User Permission on foreign entries

Have a look here:

Alternatively to the context rules, you can use the collections.find.before event to adjust the filter to search only for entries with _by => $user['_id'].