John,
The short, simple answer is: if you supply credentials (user-ID/password) as part of the REST request that uses a backend BASIC subroutine, then you can do any sort of validation that you want via the backend subroutine. I'm thinking of a user profile that grants different levels of access, but there are all kinds of possibilities with the code you write. There is also the REST-level security that MVIS provides as well; I'm just addressing application-level authorization.

Regards,