For admin services we define a permission level and through a permission handler we check whether user is assigned to a particular role which has requested permission in that service.
Customizing AuthorizationManager we can engage policy base permission evaluation. (But this point we don't get service meta data, you try to access only the required permission level, and user) You can configure it in. [WSO2IS]/repository/conf/user-mgt.xml
But if you need to get the permit decision on service (instead on permission level) will have to use additional layer like (ex ESB)