How to deal with resource control in RBAC?

At usebubbles.com we’re looking into integrating Auth0.

So far we’ve identified that we’ll need to create roles (e.g. TeamAdmin, TeamMember, etc.) and permission (e.g. CreateComment, DeleteComment). What’s missing for us is how to perform authorization based on whether the user actually has access to the requested resource.

If user A owns resource X and has role TeamMember, they may be able to delete resource X given that the TeamMember role has the DeleteComment permission. But what if resource X is owned by user B, and not by user A? How do we ensure that user A cannot delete user B’s resources, and how does this relate to RBAC? How would one implement this with Auth0?

Similarly, what if we cannot simply assume that users can only access their own resources, but that for example a TeamAdmin may delete all resources within a given team, while TeamMembers may only delete their own resources? How would one implement this and where is this documented in the Auth0 documentation?

From reading up at permissions - How to design an Access Control system that is quick to implement and understand, yet maintainable and flexible enough? - Information Security Stack Exchange it seems like ABAC would be preferable to RBAC. How would one implement ABAC and write dynamic policies with auth0?

Alternatively, we could inflate the number of permissions and make them access aware, e.g. instead of having a permission “DeleteComment”, we’d have “DeleteOwnerComment” and “DeleteTeamComment”. But doesn’t that go against RBAC standards? Which method is recommended?