What is REST API and user roles design Best Practice?

Tags: java, rest, grails

I'm developing a Grails REST app. I have three user roles: BusinessOwner, User, Admin, Public (no authentication).

I've endpoints like api/business/1.

When a user with the BusinessOwner role calls that, it returns all details of a business, but if a user with the Public (no authentication) role calls that, it returns a subset of the details. So the question is how to implement the endpoints:

1- Having one endpoint like api/business/1 and checking what the user's role is and returning the proper values (several if/else statements, ...)

OR

2- Having separate API areas like the following, where each has its own specific security and returns a specific subset:

api/admin/business/1

api/businessOwner/business/1

api/public/business/1

Which one is better? And

What is the best practice in designing REST APIs and applying user roles?

user3426603 asked Sep 17 '25 15:09


1 Answer

Authentication and Authorization

I am of the opinion that URLs should not dictate or otherwise separate web services based on authorization. For a well-formed RESTful service, a token should be sent in the HTTP header (as happens in OAuth 2.0).

Most mature RESTful frameworks will have an authorization flow built in. As far as I know, none of them implement different URLs for the same service as an authorization mechanism.

Chris Maggiulli answered Sep 20 '25 04:09
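The approach the answer recommends, as an added illustration that is not code from the question, the answer or any Grails plugin: one URL (`api/business/1`), the caller's role resolved from a bearer token in the `Authorization` header, and the response shaped by a per-role field whitelist rather than by separate endpoints. It is written in framework-agnostic Python so it runs offline; the token table, the business record and the field sets are constructed for the example, and `authenticate`, `effective_role` and `get_business` are hypothetical names standing in for whatever the framework's security plugin provides. It also goes one step beyond the post by adding an ownership check, since a BusinessOwner token should only unlock the full record of the businesses that token actually owns.

```python
"""Single-endpoint, role-aware response shaping for GET /api/business/{id}.

Added example, not from the original post.  Tokens, the record and the
field sets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed sample record: the full view an owner or admin may see.
BUSINESS_1 = {
    "id": 1,
    "name": "Example Bakery",
    "address": "1 Sample Street",
    "phone": "+1-555-0100",
    "ownerEmail": "owner@example.invalid",
    "taxId": "TAX-CONSTRUCTED-0001",
    "revenueLastYear": 123456,
}
BUSINESSES = {1: BUSINESS_1}

# Deny-by-default projection: each role names exactly the fields it may read.
# A field that is not listed is never serialised, so adding a new column to
# the record later does not leak it to lower-privilege callers.
FULL_VIEW = frozenset(BUSINESS_1)
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "Public": frozenset({"id", "name", "address"}),
    "User": frozenset({"id", "name", "address", "phone"}),
    "BusinessOwner": FULL_VIEW,
    "Admin": FULL_VIEW,
}

# Constructed token table standing in for real token validation (an OAuth 2.0
# introspection call or a signed JWT check).  Hypothetical values only.
TOKENS = {
    "tok-owner-1": {"role": "BusinessOwner", "businessIds": {1}},
    "tok-owner-2": {"role": "BusinessOwner", "businessIds": {2}},
    "tok-user": {"role": "User", "businessIds": set()},
    "tok-admin": {"role": "Admin", "businessIds": set()},
}


class AuthError(Exception):
    """Raised when a credential is present but cannot be accepted."""


@dataclass(frozen=True)
class Principal:
    role: str
    business_ids: FrozenSet[int]


def authenticate(headers: Dict[str, str]) -> Principal:
    """Resolve the caller from the Authorization header.

    No header       -> anonymous Public caller.
    Invalid header  -> AuthError, i.e. HTTP 401.  A bad token is rejected, not
                       silently downgraded to Public, so the client learns its
                       credential failed instead of receiving a partial answer.
    """
    value = headers.get("Authorization")
    if value is None:
        return Principal("Public", frozenset())
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthError("malformed Authorization header")
    entry = TOKENS.get(token)
    if entry is None:
        raise AuthError("unknown or expired token")
    return Principal(entry["role"], frozenset(entry["businessIds"]))


def effective_role(principal: Principal, business_id: int) -> str:
    """Object-level check a pure role check misses: a BusinessOwner gets the
    owner view only for businesses the token owns; for anyone else's business
    they are an ordinary authenticated User."""
    if principal.role == "BusinessOwner" and business_id not in principal.business_ids:
        return "User"
    return principal.role


def get_business(business_id: int, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Handler for GET /api/business/{id}; returns (http_status, body)."""
    try:
        principal = authenticate(headers)
    except AuthError as exc:
        return 401, {"error": str(exc)}
    record = BUSINESSES.get(business_id)
    if record is None:
        return 404, {"error": "not found"}
    allowed = ROLE_FIELDS[effective_role(principal, business_id)]
    # Whitelist projection: only fields the effective role may read survive.
    return 200, {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    for label, hdrs in [("anonymous", {}),
                        ("owner of #1", {"Authorization": "Bearer tok-owner-1"}),
                        ("owner of #2", {"Authorization": "Bearer tok-owner-2"}),
                        ("bad token", {"Authorization": "Bearer tok-nope"})]:
        print(label, get_business(1, hdrs))
```

The point of the single handler is that the URL stays stable for every client while the policy lives in two small tables: one mapping roles to readable fields, one (the token store) mapping credentials to roles and owned objects. Reviewing "who can see `taxId`" then means reading `ROLE_FIELDS`, not auditing three controllers.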