How to achieve fine grained access control in Kong

We’re planning to use Kong for our product which has multiple institutional clients. Each client has user roles e.g. Project Manager, Engineer and so on. We want to achieve multi-tenancy architecture with Kong taking care of authorization for API call, i.e. a request to route /projects/{orgId} such as /projects/1 should be validated if the business user making this request actually has been granted access to this particular route otherwise the request is rejected.

We’ve explored ACL plugin but it simply does blacklisting or whitelisting on consumer groups means we end-up creating services around Kong to manage consumers, groups, permissions etc. which seems a lot of work!

Also, because we need different permissions for different HTTP methods (i.e. GET, POST) applying ACL on routes mean create a different routes for each of the implemented methods on a path. This too sounds not right.

Please suggest what is the ideal approach in this scenario.