An ownable node defines an owner identity. The owner has always full privileges. These privileges are independent of the permissions set by exo:permissions. At JCR level, the ownership is implemented by an exo:owneable mixin. This mixin holds an owner property.

<nodeType name="exo:owneable" isMixin="true" hasOrderableChildNodes="false" primaryItemName="">

   <propertyDefinitions>

      <propertyDefinition name="exo:owner" requiredType="String" autoCreated="true" mandatory="true" onParentVersion="COPY"

                          protected="true" multiple="false">

         <valueConstraints/>

      </propertyDefinition>        

   </propertyDefinitions>

</nodeType>

The exo:owner property value contains exactly one identity string value. There might be a long list of different permissions for different identities (user or groups). All permissions are always positive permissions; denials are not possible. When checking a permission of an action, it's therefore perfectly sufficient that the principal of a session belongs to the groups to which the concerned action is granted.