PASOE web transport's default security is very coarse-grained: a client that is authenticated and holds the right role can access anything under the /web/** relative URI.
There are two possible ways to add finer-grained access control:
Write ABL code in your web handlers that authorizes the user (Client-Principal) for a particular handler's URI or its sub-paths
Add Spring Security <intercept-url> elements to your oeablSecurity-*.xml configuration, with one <intercept-url> per web handler
The former exposes the ABL business logic to additional risk and requires yet another location where role-based authorization has to be configured and implemented. The latter is safer (because it runs in protected code space) and is easily configurable at the end production site.
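A sketch of the second option, as an added example that is not part of the original page or of the shipped PASOE configuration: the single coarse rule is replaced by one rule per web handler inside the existing `<http>` element that covers the web transport. The handler paths (/web/admin, /web/orders, /web/customers) and all role names are assumptions chosen for illustration, and the expressions assume the configuration already uses Spring Security access expressions.

```xml
<!-- Added example: handler paths and role names are hypothetical. -->

<!-- Before: one coarse rule. Any authenticated client holding the role
     reaches every web handler under /web/. -->
<!--
<intercept-url pattern="/web/**" access="hasAnyRole('ROLE_PSCUser')"/>
-->

<!-- After: one rule per web handler. Spring Security applies the FIRST
     pattern that matches the request, so the most specific rules come
     first and the catch-all comes last. -->

<!-- Administrative handler: administrators only. -->
<intercept-url pattern="/web/admin/**"
               access="hasRole('ROLE_Admin')"/>

<!-- Orders handler: read access for viewers and clerks ... -->
<intercept-url pattern="/web/orders/**" method="GET"
               access="hasAnyRole('ROLE_OrderClerk','ROLE_OrderViewer')"/>
<!-- ... every other HTTP method on the same handler for clerks only. -->
<intercept-url pattern="/web/orders/**"
               access="hasRole('ROLE_OrderClerk')"/>

<!-- Customers handler: clerks and sales staff. -->
<intercept-url pattern="/web/customers/**"
               access="hasAnyRole('ROLE_OrderClerk','ROLE_Sales')"/>

<!-- Catch-all: a handler deployed without its own rule is refused
     instead of silently inheriting a broad role check. -->
<intercept-url pattern="/web/**" access="denyAll"/>
```

Because rule order decides the outcome, a new handler's rule has to be placed above the final /web/** entry, otherwise requests to it are denied.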