10/04/2022, 10:58 PM
I believe you are now talking about identity management (Authentication). That would fall into the caveat I mentioned 'creating a valid auth context for each recipient'. It would be somewhat system dependent whether this would/should be possible, e.g. 'Is Gmail trusted to get Docs for any user?'. Are permissions here about business rules or security? If it's about security then it doesn't really make sense to separate data and permissions because I could just bypass the permissions, ignore the result, or even worse, apply it to the data/logic incorrectly. In this case where we want to view permissions, and also apply them as security, then essentially the permissions have become a separate (related) resource to the data, in which case, a separate endpoint/method to access permissions makes sense. But that doesn't directly imply a generalised implementation across verticals?