GET /subscription by notificationID should be restricted

Right now, to perform GET /subscription?notificationId=X operation user should has one of role (users.datalake.ops, users.datalake.admins, users.datalake.editors) but according security check access to this operation should be restricted to only users.datalake.ops.