Web Service (SOAP) Authorizations
REST Service Authorizations
Service Authorizations and Object Authorizations
WS or REST authorizations are necessary, but not sufficient condition to allow access to data in midPoint. These authorizations are just the "first line" of defense. The user needs to have these authorizations to invoke the service operation. But this authorization does not give access to any data. For practical use-cases the user must also have ordinary (object) authorizations such as read, add, modify or delete to access any midPoint data. Without these authorizations the WS/REST authorizations are almost useless.