breeze - BreezeJS + Asp.Net Web Api Security -

i have been looking @ breezejs , want try searched lot , still cannot understand how security handled while using breeze. here know:

according post on ideablade forums (creators of breezejs), need single api controller of our entities. api controller contain 1 metadata method, 1 method each entity, 1 save method, 1 delete method. way need 1 entitymanager on client side configured 1 service endpoint.

my questions:

1. my understanding of "single controller entities" correct?

2. if understanding correct how can apply security on our controller? if want user role access entities, cannot put authorize filter on controller or method. may want user have read-only access while other users having read-write access on entity. may want return aggregated data user while restricting access full details.

please help. thanks.