User permissions for commands and actions

For commands I can add user permissions like this:

'Add item': command 
   can-execute: user .'Known user'?'Yes'.'Is administrator'?'Yes'
{ ... } => ...

But with actions this is not allowed by the compiler. Does this mean actions are always executable for all users?

An action is an operation – or chain of operations – that a webclient executes. If the action implementation specifies operations for which a webclient user does not have required permissions, the user cannot execute that corresponding part of the action and the action execution fails.

A command is executed by the datastore/application engine, which is the backend. The datastore engine checks if a user has all required permissions for executing a command. For that, the user needs read permission for the node on which the command is called, as well as the required permissions specified by can-execute: ... for the command.