Authorization
Any back-end service with users will end up implementing some form of authorization (authz). While this is often done intuitively, there are more formal models for authz, and there are off-the-shelf libraries you can use to help implement those models.
This post will not discuss identifying the caller (authentication); it covers only what an identified caller is permitted to do (authz).