2
The simplest way to do this is to implement a custom callback. The callback is passed both the user object and the service URL, so you can limit access based on whatever combinations are required. If the test fails, raise PermissionDenied to abort the request (the same thing that is done if an invalid service is provided). If you do not require any custom attributes, simply return an empty dictionary on success.
Source:stackexchange.com