Declare which combinations of permissions are allowed to access an endpoint (e.g. school or course roles, and ownership/share permissions), similar to Zod
Create middleware to restrict these endpoints
An easy way to start is with school (user) roles only
Might be useful to look into Passport.js; they might have something already built for this
School + class level roles
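
A sketch of the declarative rules and the restricting middleware described above, as an added example that is not the project's code. Every name (schoolRole, courseRole, owner, sharedWith, anyOf, allOf, authorize, check) and the shapes of req.user, req.params.courseId and req.resource are assumptions; the middleware uses the Express-style (req, res, next) signature and denies by default.

```javascript
// Added example (not project code). All names and the req.user / req.resource
// shapes are assumptions made for illustration.

// Leaf rules: each returns a predicate over { user, courseId, resource }.
const schoolRole = (...roles) => (ctx) => roles.includes(ctx.user.schoolRole);
const courseRole = (...roles) => (ctx) => {
  const held = ctx.user.courseRoles || {};
  // Own-property check so a courseId such as "constructor" never matches.
  return Object.prototype.hasOwnProperty.call(held, ctx.courseId) &&
    roles.includes(held[ctx.courseId]);
};
const owner = () => (ctx) =>
  !!ctx.resource && ctx.user.id != null && ctx.resource.ownerId === ctx.user.id;
const sharedWith = () => (ctx) =>
  !!ctx.resource && (ctx.resource.sharedWith || []).includes(ctx.user.id);

// Combinators, composed the way Zod composes schemas. Empty rule lists deny.
const anyOf = (...rules) => (ctx) => rules.some((r) => r(ctx));
const allOf = (...rules) => (ctx) => rules.length > 0 && rules.every((r) => r(ctx));

// Middleware factory. Fails closed: no user gives 401, and a rule that
// returns anything other than true, or throws, gives 403.
function authorize(rule) {
  if (typeof rule !== "function") throw new TypeError("authorize() requires a rule");
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: "unauthenticated" });
    const ctx = { user: req.user, courseId: (req.params || {}).courseId, resource: req.resource };
    let allowed = false;
    try { allowed = rule(ctx) === true; } catch (err) { allowed = false; }
    if (!allowed) return res.status(403).json({ error: "forbidden" });
    return next();
  };
}

// Constructed policy: school admins, or teachers of this course who own the
// resource or have it shared with them.
const canEditAssignment = anyOf(
  schoolRole("admin"),
  allOf(courseRole("teacher"), anyOf(owner(), sharedWith()))
);

// Runs a middleware against a constructed request; returns "next" or the status code.
function check(middleware, req) {
  let outcome = null;
  const res = { status: (code) => ({ json: () => { outcome = code; } }) };
  middleware(req, res, () => { outcome = "next"; });
  return outcome;
}
```

Starting with school roles only means shipping just schoolRole and authorize; the course, ownership and share rules slot in later without changing the middleware.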