Applying User Roles/Permissions to control REST Service GET/POST results

I'm looking to understand how to implement user role/permission based security, not simply to control access to my REST API, but rather what consuming application user can do with the API.

For instance looking for examples to do following with WebApi a) Allow access to GET but not POST, i.e. you can look at object(s) at URI, but you cannot make object at URI b) Allow to PATCH some properties of object at URI, but not others c) When you GET object(s) at URI, some fields are not returned d) When you GET object(s) at URI, objects with certain field value are not returned.

Hope I've given a sufficient picture of what I'm looking to do. I'm trying to google for examples, but I must be using all the wrong keywords so not finding what I'm looking for.

Thanks in advance for any pointers.