For the type based approach, I use Type-level access control. That solution works, with the drawback noted above.
For the creator based approach, I use Source-level access control, which references the user. If user id could be used to control access in Pawtucket, in addition to the access field, that would do it. No idea if this involves extensive or spot modifications.
Thanks,
Etienne