This article seems somewhat related. More of a use case than best practices but good to keep in mind. http://searchsecurity.techtarget.com/tip/User-provisioning-best-practices-Access-recertification
Here’s another article on the importance of good user access control : https://esj.com/articles/2007/03/27/access-control-10-best-practices.aspx?m=1
More best security practices : https://www.owasp.org/index.php/Access_Control_Cheat_Sheet#tab=Introduction
XACML stands for “eXtensible Access Control Markup Language” not sure if it helps me at all or if it’s been adopted at all but it might be interesting to see how that language looks. https://en.m.wikipedia.org/wiki/XACML
Todo: How does windows do it?
Todo: How do other apps do it?