I have Region and School domain models that both extend \TYPO3\Party\Domain\Model\AbstractParty. School and Region have a ManyToOne relation. I want a SchoolManager to be able to access his own School after login, and a RegionManager to be able to manage all schools in his region.
I have the Policy entry below:

    roles:
      SchoolManager:
      RegionManager: ['SchoolManager']
    resources:
      entities:
        'Hwwcn\Sponsor\Domain\Model\School':
          Hwwcn_Sponsor_Schools_All: 'ANY'
          Hwwcn_Sponsor_Schools_Own: 'this.name != NULL && this.acccounts contains current.securityContext.account || this.region == current.securityContext.party'
          Hwwcn_Sponsor_Schools_Other: 'this.name != NULL &&! this.accounts contains current.securityContext.account || this.region != current.securityContext.party'
    acls:
      SchoolManager:
        entities:
          Hwwcn_Sponsor_Schools_All: GRANT
          Hwwcn_Sponsor_Schools_Own: GRANT
          Hwwcn_Sponsor_Schools_Other: DENY

This configuration makes SchoolRepository fetch zero schools for both SchoolManager and RegionManager.