We should aim to add fine-grained permission checks to the UI. One way to do this is to add a new REST endpoint /admin/login/whoami that is always open for all, and that responds with a JSON document containing the current user's permissions. If no user is logged in it will respond with an empty list and "No user logged in". Else it will respond with e.g.
The Admin UI can then request this endpoint and cache the info, so that it may make decisions to hide/grey out certain menu options throughout the UI. E.g. the create collection button would be disabled if the user lacks the predefined permission "collection-admin-edit".
In theory the UI must also check if the user has a custom permission with path /admin/collections and params action=CREATE, but it is not likely that anyone would create a custom permission for something that is predefined.
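As an added example (not code from the proposal or from Solr itself), here is how the Admin UI could cache the /admin/login/whoami answer and decide whether to enable the "create collection" button, covering both the predefined "collection-admin-edit" name and the custom path/params case. The response shape (a `user` field plus a `permissions` list of names or `{path, params}` objects) is an assumption, since the proposal's JSON example is not shown.

```javascript
// Constructed sample responses mirroring the cases in the proposal (assumed shape).
const LOGGED_OUT = { message: "No user logged in", user: null, permissions: [] };
const ADMIN = { user: "solr", permissions: ["collection-admin-edit", "read"] };
const CUSTOM = {
  user: "ops",
  permissions: [
    "read",
    { name: "create-coll", path: "/admin/collections", params: { action: "CREATE" } }
  ]
};

// Does one permission entry grant the predefined name, or is it a custom rule
// whose path and every requested param match?
function permissionMatches(perm, predefinedName, path, params) {
  if (typeof perm === "string") return perm === predefinedName;
  if (!perm || perm.path !== path) return false;
  const want = params || {};
  return Object.keys(want).every(k => perm.params && perm.params[k] === want[k]);
}

// Hiding a control is a UX decision only; the server still enforces the rule.
function hasPermission(whoami, predefinedName, path, params) {
  if (!whoami || !whoami.user) return false; // "No user logged in"
  return (whoami.permissions || []).some(p =>
    permissionMatches(p, predefinedName, path, params));
}

// The proposal's concrete case: enable "create collection" only with
// "collection-admin-edit" or an equivalent custom permission.
function canCreateCollection(whoami) {
  return hasPermission(whoami, "collection-admin-edit",
    "/admin/collections", { action: "CREATE" });
}

// Cache the whoami answer once per UI session so menu decisions do not refetch.
// The promise itself is cached, so concurrent callers share one request.
// fetchJson is injected, e.g. () => fetch("/admin/login/whoami").then(r => r.json())
function makePermissionCache(fetchJson) {
  let cached = null;
  return {
    get() { if (!cached) cached = Promise.resolve(fetchJson()); return cached; },
    invalidate() { cached = null; } // call on login/logout
  };
}
```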