...
- user principals (user, group)
- roles assigned to principals (for RBAC, possibly stored in Mode's AccessControlManager ACL)
- coming from the object above the datastream or higher up
- Just enforcing who can modify datastreams means determining node type and checking for that specific permission with respect to the role.
- Restricting by datastream name or other metadata?
REST API-Based Authorization
These approaches intercept JAX-RS requests and provide some form of policy enforcement around the API operation.