No, they would need to put onto a separate module or URI pattern that could then be unsecured vs your PUT
/ords/hr/resource/open/ - unsecured add your GET here
/ords/hr/resource/notopen/ - secured add your PUT here
That's what I had suspected and I figured it was going to be a case of different module or URI/pattern. Glad to have it in writing from an authority on the subject though, and thanks for all the great content.