Is this question specific to the OpenAPI apps available on GitHub?
Is it available in the device model?
The way this works right now is that we have a proxy defined on CAPC that allows OpenAPI Apps to make calls to OpenAPI (OData) and another that allows OpenAPI Apps to make calls to the DA Rest web service.
The 1st uses embedded authentication built into our OData based OpenAPI.
The 2nd does not have an authentication mechanism for the DA Rest web services. This means that anyone could run DA Rest web service calls through CAPC regardless of user credentials. Obviously that would not be good. So we built a mechanism into the DA Rest CAPC web proxy to authenticate based on a "white list" of CAPC user names added to a specific CAPC database table.
We would like to provide more options in this area to allow better control of access permissions, but we don't have that on the immediate radar.
Another option you brought up is role-based Context page controls. This is something we have been looking into for quite some time, and we have some good ideas here that would allow you to work around this type of issue as well as better control context section visibility based on roles. Again, this is not something on the short/mid-term roadmap, so it's not a viable option.
I hope this helps clarify!!