Any dial plan can be set to require that the caller have specific permissions. This is an important part of preventing toll fraud or other unauthorized use of your system; see Securing Calls to the PSTN.
Authentication of callers (407 Proxy Authenticate)
If a call triggers a dial plan that requires a permission, and the caller has not already been authenticated, then the sipXproxy will request authentication by sending a 407 challenge response to the request. If the caller has credentials for the domain of sipXecs, then it should respond to that challenge by resending the same request as required by RFC 3261 with Digest authentication as specified by RFC 2617. If this authentication fails, the proxy will respond again with a 407 response (this is good security practice - no information about why the request failed is given to an attacker who is attempting to probe for valid username/password combinations).
If the caller is successfully authenticated, then the proxy uses the identity to look up whether or not the user has the required permissions.
Selecting Dial Plans By Permission Does Not Work
This is admittedly not what you might expect, but fixing it is unfortunately not easy.
When dial plans are evaluated, they are checked in order - the first match for the dial string (the user part of the SIP URL) and domain is used, regardless of whether or not the caller has permission to use it. The permission check takes place later, and no matter what the outcome of that check, only the first matching dial plan is tried.
This means that it will not work to have more than one dial plan that matches the same dial strings and use permissions to control which is used for a given call.