On a particular object, how can I allow 'update' only by the 'owner' of that object, but only through 'server code' and not directly from the app?
If I understood the permissions model well, then if the owner is allowed in the 'owner policy', the 'system roles' permissions for that table/object won't matter.
You are right. Owner permissions have higher priority than ServerCodeUser role permissions. As a workaround you can allow update for ServerCodeUser. Then in BL code, in the beforeUpdate event handler, you can check the ownerId property and, if it equals the current user id (which you can get from the context), update it; if not, throw some exception.
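The workaround from the answer above, as an added example that is not code from the original thread. It is plain JavaScript: the server-code SDK wiring (the `Backendless.ServerCode.Persistence.beforeUpdate` registration and the `req.item` / `req.context.userId` shape) is an assumption shown only in a comment, and the in-memory `table` is constructed for the demo. Two details a practitioner would want that the answer does not spell out: the ownerId is read from the stored record, not from the incoming item (a client can put any ownerId on the payload it sends), and the stored ownerId is written back so an update cannot transfer ownership.

```javascript
// Added example: owner-only update enforced in a beforeUpdate handler.
// Assumes ServerCodeUser has been granted 'update' on the table and that
// direct client updates are denied, so this handler is the only path.

class NotOwnerError extends Error {
  constructor(message) {
    super(message);
    this.name = 'NotOwnerError';
  }
}

// Core check. `stored` is the object as it exists in the database (not the
// incoming item, whose ownerId a client could set to anything); `userId` is
// the caller's identity taken from the request context.
function assertOwner(stored, userId) {
  if (!stored) {
    throw new NotOwnerError('object not found');
  }
  if (!userId) {
    // Anonymous callers own nothing; deny explicitly rather than letting an
    // undefined === undefined comparison slip through.
    throw new NotOwnerError('no authenticated user in context');
  }
  if (stored.ownerId !== userId) {
    throw new NotOwnerError('only the owner may update this object');
  }
  return true;
}

// Handler logic with the database lookup injected so it runs offline.
// `req.item` is the incoming (possibly partial) update and
// `req.context.userId` the caller (assumed request shape). Returns the item
// that should be written, with ownerId pinned to the stored value.
function beforeUpdate(req, findById) {
  const stored = findById(req.item.objectId);
  assertOwner(stored, req.context.userId);
  return { ...req.item, ownerId: stored.ownerId };
}

// Constructed in-memory table standing in for the real data store.
const table = {
  'obj-1': { objectId: 'obj-1', ownerId: 'user-A', title: 'hello' },
};
const findById = (id) => table[id] || null;

// Hypothetical SDK wiring (assumption, not verified here):
// Backendless.ServerCode.Persistence.beforeUpdate('Notes', (req) =>
//   beforeUpdate(req, (id) => Backendless.Data.of('Notes').findById(id)));

// Owner updates succeed (and cannot change ownerId); a non-owner is rejected.
function demo() {
  const ok = beforeUpdate(
    { item: { objectId: 'obj-1', title: 'edited', ownerId: 'user-B' },
      context: { userId: 'user-A' } },
    findById
  );
  let denied = null;
  try {
    beforeUpdate(
      { item: { objectId: 'obj-1', title: 'hijack' },
        context: { userId: 'user-B' } },
      findById
    );
  } catch (e) {
    denied = e.name;
  }
  return { ok, denied };
}
```

In a real deployment the lookup is asynchronous and the handler returns a promise; the structure stays the same, only `findById` and `beforeUpdate` become `async` and are awaited.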