03/01/2023, 2:11 AM
I'd assume that your application's business domain would expose the parent entity anyway as part of the child creation, so you need to know that entity ID anyway. E.g. you definitely need to know the GitHub user or organization that will be the "owner" of a repo. You cannot create a repo without them. So from a semantics point of view, it makes sense to me that you are checking "permission to create child in the parent". If the parent is not really applicable here, another strategy is to define a "singleton parent". For example, you could have a "root" object definition, and your application code would hardcode that resource ID in the corresponding PermissionCheck call, e.g. "root:root".