Need to put access control on REST API
If a non-admin user has no permission to a particular module, say "Audit", but the group to which he belongs has permission to that module, then give access to that non-admin user. A user's effective permissions are the union of his own and his group's permissions.
Use-cases to be covered:
Get AuditLogs (user-with-no-permission) GET service/assets/accessAudit
Update user permission (non-admin) POST service/xusers/permission/user
Update group permission (non-admin) POST service/xusers/permission/group
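
A sketch of the check described above, as an added example (not the project's own code). The user and group names and the sample grants are constructed. Two rules are assumptions not stated on this page: the two permission-update calls are treated as admin-only, and admins pass every check.

```python
# Constructed sample data: module permissions granted directly to users
# and to groups, plus group membership. All names are hypothetical.
USER_MODULES = {"alice": set(), "bob": {"Audit"}, "carol": set(), "root": set()}
GROUP_MODULES = {"auditors": {"Audit"}, "staff": set()}
USER_GROUPS = {"alice": {"auditors"}, "bob": {"staff"},
               "carol": {"staff"}, "root": set()}
ADMINS = {"root"}

# (method, path) -> requirement. "module:<name>" needs that module permission.
# "admin" for the two permission-update calls is an assumption of this example.
ROUTES = {
    ("GET", "service/assets/accessAudit"): "module:Audit",
    ("POST", "service/xusers/permission/user"): "admin",
    ("POST", "service/xusers/permission/group"): "admin",
}


def effective_modules(user):
    """Union of the user's own module permissions and those of his groups."""
    modules = set(USER_MODULES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        modules |= GROUP_MODULES.get(group, set())
    return modules


def is_allowed(user, method, path):
    """Deny by default: unknown users and unmapped routes are refused."""
    requirement = ROUTES.get((method, path))
    if requirement is None or user not in USER_MODULES:
        return False
    if user in ADMINS:  # assumption: admins pass every check
        return True
    if requirement == "admin":
        return False
    module = requirement.split(":", 1)[1]
    return module in effective_modules(user)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "root"):
        for (method, path) in ROUTES:
            print(name, method, path, is_allowed(name, method, path))
```

Here alice reaches the audit log only through her group, bob through his own grant, and carol is refused because neither she nor her group holds "Audit".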