diff --git a/endpoints/appr/test/test_api_security.py b/endpoints/appr/test/test_api_security.py
index 6e60cdb1e..561945074 100644
--- a/endpoints/appr/test/test_api_security.py
+++ b/endpoints/appr/test/test_api_security.py
@@ -8,49 +8,81 @@ from endpoints.appr.registry import appr_bp, blobs
 from endpoints.api.test.shared import client_with_identity
 from test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
-@pytest.mark.parametrize('resource,method,params,owned_by,identity,expected', [
- ('appr.blobs', 'GET', {'digest': 'abcd1235'}, 'devtable', 'public', 401),
- ('appr.blobs', 'GET', {'digest': 'abcd1235'}, 'devtable', 'devtable', 404),
+BLOB_ARGS = {'digest': 'abcd1235'}
+PACKAGE_ARGS = {'release': 'r', 'media_type': 'foo'}
+RELEASE_ARGS = {'release': 'r'}
+CHANNEL_ARGS = {'channel_name': 'c'}
+CHANNEL_RELEASE_ARGS = {'channel_name': 'c', 'release': 'r'}
- ('appr.delete_package', 'DELETE', {'release': 'r', 'media_type': 'foo'}, 'devtable', 'public', 401),
- ('appr.delete_package', 'DELETE', {'release': 'r', 'media_type': 'foo'}, 'devtable', 'devtable', 404),
+@pytest.mark.parametrize('resource,method,params,owned_by,is_public,identity,expected', [
+ ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', False, 'public', 401),
+ ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', True, 'public', 404),
+ ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', True, 'devtable', 404),
- ('appr.show_package', 'GET', {'release': 'r', 'media_type': 'foo'}, 'devtable', 'public', 401),
- ('appr.show_package', 'GET', {'release': 'r', 'media_type': 'foo'}, 'devtable', 'devtable', 404),
+ ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', False, 'public', 401),
+ ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', True, 'public', 401),
+ ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
- ('appr.show_package_releases', 'GET', {}, 'devtable', 'public', 401),
- ('appr.show_package_releases', 'GET', {}, 'devtable', 'devtable', 200),
+ ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 401),
+ ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', True, 'public', 404),
+ ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
- ('appr.show_package_releasse_manifests', 'GET', {'release': 'r'}, 'devtable', 'public', 401),
- ('appr.show_package_releasse_manifests', 'GET', {'release': 'r'}, 'devtable', 'devtable', 200),
+ ('appr.show_package_releases', 'GET', {}, 'devtable', False, 'public', 401),
+ ('appr.show_package_releases', 'GET', {}, 'devtable', False, 'devtable', 200),
+ ('appr.show_package_releases', 'GET', {}, 'devtable', True, 'public', 200),
+ ('appr.show_package_releases', 'GET', {}, 'devtable', True, 'devtable', 200),
- ('appr.pull', 'GET', {'release': 'r', 'media_type': 'foo'}, 'devtable', 'public', 401),
- ('appr.pull', 'GET', {'release': 'r', 'media_type': 'foo'}, 'devtable', 'devtable', 404),
+ ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', False, 'public', 401),
+ ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', False, 'devtable', 200),
+ ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', True, 'public', 200),
+ ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', True, 'devtable', 200),
- ('appr.push', 'POST', {}, 'devtable', 'public', 401),
- ('appr.push', 'POST', {}, 'devtable', 'devtable', 400),
+ ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 401),
+ ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', True, 'public', 404),
+ ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
- ('appr.list_channels', 'GET', {}, 'devtable', 'public', 401),
- ('appr.list_channels', 'GET', {}, 'devtable', 'devtable', 200),
+ ('appr.push', 'POST', {}, 'devtable', False, 'public', 401),
+ ('appr.push', 'POST', {}, 'devtable', False, 'devtable', 400),
+ ('appr.push', 'POST', {}, 'devtable', True, 'public', 401),
+ ('appr.push', 'POST', {}, 'devtable', True, 'devtable', 400),
- ('appr.show_channel', 'GET', {'channel_name': 'c'}, 'devtable', 'public', 401),
- ('appr.show_channel', 'GET', {'channel_name': 'c'}, 'devtable', 'devtable', 404),
+ ('appr.list_channels', 'GET', {}, 'devtable', False, 'public', 401),
+ ('appr.list_channels', 'GET', {}, 'devtable', False, 'devtable', 200),
+ ('appr.list_channels', 'GET', {}, 'devtable', True, 'public', 200),
+ ('appr.list_channels', 'GET', {}, 'devtable', True, 'devtable', 200),
- ('appr.delete_channel', 'DELETE', {'channel_name': 'c'}, 'devtable', 'public', 401),
- ('appr.delete_channel', 'DELETE', {'channel_name': 'c'}, 'devtable', 'devtable', 404),
+ ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', False, 'public', 401),
+ ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', True, 'public', 404),
+ ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', True, 'devtable', 404),
- ('appr.add_channel_release', 'POST', {'channel_name': 'c', 'release': 'r'}, 'devtable', 'public', 401),
- ('appr.add_channel_release', 'POST', {'channel_name': 'c', 'release': 'r'}, 'devtable', 'devtable', 404),
+ ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', False, 'public', 401),
+ ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', True, 'public', 401),
+ ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', True, 'devtable', 404),
- ('appr.delete_channel_release', 'DELETE', {'channel_name': 'c', 'release': 'r'}, 'devtable', 'public', 401),
- ('appr.delete_channel_release', 'DELETE', {'channel_name': 'c', 'release': 'r'}, 'devtable', 'devtable', 404),
+ ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 401),
+ ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 401),
+ ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', True, 'devtable', 404),
+
+ ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 401),
+ ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', False, 'devtable', 404),
+ ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 401),
+ ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', True, 'devtable', 404),
 ])
-def test_api_security(resource, method, params, owned_by, identity, expected, app, client):
+def test_api_security(resource, method, params, owned_by, is_public, identity, expected, app, client):
 app.register_blueprint(appr_bp, url_prefix='/cnr')
 with client_with_identity(identity, client) as cl:
 owner = model.user.get_user(owned_by)
- model.repository.create_repository(owned_by, 'someapprepo', owner, repo_kind='application')
+ visibility = 'public' if is_public else 'private'
+ model.repository.create_repository(owned_by, 'someapprepo', owner, visibility=visibility,
+ repo_kind='application')
 params['namespace'] = owned_by
 params['package_name'] = 'someapprepo'
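Review bot: Every row in the new matrix uses either the anonymous `public` identity or the owner `devtable`, so no case covers an authenticated user who has no permission on the repository; a regression that treated any logged-in user as authorized for a private repo, or let one push to or delete from a public repo, would still pass. Consider adding one such identity per resource, e.g. `('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, '<non-owner-user>', 403),` (the user is a placeholder, and the expected code is presumably 403 but should be confirmed against the endpoint). Separately, the context lines `params['namespace'] = owned_by` and `params['package_name'] = 'someapprepo'` now write into the shared module-level dicts such as `PACKAGE_ARGS`, which leaks state between parametrized cases; a per-test copy avoids that: `params = dict(params, namespace=owned_by, package_name='someapprepo')`. The body of `test_api_security` continues past the end of the hunk, so the request and assertion are not visible here.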