Two more thoughts to add: -
1 - Operations that go on to other things i.e. if an operation updates other attributes or calls other operations does it automatically have access or still perform access control check as the user?
i.e. May want to stop a user from modifying indivudal attributes but let them call an operation that updates multiple at once.
2 - Pre-flight checks will be good but still need to consider the request may still fail authorization.
A users group membership may not be static.
Permissions on the server could be updated.