I have a permission requirement on objects that only owners or Admin role users can update. I am ok with the Role part, using hasRole('admin'). But I am not sure how to write ownership checking into a generic rule. Anyone has solved a similar problem? Thanks.