REST API should have basic Integration Tests that prove that a new user account (or one without any group memberships) has no special access rights. Put another way, they have the same permissions as Anonymous users except they can manage their account information.
Some basic tests should prove:
- A newly created account has no groups
- A newly created account has access to no features (see new "/authz/features" endpoint)
- However, a newly created account can manage their own EPerson/Profile
Some of these tests may already exist under EPersonRestRepositoryIT. A closer analysis should be done.