Re: Programatically assess whether user can access an app
Depends on your aim, if you call /qrs/app and the request is made as the user itself then the returned apps are only those that the user can see, security rules are applied on API calls too. (this is a QRS API call but the engine call in Eriks post is similar but to a different API). Getting nothing back would mean access to no apps. Similarly you can post app ID to the end of the path for a single app.
Or are you trying to gather this data without the users login context? eg to get a list of what users can do to embed in an app or similar?