diff --git a/plugins/acl/role-based-access-checkers/pom.xml b/plugins/acl/role-based-access-checkers/pom.xml
new file mode 100644
index 00000000000..06cee2020db
--- /dev/null
+++ b/plugins/acl/role-based-access-checkers/pom.xml
@@ -0,0 +1,32 @@
+
+
+ 4.0.0
+ cloud-plugin-acl-role-based-access-checkers
+ Apache CloudStack Plugin - ACL Role Based Access Checkers
+
+ org.apache.cloudstack
+ cloudstack-plugins
+ 4.3.0-SNAPSHOT
+ ../../pom.xml
+
+
diff --git a/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
new file mode 100644
index 00000000000..18fcdf9cd04
--- /dev/null
+++ b/plugins/acl/role-based-access-checkers/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java
@@ -0,0 +1,74 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.acl.api;
+
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import org.apache.cloudstack.acl.APIChecker;
+import org.apache.cloudstack.acl.AclRole;
+import org.apache.cloudstack.acl.AclService;
+import org.apache.log4j.Logger;
+
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.user.Account;
+import com.cloud.user.AccountService;
+import com.cloud.user.User;
+import com.cloud.utils.PropertiesUtil;
+import com.cloud.utils.component.AdapterBase;
+import com.cloud.utils.component.PluggableService;
+
+// This is the default API access checker that grab's the user's account
+// based on the account type, access is granted
+@Local(value=APIChecker.class)
+public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
+
+ protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
+
+ @Inject AccountService _accountService;
+ @Inject AclService _aclService;
+
+ protected RoleBasedAPIAccessChecker() {
+ super();
+ }
+
+ @Override
+ public boolean checkAccess(User user, String commandName)
+ throws PermissionDeniedException {
+ Account account = _accountService.getAccount(user.getAccountId());
+ if (account == null) {
+ throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
+ }
+
+ List roles = _aclService.getAclRoles(account.getAccountId());
+
+
+ boolean isAllowed = _aclService.isAPIAccessibleForRoles(commandName, roles);
+ if (!isAllowed) {
+ throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
+ }
+ return isAllowed;
+ }
+
+}