Many web service operations mirror those in the GUI and could use the same permissions, rather than all defaulting to 'remote api' permissions. This task is to review the permissions and services and add an appropriate permission check. The new dataset and collection services all identify the user and test access control already, so checking permissions should be incremental, assuming there's a matching permission. Some flexible services, e.g. the SPARQL service, might remain with the remote api permission (or similar) with the possibility of only allowing admins/power users and/or privileged apps to access them - moving the other services off to other permissions will make it easier to restrict these.