We need to introduce a permission that gets checked against the IAM token, so that only authentication users with Optimize application permission can actually access Optimize.

This could look something like write::*, as Optimize has no real concept beyond access at the moment. If an authenticated user doesn't have that permission, they should not be allowed to access Optimize