Authorization is hard - and authorization is often conflated with authentication and identity. We think that tightly coupling "Identity and Access Management" in a single solution is the wrong approach. These two concerns should be clearly separated.
As your software becomes more complex, not maintaining this separation leads to problems. Back in 2016 we wrote a blog post that expressed this concern.
Identity is universal, whereas permissions are application-specific. This is why the identity system should not define permissions.
Instead, identity should be one of the inputs to an authorization system. The combination of identity and an application-specific policy produces the actual permissions for an application.
While there are many ways to model authorization, we found the concept of roles and permissions to be the most prevalent. Please watch the recording below from NDC London 2018 to get the full background.
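The separation described above can be sketched in a few lines. This is an added example, not code from the original page or from any product it describes: two applications evaluate the same identity against their own role and permission policy and arrive at different permissions. All class names, claim types, roles and permission names are hypothetical, and the sample identity is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the identity system asserts about a user. No permissions live here."""
    subject: str
    claims: frozenset  # (claim_type, value) pairs issued by the identity system


@dataclass
class Policy:
    """Application-specific policy: how identities map to roles, and roles to permissions."""
    role_subjects: dict  # role -> set of subject ids assigned directly
    role_claims: dict    # role -> set of (claim_type, value); any match grants the role
    permissions: dict    # permission -> set of roles that hold it

    def evaluate(self, identity):
        """Return (roles, permissions) for this identity in this application only."""
        roles = {r for r, subs in self.role_subjects.items() if identity.subject in subs}
        roles |= {r for r, wanted in self.role_claims.items() if wanted & identity.claims}
        perms = {p for p, holders in self.permissions.items() if holders & roles}
        return roles, perms


def is_allowed(policy, identity, permission):
    # Deny by default: a permission exists only if the policy grants it via a role.
    return permission in policy.evaluate(identity)[1]


# Constructed sample data: one identity, two applications with separate policies.
ALICE = Identity("alice-1", frozenset({("department", "cardiology")}))

CLINIC_POLICY = Policy(
    role_subjects={"nurse": {"bob-2"}},
    role_claims={"doctor": {("department", "cardiology")}},
    permissions={"PrescribeMedication": {"doctor"}, "ViewChart": {"doctor", "nurse"}},
)
BILLING_POLICY = Policy(
    role_subjects={"viewer": {"alice-1"}},
    role_claims={"clerk": {("department", "finance")}},
    permissions={"ViewInvoice": {"viewer", "clerk"}, "IssueRefund": {"clerk"}},
)

if __name__ == "__main__":
    for name, policy in (("clinic", CLINIC_POLICY), ("billing", BILLING_POLICY)):
        print(name, policy.evaluate(ALICE))
```

Changing what Alice may do in the billing application means editing only `BILLING_POLICY`; her identity and the clinic's policy are untouched.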