API permissions Best Practice

In the examples the context that is used in the policy contains the HTTP method and URL split.
I expected to see something around the resource, action and maybe some other parameters so the policy is reusable between different modules regardless of the specific invocation method.
Is this just a technical example? Is this considered a best practice? If not, are there resources about P&P?