Hello, in the photoz example you use a policy to check against the resource owner. $permission.resource != null && $permission.resource.owner.equals($identity.id) Is there a way to set the owner via the Admin REST API? I tried (see below) but this doesn't work ResourceOwnerRepresentation owner = new ResourceOwnerRepresentation(); resourceOwnerRepresentation.setName("Me")); ResourceRepresentation resource = new ResourceRepresentation(); resource.setName("Resource Me"); resource.setOwner(resourceOwnerRepresentation); resource.setUri("/cxf/api/v1/customers/Me/*); client.authorization().resources().create(resource); I didn't even find a way to set the owner via WebUI. But this isn't important for me. Mit freundlichen Grüßen / with best regards christian lutz / B. Sc. software engineering inovel elektronik gmbh inovel systeme AG gebhardstr. 7 88046 friedrichshafen phone +49 (0) 7541 39900-35 fax +49 (0) 7541 39900-99 mail christianlutz(a)inovel.de web www.inovel.de inovel elektronik gmbh general manager: axel dittus, robert steinhauser hrb 632191 amtsgericht ulm; VAT Reg. No.: DE811926597 inovel systeme AG board of management: markus spinnenhirn (chairman), axel dittus, robert steinhauser chairman of the supervisory board: joachim zodel registered office: friedrichshafen; hrb 728443 amtsgericht ulm; VAT Reg. No.: DE814611877 This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. inovel disclaims any and all liability if this email transmission was virus corrupted, altered or falsified.