Those are both good ideas. I wrote kentico support and the response was
"The classes from the Globalization (ie cms.country, cms.state) module are only accessible for Global administrators and there is no way to allow access for other users. If you need to access these objects using REST, the user must have the Global administrator privilege."
"If you really need to access this data from a non-global admin and you'd like to look into other coding possibilities, another great way to do this is with global event handlers: https://docs.kentico.com/k10/custom-development/handling-global-events/reference-global-system-events. You can create a handler that triggers on the RequestEvents.PostAuthorize.Execute event and runs some code if the requested URL matches a certain schema (ie- http://mysite.com/custom/getcustomtabledata). I recently built a custom module that uses this approach to provide data (securely) at specific URLs, and it works great."