Every sensitive object access (e.g. access to a sensitive object within the database) MUST be authorized on the server-side (complete mediation).
Access controls SHOULD be applied on different layers if possible (e.g. URL, files, method and object layer) or via an indirection layer to reduce the risk of insecure object references.
Access controls MUST not only verify if the requesting entity has all required roles for specific access but also if this particular entity has the required permission to access a specific data object.
Every process and role SHOULD be implemented as restrictive as possible according to its particular business requirement.
For technical services/API APIs access see 8.13 Service & API Security.