...
This is getting messy. I think we could use a more robust alternative to implement this. But first, here are the authorization checks we know of so far have implemented or want to implement in the MTB timeframe (described in terms of access to objects in the REST API, rather than through the several endpoints that are needed to expose each object in the API itself, and skipping participant-facing APIs):
...