Authentication — proving who someone is — is mostly a solved problem. Buy the library, follow the recipe, do not invent crypto. Two days of work, and a long tail of edge cases.
Authorization — deciding what that someone can do — is where most products spend their actual security budget, and where most products quietly leak. The matrix of roles, resources, and contexts is the part nobody draws because the drawing would be embarrassing.
Draw it anyway. The authorization model is the product, not a footnote.
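One way to draw the matrix is as data that can be audited for gaps. This is an added example, not code from the original page; the roles, resources, contexts, actions and function names are all assumptions, and the policy is constructed sample data.

```python
from itertools import product

# Assumed dimensions of the matrix (hypothetical product).
ROLES = ("admin", "editor", "viewer")
RESOURCES = ("invoice", "report")
CONTEXTS = ("own_tenant", "other_tenant")

# Constructed sample policy: (role, resource, context) -> allowed actions.
# An empty set is an explicit "nothing allowed"; a missing key is an undrawn cell.
MATRIX = {
    ("admin", "invoice", "own_tenant"): {"read", "write", "delete"},
    ("admin", "invoice", "other_tenant"): set(),
    ("admin", "report", "own_tenant"): {"read", "write"},
    ("admin", "report", "other_tenant"): set(),
    ("editor", "invoice", "own_tenant"): {"read", "write"},
    ("editor", "invoice", "other_tenant"): set(),
    ("editor", "report", "own_tenant"): {"read"},
    ("viewer", "invoice", "own_tenant"): {"read"},
    ("viewer", "report", "own_tenant"): {"read"},
}

def undrawn_cells(matrix):
    """Return every role/resource/context combination nobody has decided on."""
    return [c for c in product(ROLES, RESOURCES, CONTEXTS) if c not in matrix]

def is_allowed(matrix, role, resource, context, action):
    """Deny by default: an undrawn cell or unknown value never grants access."""
    return action in matrix.get((role, resource, context), set())

def render(matrix):
    """Draw the matrix as text, marking undecided cells so review cannot miss them."""
    lines = []
    for cell in product(ROLES, RESOURCES, CONTEXTS):
        decision = matrix.get(cell)
        if decision is None:
            shown = "?? UNDRAWN"
        else:
            shown = ", ".join(sorted(decision)) or "(none)"
        lines.append(f"{cell[0]:<7} {cell[1]:<8} {cell[2]:<13} {shown}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(MATRIX))
    print("undrawn:", undrawn_cells(MATRIX))
```

Running `undrawn_cells` in CI turns a forgotten combination into a failed build instead of a runtime surprise.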