From what I have read, AirBnB and Google are the most well known companies using this sort of approach. Facebook on the other hand, (who have a very complex permissions model) build this into the domain model, so any user/service accessing data, is guaranteed to only get data they have permission to view. No need for every service to check, and impossible for them to not check, or apply the permissions incorrectly even after checking. This seems to be a common approach from other smaller companies I have discussed with. Each service is responsible for its own permissions. And when data is propagated between services (e.g. via RPC), permissions should be applied at this time.