Adobe Experience Manager Sites & More

I am looking beyond these roles, where users's context and what users can do within the application. Built-in user/groups work well but have their limitations. Hence we are looking for more scalable and in-depth authorization options. 

There are multiple authorization frameworks in the market, but couldn't find an example of how to implement them. 

E.g. in a headless CMS,  I want to put authorization layer before user's action reaches to an API

The underlying repository is quite flexible, and also the authorization mechanism is extensible (although rarely done). But the authorization is implemented on the repository level; that means if you have read access to a resource, you can read it for whatever purpose you need to access it. That means, you can read this resource you cannot restrict that this read can only be done for download and not for a copy and paste action to a location where you have write access to.

So can you please provide a few examples for activities, which you want to authorize separately?

I am building a loyal rewards site. As part of this, I have multiple tiers for users Silver, Gold, Platinum 

I have created a sign-in flow with an external Identity provider (Okta, Microsoft AD, etc) I have a Graph structure that defines what users can do where and how. This structure is complex and goes beyond standard roles. E.g. https://play.fga.dev/sandbox/?store=github 

When a user logs in, based on his/her profile, I will show specific content. Showing content is slightly nuanced: I am not considering only the user tier to display the content; I want to consider the user's context, e.g., what a user can do within an application object (Claim a coupon, redeem a coupon, share a tweet).  

The FGA Example I have provided above can help, but I would need to build and use FGA APIs from scratch; I am looking for an OOTB way to do this. 

If you can represent your application objects in the repository, you can put ACLs on it and provide access to them via authorization. 

Then you could bind the code for this application object via a ResourceType to that object.

For example you create the the resource /content/actions/redeem-a-coupon. You only give read access for the groups "gold", because the "silver" members should not be able to redeem a coupon. Set a the "sling:resourceType" property to "myapp/actions/redeem-a-coupon" and implement the various actions below that resourcetype using various selectors.

And then you can make the UI calls like

* /content/actions/redeem-a-coupon.ui.html to display the dialog.

* /content/actions/redeem-a-coupon.submit.html to call the servlet which accepts the submission.

* ...

(You should be able to represent the relations between the various principals in the linked URLs via the AEM ootb functionality, users and groups.)

That's my challenge my Object repository is already defined externally and I am trying to integrate my content with it.
Also this approach would work for a standard role but may face scalability issues:
Check if a user is allowed to redeem a coupon if
1- He/She belongs to the silver tier
2- He/She can redeem a coupon if the coupon is for products A,B, C but not D
3- As a silver tier member allow redeem action for subscriber members only

It becomes challenging to create this sort of authorization data model. Please let me know if I am. missing anything 

Still looking........