and it sounds like you'd need for the

policy

to carry the permissions but the relation between the user and the object to say "which thing"