User Access Control Limits
The same ACLs are applied to all requests.
Every class in the system has ACLs (Access Control Limits ) which prevent CRUD ( Create, Read, Update and Delete) of records that are unauthorized. These ACLs are applied to all requests regardless of where or how the requests is made.
The same ACLs apply to web forms, SOAP requests, ReST or any other protocol.