Hacker News

rorylaitila, yesterday at 7:23 PM (0 replies)

I've standardized on a couple of defaults that save me a lot of pain down the road. First, I always tenant by an "Organization" as the article suggests, even when the initial organization is a user of one. This allows for creating teams or organization sharing. For anything other than a "will always be a single user app", every app eventually wants multi-user organizations.

Two, I appear as RBAC but implement ABAC under the hood. Technically the App is ABAC, but to the initial users, all they see are Roles. They cannot configure their resources. Later on, I can build interfaces for ABAC to manage their own Resources and Roles.

Bonus third, all Resources resolve to URL routes, GET or POST. The application firewall prevents calls to URLs for which they do not have resource permission. The server strips links and buttons from the HTML that they do not have permission for (or decorates them with a style). Thus there is no "if has resource show" code polluting my UI.
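The three defaults above (org tenancy, an RBAC facade over ABAC policies, and Resources that are just URL routes checked at one chokepoint) fit in a small authorization core. The following is an added example written for this page, not the commenter's code; the org/invoice routes, role names and the `INVOICES` sample data are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str              # the tenant ("Organization"), even for a team of one
    roles: frozenset         # what the user sees and is assigned: only Role names

# Constructed sample data: invoices owned by a user inside an org.
INVOICES = {"inv1": {"org": "acme", "owner": "alice"},
            "inv2": {"org": "acme", "owner": "bob"},
            "inv9": {"org": "globex", "owner": "carol"}}

# ABAC policies: predicates over (principal, path params parsed from the route).
def same_org(p, params):
    return params.get("org") == p.org_id

def owns_invoice(p, params):
    inv = INVOICES.get(params.get("id"))
    return same_org(p, params) and inv is not None and inv["owner"] == p.user_id

# Every Resource is (method, route pattern, policy). A "Role" is just a named
# bundle of Resources; users never configure the underlying policies directly.
INVOICE = r"/orgs/(?P<org>\w+)/invoices"
ROLES = {
    "viewer": [("GET", INVOICE, same_org),
               ("GET", INVOICE + r"/(?P<id>\w+)", same_org)],
    "editor": [("POST", INVOICE, same_org),
               ("POST", INVOICE + r"/(?P<id>\w+)", owns_invoice)],
    "admin":  [("POST", r"/orgs/(?P<org>\w+)/members", same_org)],
}

def is_allowed(p, method, url):
    """Application-firewall check: deny unless some role grants (method, url)."""
    for role in p.roles:
        for m, pattern, policy in ROLES.get(role, ()):
            match = re.fullmatch(pattern, url)
            if m == method and match and policy(p, match.groupdict()):
                return True
    return False  # default deny, including cross-tenant URLs

def render_nav(p, links):
    """Server-side stripping of links/buttons the principal may not use."""
    return [(label, m, url) for label, m, url in links if is_allowed(p, m, url)]
```

Because the same `is_allowed` gates both the request and the rendered links, the UI never needs its own permission checks, and a forged URL to another org's routes is rejected by the same code path.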