ap2i/config/api_platform/Access/access.yaml

resources:
  App\Entity\Access\Access:
    - operations:
        ApiPlatform\Metadata\GetCollection: ~

        ApiPlatform\Metadata\Get:
          security: '(is_granted("ROLE_USERS_VIEW") and object.getOrganization().getId() == user.getOrganization().getId()) or (object.getId() == user.getId())'

        ApiPlatform\Metadata\Put:
          security: 'is_granted("ROLE_USERS") or (object.getId() == user.getId())'

        ApiPlatform\Metadata\Delete: ~

    - operations:
        ApiPlatform\Metadata\GetCollection:
          name: 'cget_students'
          uriTemplate: '/students'
          security: 'is_granted("ROLE_USERS_VIEW")'

    - operations:
        ApiPlatform\Metadata\GetCollection:
          name: 'cget_access_person_ref'
          uriTemplate: '/access_people'
          normalization_context:
            groups: [ 'access_people_ref' ]

    - operations:
        ApiPlatform\Metadata\Get:
          name: 'get_access_address'
          uriTemplate: '/access_addresses/{id}'
          requirements:
            id: '\d+'
          normalization_context:
            groups: [ 'access_address', 'address' ] ]
          security: 'object.getOrganization().getId() == user.getOrganization().getId()'