We have recently added "tenancy" to the project.
With tenancy, every resource have a tenant, where resource can be a delivery-service, a server (future) and even a user.
We are now starting to enforce access-control based on the resource tenancy. A user can manage a resource only if the resource is under the user tenancy.
This JIRA deals with another step of "delivery-service as a resource" as well as "user as a resource" - enforcing via the API access control on DS to User: The logged in user should have access to both the DS as well as the user assigned to it.