Natsu 6 days ago

> the response for that function should maybe differentiate between "401 because you didn't authenticate" and "401 because your privileges are too low".

I'd tend to think it more proper if it were 401 when you didn't authenticate and 403 when you're forbidden from doing that with those user rights, but you have to be careful about exactly how detailed your messages are, lest they get tagged as a CWE-209 in your next security audit.
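One way to implement the 401/403 split described in the comment above while keeping the error bodies generic enough not to trip a CWE-209 finding, as an added example (not code from this thread or from Remix itself). It uses the Fetch `Request`/`Response` objects a Remix loader works with; the session table, the `getUser` helper, the `requireRole` guard, the `adminLoader` route and the `makeRequest` builder are all constructed here for illustration.

```javascript
// Added example: distinguish "not authenticated" (401) from "authenticated but
// not allowed" (403) without leaking why in the response body (CWE-209).
// Requires Node 18+ for the global Request/Response (Fetch API) objects.

// Constructed sample session store: bearer token -> user record.
// A real app would look this up in a session/JWT layer instead.
const SESSIONS = new Map([
  ["tok-alice", { id: 1, name: "alice", roles: ["viewer"] }],
  ["tok-bob", { id: 2, name: "bob", roles: ["viewer", "admin"] }],
]);

// Hypothetical helper: resolve the caller from the Authorization header.
// Missing header, wrong scheme and unknown token all collapse to null, so the
// client cannot tell them apart from the status code or body.
function getUser(request) {
  const header = request.headers.get("authorization") || "";
  const [scheme, token] = header.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS.get(token) || null;
}

function jsonResponse(status, body, extraHeaders = {}) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "Content-Type": "application/json", ...extraHeaders },
  });
}

// Returns a Response to short-circuit with, or null if the caller may proceed.
// 401: no valid credentials. RFC 7235 requires WWW-Authenticate on a 401.
// 403: valid credentials, but the caller lacks the role. The body deliberately
// does not name the missing role or describe the resource.
function requireRole(request, role) {
  const user = getUser(request);
  if (!user) {
    return jsonResponse(401, { error: "Authentication required" }, {
      "WWW-Authenticate": 'Bearer realm="api"',
    });
  }
  if (!user.roles.includes(role)) {
    // The specifics belong in the server log, not in the response.
    console.warn(`authz denied: user=${user.name} role=${role} url=${request.url}`);
    return jsonResponse(403, { error: "Forbidden" });
  }
  return null;
}

// Hypothetical Remix-style loader for an admin-only route.
function adminLoader({ request }) {
  const denied = requireRole(request, "admin");
  if (denied) return denied;
  return jsonResponse(200, { page: "admin dashboard" });
}

// Builds a constructed request; pass null to send no credentials at all.
function makeRequest(token) {
  const headers = token ? { Authorization: `Bearer ${token}` } : {};
  return new Request("https://example.invalid/admin", { headers });
}

// Stand-alone demo of the three outcomes.
for (const token of [null, "bogus", "tok-alice", "tok-bob"]) {
  const res = adminLoader({ request: makeRequest(token) });
  console.log(`${String(token).padEnd(9)} -> ${res.status}`);
}
```

Note that an unknown or malformed token gets exactly the same 401 as a missing one; the distinction the comment cares about is authenticated-versus-not and allowed-versus-not, and anything finer (which role is missing, whether the token expired, whether the record exists) is logged server-side rather than returned to the client.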