diff --git a/security.rst b/security.rst
index 96fa07973b4..228644c84ed 100644
--- a/security.rst
+++ b/security.rst
@@ -715,6 +715,10 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
                 # require ROLE_ADMIN for /admin*
                 - { path: ^/admin, roles: ROLE_ADMIN }
 
+                # the 'path' value can be any valid regular expression
+                # (this one will match URLs like /api/post/7298 and /api/comment/528491)
+                - { path: ^/api/(post|comment)/\d+$, roles: ROLE_USER }
+
     .. code-block:: xml
 
         <!-- app/config/security.xml -->
@@ -734,6 +738,10 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
 
                 <!-- require ROLE_ADMIN for /admin* -->
                 <rule path="^/admin" role="ROLE_ADMIN"/>
+
+                <!-- the 'path' value can be any valid regular expression
+                     (this one will match URLs like /api/post/7298 and /api/comment/528491) -->
+                <rule path="^/api/(post|comment)/\d+$" role="ROLE_USER"/>
             </config>
         </srv:container>
 
@@ -752,6 +760,10 @@ URL pattern. You saw this earlier, where anything matching the regular expressio
             'access_control' => [
                 // require ROLE_ADMIN for /admin*
                 ['path' => '^/admin', 'role' => 'ROLE_ADMIN'],
+
+                // the 'path' value can be any valid regular expression
+                // (this one will match URLs like /api/post/7298 and /api/comment/528491)
+                ['path' => '^/api/(post|comment)/\d+$', 'role' => 'ROLE_USER'],
             ],
         ]);