As a work-around I added a policy that authorizes resource owners: if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) $evaluation.grant() and a permission that uses that policy.