In the PlatformUI implementation, permissions were checked in the controller using the setup/system_info policy.

Some of the service layers of Support Tools (EZP-25598 and more) should cover permission checking using a similar approach (more granularity might come up depending on the domain's evolution). One of the service / value object we have in mind is Reports, a Report being a collection of SystemInfo (full system report, software system report...). It would be a good layer, since this is what we intend to expose.

A clean approach would be to handle this in a decorator. It would allow us to use permission aware versions of the service in controllers / view builders, and still have access to a permission-free version.