...
With Secure Impersonation - Security 3.5, user services will be started as the logged-in user. However, service endpoints for accessing datasets can be called by any user. Hence, it is necessary to make sure that any dataset access via such endpoints is authorized. One way of doing this would be to add a handler hook to the NettyHttpService that runs the service, with an authorization check in its preCall method.
Note: This approach may not work, because even with such a hook in place, it is unclear how the hook would obtain the entity (the dataset) and the action (READ/WRITE, etc.). TBD, to be figured out during implementation.
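A minimal model of the pre-call check described above, as an added example that is not CDAP or netty-http code. It assumes each route declares the dataset and action it touches (the open question in the note) and denies the call when no declaration or caller identity is available; `AuthorizationHook`, `Access`, `Authorizer`, the routes and the grants are hypothetical names and constructed data.

```java
import java.util.*;

// Hypothetical model (Java 16+); not CDAP or netty-http code.
public class DatasetAuthHookExample {
  enum Action { READ, WRITE }

  // Assumption: each route declares the dataset and action it touches.
  record Access(String dataset, Action action) {}

  // Stand-in for the authorization backend.
  interface Authorizer {
    boolean isAuthorized(String principal, String dataset, Action action);
  }

  static final class AuthorizationHook {
    private final Map<String, Access> routes;
    private final Authorizer authorizer;
    AuthorizationHook(Map<String, Access> r, Authorizer a) { routes = r; authorizer = a; }

    // Returns true only if the call may proceed to the handler.
    boolean preCall(String principal, String method, String path) {
      Access access = routes.get(method + " " + path);
      // Fail closed: no caller identity or no declared entity/action means deny.
      if (principal == null || access == null) {
        return false;
      }
      return authorizer.isAuthorized(principal, access.dataset(), access.action());
    }
  }

  public static void main(String[] args) {
    // Constructed sample routes and grants.
    Map<String, Access> routes = Map.of(
        "GET /purchases", new Access("purchases", Action.READ),
        "PUT /purchases", new Access("purchases", Action.WRITE));
    Map<String, Set<Action>> grants = Map.of(
        "alice", EnumSet.of(Action.READ, Action.WRITE),
        "bob", EnumSet.of(Action.READ));
    Authorizer authz = (p, d, a) ->
        d.equals("purchases") && grants.getOrDefault(p, Set.of()).contains(a);
    AuthorizationHook hook = new AuthorizationHook(routes, authz);
    System.out.println(hook.preCall("alice", "PUT", "/purchases"));
    System.out.println(hook.preCall("bob", "PUT", "/purchases"));
    System.out.println(hook.preCall("bob", "GET", "/purchases"));
    System.out.println(hook.preCall("bob", "GET", "/undeclared"));
    System.out.println(hook.preCall(null, "GET", "/purchases"));
  }
}
```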
Authorizing list operations
...