I think I might have guessed right regarding an access policy. How much "customization" does each resource need regarding its access? I would assume not much, and that they all typically pick from a small handful of possibilities.
If so then you have access policies, a resource uses an access policy, every user has something to consume policies in a similar design, then you manage access through those secondary objects.
user <-> permission policy <-> access policy <-> resource
The principle here is that a resource does not try to decide how and where it can be used - it has a policy which manages that. And a user doesn't decide how and what it can use - it has permissions that decide.
Consider a roller coaster ride. They'll have a sign saying "you must be this tall to ride" and a person who enforces that; the roller coaster is the resource and the sign is the access policy. When someone wants to ride, they present themselves; they are a user and their permissions are their physical appearance (ie. height). The person who enforces the height requirement would then be the code used to implement the system - someone who understands the access policy, the permissions, and how to evaluate the two together.