Signalen / backend

Backend for Signalen, an application that helps cities manage and prioritize nuisance reports.

Home Page: https://signalen.org


Ideas on authorization in services layer

CBuiVNG opened this issue · comments

Ideally we would have all business logic in a separate layer. We could use 2 approaches to access this logic:

  1. Keep services layer free of authorizations. This makes it easier to re-use in other solutions (batch processing, 3rd party that needs access). The authorization then should be done in the views. The downside of this is that we need to do permission checking per view and might be doing a lot of duplicate boilerplate code.
  2. Integrate authorizations in the services layer. This will uniformly define access to this logic. The downside is that it makes it harder to integrate in other solutions (that might use a different authorization model).

A combination of 1 & 2 is also possible. We could have an unauthorized version of the functions and an authorized version. We then only allow the authorized versions to be used from the view. The unauthorized versions can be used in other solutions.
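
A sketch of the combined approach described in the issue, added here as an illustration and not taken from the issue or the Signalen code base. It is plain Python with no framework; `User`, `authorized`, `update_status`, the view and batch functions, and the permission string are all hypothetical names.

```python
from dataclasses import dataclass, field
from functools import wraps


class PermissionDenied(Exception):
    """Raised when the acting user lacks the required permission."""


@dataclass
class User:  # hypothetical stand-in for the framework's user model
    name: str
    permissions: set = field(default_factory=set)


def authorized(permission):
    """Build the authorized version of an unauthorized service function."""
    def decorate(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            # Deny by default: no user or a missing permission stops the call
            # before any business logic runs.
            if user is None or permission not in user.permissions:
                raise PermissionDenied(f"{func.__name__} requires {permission}")
            return func(*args, **kwargs)
        wrapper.unauthorized = func  # raw version stays reachable for reuse
        return wrapper
    return decorate


@authorized("signals.change_status")  # constructed permission name
def update_status(signal, new_status):
    """Business logic only: no knowledge of users or permissions."""
    signal["status"] = new_status
    return signal


def view_update_status(request_user, signal, new_status):
    """View code calls only the authorized version and maps denial to 403."""
    try:
        update_status(request_user, signal, new_status)
    except PermissionDenied:
        return 403
    return 200


def batch_close(signals):
    """A batch job with its own authorization model uses the raw function."""
    return [update_status.unauthorized(s, "closed") for s in signals]
```

Nothing in the language stops a view from calling `.unauthorized` directly, so the rule that views use only the authorized versions has to be enforced by code review or an import-lint rule.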