Authenticated web GUI interacting with blockchain

Say I would like to implement an application used by several institutions which each have several associates. The associates would need the ability to interact with the application (but aren't necessarily nodes (?)). Thus I would like to build a web interface, providing a way to easily interact with the blockchain. Each institution would like a different interface, conforming to their house style. Also, an associate has to be authenticated to the web interface to be able to use its functionality.

As I understand, each institution would run several nodes. Each node is able to provide a REST API to interact with the blockchain. Each institution would then run their own web service with their own interface interacting with the REST API (run by one of their nodes)? and thus the blockchain. Then the web service would also have its own (institute-centralized and institute-specific) database which contains associate login details, providing a way to first authenticate the associate before having access to the actual functionality.

Is my way of thinking about this wrong? Also, the REST API would still be directly accessible without authentication. Is there a solution for this?

Thank you for any help or direction.
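The pattern the question sketches (institution-local login database in front of a node's REST API) is usually built as a gateway: the browser only ever talks to the institution's web service, and the node's API is reachable solely from that service, on a private network and with a service credential the browser never sees. The following is an added, self-contained illustration of that gateway logic and is not code from the question or from any particular blockchain platform; the route names, header names, the `NODE_API_TOKEN` value, the sample associate record and the stand-in `fake_node_api` are all constructed for the demo.

```python
"""Institution-side gateway between associates' browsers and a node's REST API.

Assumptions (constructed for this example): the node API listens only on the
institution's private network and requires a bearer credential that only the
gateway holds, so a browser cannot reach it directly even if it knows the URL.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# --- 1. institution-local associate store (stand-in for the institution's DB) ---
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the store keeps (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

_salt, _digest = hash_password("correct horse battery staple")  # constructed sample user
ASSOCIATES = {
    "alice@bank-a.example": {"salt": _salt, "digest": _digest, "roles": {"trader"}},
}

def verify_password(username: str, password: str) -> bool:
    rec = ASSOCIATES.get(username)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users (no timing oracle)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])

# --- 2. server-side sessions: the browser holds only an opaque random token --------
SESSIONS = {}
SESSION_TTL = 3600  # seconds

def login(username: str, password: str) -> Optional[str]:
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": time.time() + SESSION_TTL}
    return token

def session_user(token: str) -> Optional[str]:
    sess = SESSIONS.get(token)
    if sess is None or sess["expires"] < time.time():
        SESSIONS.pop(token, None)
        return None
    return sess["user"]

# --- 3. gateway: authenticate, authorise, then forward with the node credential ----
NODE_API_TOKEN = "constructed-node-service-credential"  # held by the gateway only
# Explicit allowlist of (method, path) -> roles; anything else is not forwarded.
ALLOWED = {
    ("GET", "/api/ledger/balance"): {"trader", "auditor"},
    ("POST", "/api/ledger/transfer"): {"trader"},
}

def gateway(request: dict, upstream) -> Tuple[int, dict]:
    """request: {method, path, cookies, body}; upstream: callable(method, path, headers, body)."""
    user = session_user(request.get("cookies", {}).get("session", ""))
    if user is None:
        return 401, {"error": "not authenticated"}
    key = (request["method"], request["path"])
    if key not in ALLOWED:
        return 404, {"error": "unknown route"}
    if not ALLOWED[key] & ASSOCIATES[user]["roles"]:
        return 403, {"error": "forbidden"}
    # The node credential is attached here, server-side; the associate identity is
    # passed along so the node (or its logs) can record who acted.
    headers = {"Authorization": f"Bearer {NODE_API_TOKEN}", "X-Associate": user}
    return upstream(request["method"], request["path"], headers, request.get("body"))

# --- constructed stand-in for the node's REST API (would be a real HTTP call) ------
def fake_node_api(method: str, path: str, headers: dict, body) -> Tuple[int, dict]:
    if headers.get("Authorization") != f"Bearer {NODE_API_TOKEN}":
        return 401, {"error": "node rejects caller without service credential"}
    return 200, {"path": path, "on_behalf_of": headers["X-Associate"]}

if __name__ == "__main__":
    tok = login("alice@bank-a.example", "correct horse battery staple")
    req = {"method": "GET", "path": "/api/ledger/balance", "cookies": {"session": tok}}
    print(gateway(req, fake_node_api))                      # (200, {...'on_behalf_of': 'alice@...'})
    print(gateway({**req, "cookies": {}}, fake_node_api))   # (401, ...)
    print(fake_node_api("GET", "/api/ledger/balance", {}, None))  # (401, ...) direct call fails
```

Each institution runs its own copy of this service with its own associate store and house-style front end; the node's API itself is kept off the public network (firewall or loopback binding) and additionally checks the service credential, so "directly accessible without authentication" no longer applies even to a caller inside the institution's network.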