Approach #1 doesn't seem all that bad, I feel that's the way to go, when it comes to authorization at granular level, the permission's data needs to persisted under the service's DB.
Syncing data across services in general is a common problem while building microservices, and it's possible via MQs (RabbitMQ, Kafka etc..)
Use Kafka (or Xyz MQ) to stream data across services, and let the service decide, if the incoming data makes sense, which it will then, either save to it's DB, or discard it. I'm pretty sure consistency won't be a problem at all, with all the retry mechanism available.
Hope this helps!