Currently it is possible to define an "owner = self" restriction, like this:
but (1) it works only for ShadowType, and (2) it does not work for searches.
The idea is to provide this for other objects (e.g. roles, orgs, certification campaigns), and do it in such a way that it would work for all operations, including searches.
Use case: a role that gives its holder the right to see campaigns he/she owns.
See also TestSecurity.test250AutzJackSelfAccountsRead.