Forum OpenACS Q&A: Xowiki permissions policy for application mash-up using Xowiki

My specific goal is as follows:

I will have a "record card" for each object (let us say library books for example). The record card will hold verified factual information about the books in several fields. These fields will all have the same permissions and will be managed by a team of admins, readable by all users. (Standard ::xowiki::FormPage so far).

However, I also want to allow users to add 'personal notes' to the book's record, so that when viewing the book's record each user can also see their own personal notes (but only their own personal notes) as if this were an additional field in the formpage with different permissions set.

I thought perhaps I could use a separate xowiki instance for the personal notes, with a different security policy set. I would then use an inter-instance include to diplay the personal notes in the formpage template for the relevant book:

{{en:my_book__note__party_id}}

What is the best way to achieve this using xowiki?

I have studied the code for security policies 1-5 but am not entirely clear on the detail. Am I correct in thinking that policy5 will restrict all actions to the user owning the object?

The problems I can see I have to solve are:

i) notes must appear when present for the logged-in user but not throw an error if absent.

ii) each object could have a notes page for every user. I have to solve the naming problem (perhaps object+party_id).

iii) each user must only be able to see their own personal notes for the object.

I would really appreciate some ideas on the best way to tackle this as I'd like to get it right on the first iteration if possible.

Many thanks,
Richard