Hi Bob,
The way this works right now is that we have a proxy defined on CAPC that allows OpenAPI Apps to make calls to OpenAPI (OData) and another that allows OpenAPI Apps to make calls to the DA Rest web service.
The 1st uses embedded authentication built into our OData based OpenAPI.
The 2nd does not have authentication mechanism for the DA Rest web services. This means that anyone could run DA Rest web service calls through CAPC regardless of user credentials. Obviously that would not be good. So we built a mechanism into the DA Rest CAPC web proxy to authenticate based on a "white list" of CAPC user names added to a specific CAPC database table.
We would like to provide more options in this area to allow better control of access permissions but we don't have that on the immediate radar.
Another option you brought up is role based Context page controls. This is something we have been looking into for quite some time and have some good ideas here that would allow you to work around this type of issue as well as better control context section visibility based on roles. Again, this is not something on the short/mid term roadmap so it's not a viable option.
In regards to who supports this, CA will support 100% the various built-in mechanisms including API calls, SSO and authentication from Apps to CAPC/DA and all other product functionality. The JavaScript and related App contents are under the MIT license and there is no implied support. I personally wrote several of these Apps with the goal of providing some basic examples with the goal of having our customers, partners, and field teams to augment, customize, enhance etc. That's why we went with the MIT license as it provides the most flexibility.
We are happy to help answer questions and I'll personally jump in with input on App building (JavaScript, D3, etc) questions but the Apps themselves are not officially support (although all of the data acquisition is through the supported OpenAPI).
I hope this helps clarify!!
-Jason