Hi, In restlet script I have savesearch that the user runs and get data from it, for example: Locations the issue is if the user restrict to one subsidiary could he see all of the locations? (also location that is not in the user's subsidiary) I need that the data the user will see from the search will be only the subsidiary he can see.

In restlet data is fetched based on the tokens it's being called with not the users access. You can restrict the access of data by creating multiple tokens with roles matching to those users. Or provide a payload such that it puts filters based on conditions.

Its not external use of restlet, its internal, so the user itself use the script with no tokens needed

Then you have the user logged in, just get his role from the runtime module. And add a filter on ur search/query.