRUD operations), based on their roles and permissions, defined in Sitefinity.
• Authenticated users
  This is the default value. By selecting this option, you set the Access property to Authenticated. 
  This option restricts anonymous users from either reading or modifying the content provided by the web service. Anonymous users will receive a 401 Unauthorized status code. Only authenticated users are allowed to view and modify the content (perform CRUD operations), based on their roles and permissions, defined in Sitefinity CMS. Authenticated users who do not have permission to manipulate data will receive a 403 Forbidden status code.
• Administrators only
  By selecting this option, you set the Access property to Admin.
  This option allows only admin users to access the service and perform CRUD operations with the data. Authenticated users will receive a 403 Forbidden status code and anonymous users will receive a 401 Unauthorized status code.

To restrict the user access by the domain, which the users belong to, select Allow users from specific domains only. 
This checkbox sets the AccessControlAllowOrigin (CORS) property, also known as the CORS policy. By default, CORS is enabled and using this setting.
Enter one of the following:

• Enter the comma separated list of allowed domains, one per line.
• Enter *
  Every request from every domain will be allowed. We do not recommend this, because there may be malicious users who would try to exploit the service. We recommend to specify only domains that are trusted.
• Leave the box empty.
  If you do not select the checkbox or leave the list empty, then the CORS policy will fallback to the AccessControlAllowOrigin setting in the SecurityConfig.config file. If that setting in the SecurityConfig.config file is empty, then requests only from the same domain are allowed.
  IMPORTANT: In case there is a setting in the web.config file that adds a custom value for the Access-Control-Allow-Origin Header to the custom headers section, then the SecurityConfig.config file setting will conflict with the web.config setting. Thus, to avoid conflict, you need to use only one of the settings and omit the other.
  For more information about custom headers, see the IIS documentation.