Both. Usually the service has a table of "shares" and the owner(s) attached to the actual row. Thus determining if a user has a right to do something looks like this:
select 1 from kites k
join shares s on (s.model = 'kites' and :operation in s.rights)
where :user in k.owner or s.user = :user
