By creating authorization fields and an authorization object for your service, and by implementing protection against unauthorized read and creation, you can protect your service against unauthorized use at field level.
After this, you can implement field-level authorizations that can be granted to business users.