How to provide limited access/authorisation in webservice at interface level, at user level and at group level?