Permissions: with CMIS like with all other Nuxeo APIs, the access to documents obeys the user's permissions. This means that you will not be able to see or search documents to which you don't have Read access granted, and won't be able to create, modify or delete documents to which you don't have Write access.
Authentication: this is the process through which you state and prove which user you actually are. Authentication depends on the protocol employed by your CMIS connection. Nuxeo 5.4.2 supports the standard AtomPub (REST) and SOAP (Web Services) bindings and the authentication methods standardized by CMIS for them:
For AtomPub, you authenticate through HTTP Basic Auth.
For SOAP, you authenticate through the Web Services Security (WSS) UsernameToken.