Role management concept for an API

I am currently working on my first headless system.
The API is written in PHP.
It basically consists of three parts:

  • endpoints
  • functions
  • output

Each request to an endpoint is passed to a function which passes the database response to the output.

In order to keep the number of functions manageable, I have made them relatively general.
For example, the lists of customers and employees are created by the same function and the corresponding table is passed via a parameter in the URL.

Now I want to create a rights management system in which the users have different roles and access is thus restricted.

I have thought of three possibilities for this:

  • Everything only in the frontend
    Not a good idea, as it is easily hackable.
  • Integrate the entire restriction into the output function.
    That's safe, but all records are queried first and then the ones that are not allowed are sorted.
  • Make the database queries "even" more dynamic.
    So each query to the database only asks for the rows that the respective role is allowed to see or change.
    This is very time-consuming and the idea of creating general functions is actually obsolete, because they then become very complex.

Is the last one the usual way?
Are there other concepts?
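An added PHP example (not the asker's code) of the third approach: the generic list function keeps a single code path, but a per-role policy map supplies the row predicate that is bound into the query, so rows the role may not see are never fetched, and the table parameter from the URL is only accepted when it matches a policy key. Table names, columns, roles and session fields below are assumptions.

```php
<?php
// Added example (not the asker's code): one generic list function whose
// query is narrowed per role, so disallowed rows are never fetched.
// Table names, column names, roles and session fields are constructed.
declare(strict_types=1);

// Policy: per role, which tables may be listed and which row predicate
// (SQL fragment + names of bound parameters) restricts what that role sees.
const POLICY = [
    'admin' => [
        'customers' => ['where' => '1=1',                'params' => []],
        'employees' => ['where' => '1=1',                'params' => []],
    ],
    'sales' => [
        'customers' => ['where' => 'owner_id = :uid',    'params' => ['uid']],
    ],
    'hr' => [
        'employees' => ['where' => 'department = :dept', 'params' => ['dept']],
    ],
];

// Generic list function: the table comes from the URL parameter, but only
// names present in the policy are ever interpolated into SQL (allow-list).
function listRows(PDO $db, string $role, array $session, string $table): array
{
    $rule = POLICY[$role][$table] ?? null;
    if ($rule === null) {
        // No rule means no access: fail closed instead of falling back to "all rows".
        throw new RuntimeException("role '$role' may not list '$table'", 403);
    }
    // $table is safe to interpolate here: it matched a policy key, not raw input.
    $sql  = sprintf('SELECT * FROM %s WHERE %s', $table, $rule['where']);
    $stmt = $db->prepare($sql);
    foreach ($rule['params'] as $name) {
        // Predicate values come from the authenticated session, never from the URL.
        $stmt->bindValue(':' . $name, $session[$name]);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with an in-memory SQLite database built for this example.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE customers (id INTEGER, name TEXT, owner_id INTEGER)');
$db->exec("INSERT INTO customers VALUES (1,'Acme',7),(2,'Globex',8)");

$session = ['uid' => 7, 'dept' => 'finance'];            // constructed session
print_r(listRows($db, 'sales', $session, 'customers'));  // query limited to owner_id = 7
try { listRows($db, 'sales', $session, 'employees'); }   // no rule for this pair: fails closed
catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

Adding a role or table is a policy entry, not a new function, which keeps the general functions general while the restriction still happens in the query rather than after it.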



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
