Enforce least privileges and deny by default - Ensure that users and systems only have access to what they need and nothing else.
As fine-grained as possible - Authorization checks should be as specific as possible. Ideally, this means the system has the ability to check access based on specific records and resources.
Implement once and reuse - Keep authz logic in one place to ensure consistent checks and to prevent missed cases and potential security holes.
Maintain an audit log - Keep an authorization log (allow/deny) to track access and conduct audits where necessary.
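As an added example (not code from the page or from any of the projects it lists), the Python module below applies all four principles in one place: every decision goes through a single authorize() call (implement once and reuse), a request with no matching rule is denied (deny by default), rules see the specific record so owner checks are possible (fine-grained), and every allow/deny outcome is appended to an audit log. The Principal, Resource and Authorizer names and the "invoice" policy are assumptions constructed for illustration.

```python
# Added example, not from the original page: a centralized, deny-by-default,
# record-level authorizer with an audit log. All names below are illustrative.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Resource:
    kind: str          # e.g. "invoice"
    resource_id: str
    owner_id: str      # lets rules decide per record, not just per type


# A rule is a predicate over the caller and the specific record being accessed.
Rule = Callable[[Principal, Resource], bool]


class Authorizer:
    """Implement once, reuse everywhere: all authz decisions go through authorize()."""

    def __init__(self) -> None:
        self._rules: dict[tuple[str, str], list[Rule]] = {}
        self.audit_log: list[dict] = []

    def grant(self, action: str, kind: str, rule: Rule) -> None:
        """Register a rule that may allow `action` on resources of `kind`."""
        self._rules.setdefault((action, kind), []).append(rule)

    def authorize(self, principal: Principal, action: str, resource: Resource) -> bool:
        # Deny by default: if no rule is registered for (action, kind), any() over
        # an empty list is False, so unknown actions are never silently allowed.
        rules = self._rules.get((action, resource.kind), [])
        allowed = any(rule(principal, resource) for rule in rules)
        # Audit log: record both allows and denies for later review.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": principal.user_id,
            "action": action,
            "resource": f"{resource.kind}:{resource.resource_id}",
            "decision": "allow" if allowed else "deny",
        })
        return allowed

    def require(self, principal: Principal, action: str, resource: Resource) -> None:
        """Raise on denial so call sites cannot forget to check the return value."""
        if not self.authorize(principal, action, resource):
            raise PermissionError(
                f"{principal.user_id} may not {action} "
                f"{resource.kind}:{resource.resource_id}"
            )


def build_policy() -> Authorizer:
    """Constructed sample policy: least privilege for a hypothetical invoice service."""
    authz = Authorizer()
    # Record-level rule: owners may read their own invoices.
    authz.grant("read", "invoice", lambda p, r: p.user_id == r.owner_id)
    # Role-based rule: the finance team may read any invoice.
    authz.grant("read", "invoice", lambda p, r: "finance" in p.roles)
    # Only admins may delete; owners deliberately get no delete rule.
    authz.grant("delete", "invoice", lambda p, r: "admin" in p.roles)
    return authz


def demo() -> dict:
    """Run a few constructed requests through the policy and report the decisions."""
    authz = build_policy()
    alice = Principal("alice")
    bob = Principal("bob")
    carol = Principal("carol", frozenset({"finance"}))
    inv = Resource("invoice", "inv-1001", owner_id="alice")  # constructed record
    return {
        "owner_reads_own": authz.authorize(alice, "read", inv),     # True
        "stranger_reads": authz.authorize(bob, "read", inv),        # False
        "finance_reads": authz.authorize(carol, "read", inv),       # True
        "owner_deletes_own": authz.authorize(alice, "delete", inv), # False
        "unknown_action": authz.authorize(alice, "export", inv),    # False (no rule)
        "audit_entries": len(authz.audit_log),                      # 5
    }


def require_example() -> str:
    """Show require() failing closed: returns the PermissionError message."""
    authz = build_policy()
    try:
        authz.require(Principal("bob"), "delete", Resource("invoice", "inv-1001", "alice"))
    except PermissionError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(require_example())
```

The "export" request is the case worth noticing: nobody wrote a rule for it, and the authorizer denies it without any special handling, which is what deny-by-default buys you when new actions are added faster than the policy is updated.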
Open Policy Agent - A policy-based framework for authorization and access control.
Stripe API Docs - Stripe's approach to issuing and managing API keys securely.
XACML - Standard that defines the "eXtensible Access Control Markup Language," a declarative, fine-grained, attribute-based access control policy language.
Intuit AuthZ - Post detailing Intuit's implementation of an XACML-based authz service.
Google Zanzibar - Google's consistent, global authorization system.