If a user has no write permissions to any host groups, he shouldn't be able to create, update or delete actions. It is currently forbidden in the frontend (most likely due to a bug, will be fixed in ZBX-6640) but possible via the API.

This permission check should be moved from the frontend to the API.