Changes

stoney core: REST API

11 bytes added, 11:15, 14 November 2013
/* Client authentication and authorization */
The service needs to authenticate each client via HTTP basic authentication, using a user name and a corresponding password. If an unauthenticated client tries to access the service, it will respond with a <code>401</code> (Unauthorized) HTTP error code.
Furthermore, the service must retrieve the authenticated user's role and object ownership and respect their respective values when returning collections and elements and when acting on HTTP methods. If a client tries to get, modify or delete an element for which it is not authorized, the service will respond with a <code>403</code> (Forbidden) HTTP error code and include a descriptive authorization validation message within the JSON error object.
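The following is an added example, not code from stoney core, sketching the 401/403 decision described above. The user table, the <code>admin</code> role, the element names, the realm and the layout of the JSON error object are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: users (salt, password hash, role) and element owners.
USERS = {name: (salt, _hash(pw, salt), role) for name, pw, salt, role in [
    ("alice", "alice-pw", b"salt-a", "user"),
    ("bob", "bob-pw", b"salt-b", "user"),
    ("root", "root-pw", b"salt-r", "admin")]}
OWNERS = {"vm-1": "alice", "vm-2": "bob"}

def authenticate(header):
    """Return the user name for a valid Basic Authorization header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    salt, stored, _ = USERS.get(user, (b"no-such-user", b"", None))
    # Hash even for unknown users and compare in constant time.
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return user if sep and ok else None

def handle(method, element_id, auth_header):
    """Return (status, headers, JSON body) for a request on one element."""
    user = authenticate(auth_header)
    if user is None:  # no or invalid credentials: 401 plus a challenge
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}, json.dumps(
            {"error": {"code": 401, "message": "Authentication required"}})
    if USERS[user][2] != "admin" and OWNERS.get(element_id) != user:
        # Authenticated, but neither owner nor admin: 403 with a message
        return 403, {}, json.dumps({"error": {"code": 403, "message":
            f"User '{user}' may not {method} element '{element_id}'"}})
    if element_id not in OWNERS:
        return 404, {}, json.dumps({"error": {"code": 404, "message": "Not found"}})
    return 200, {}, json.dumps({"id": element_id, "owner": OWNERS[element_id]})
```

The ownership check runs before the existence check, so a non-owner receives the same <code>403</code> for an element that exists and for one that does not.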
=== Data interchange format ===
SLB
385
edits