For commands I can add user permissions like this:
'Add item': command
can-execute: user .'Known user'?'Yes'.'Is administrator'?'Yes'
{ ... } => ...
But with actions this is not allowed by the compiler. Does this mean actions are always executable for all users?
An action is an operation – or chain of operations – that a webclient executes. If the action implementation specifies operations for which a webclient user does not have required permissions, the user cannot execute that corresponding part of the action and the action execution fails.
A command is executed by the datastore/application engine, which is the backend. The datastore engine checks if a user has all required permissions for executing a command. For that, the user needs read permission for the node on which the command is called, as well as the required permissions specified by can-execute: ... for the command.