lots going on in this post, so forgive me if i miss the mark here...
1) in HTTP, URLs don't garuntee objects in the responses, they only garuntee _messages_. and context of the request counts. so, an admin user making a request to a URL is likely to see a diff response than a guest user. both are correct even when both contain different ontent.
2) HTTP services can use more than the URL to determine context to composing a response. the value of the AUTHORIZATION header is a good exampe.
3) therefore, using config data to modulate a response to a URL is not only OK, it is quite common
4) now, if you want to make it possible to *edit* the config data, then you need to expose that via one or more URLs. the edit experience may only be available to admin users (/edit-config/ might return a 200 w/ content for the admin, and a 404 or 403 for guest accounts).
5) finally, i have no idea what you mean here by "owns it"
hope this helps