diff --git a/src/main/java/org/caosdb/server/permissions/EntityACI.java b/src/main/java/org/caosdb/server/permissions/EntityACI.java
index ccc889decafc941484432c99bf48908c21dff209..34d713eb69179cf7e88103cca2dd901077ffc092 100644
--- a/src/main/java/org/caosdb/server/permissions/EntityACI.java
+++ b/src/main/java/org/caosdb/server/permissions/EntityACI.java
@@ -1,9 +1,10 @@
 /*
- * ** header v3.0
  * This file is a part of the CaosDB Project.
  *
  * Copyright (C) 2018 Research Group Biomedical Physics,
  * Max-Planck-Institute for Dynamics and Self-Organization Göttingen
+ * Copyright (C) 2021 IndiScale GmbH <info@indiscale.com>
+ * Copyright (C) 2021 Timm Fitschen <t.fitschen@indiscale.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -18,11 +19,12 @@
  * You should have received a copy of the GNU Affero General Public License
  * along with this program. If not, see <https://www.gnu.org/licenses/>.
  *
- * ** end header
  */
+
 package org.caosdb.server.permissions;
 
 import java.util.HashMap;
+import java.util.Set;
 
 public final class EntityACI {
 
@@ -72,4 +74,16 @@ public final class EntityACI {
     map.put("bitSet", getBitSet());
     return map;
   }
+
+  public boolean isGrant() {
+    return EntityACL.isAllowance(bitSet);
+  }
+
+  public boolean isPriority() {
+    return EntityACL.isPriorityBitSet(bitSet);
+  }
+
+  public Set<EntityPermission> getPermission() {
+    return EntityACL.getPermissionsFromBitSet(bitSet);
+  }
 }
diff --git a/src/main/java/org/caosdb/server/permissions/EntityACL.java b/src/main/java/org/caosdb/server/permissions/EntityACL.java
index cfa436d59ae25971a08d4314a7f668a70cf75bbf..ce76cf5283847ad0e17886daa80b06548541c030 100644
--- a/src/main/java/org/caosdb/server/permissions/EntityACL.java
+++ b/src/main/java/org/caosdb/server/permissions/EntityACL.java
@@ -191,7 +191,9 @@ public class EntityACL {
   public static final List<ResponsibleAgent> getOwners(final Collection<EntityACI> acl) {
     final List<ResponsibleAgent> owners = new ArrayList<>();
     for (final EntityACI aci : acl) {
-      if (isOwnerBitSet(aci.getBitSet()) && !aci.getResponsibleAgent().equals(OWNER_ROLE)) {
+      if (aci.isGrant()
+          && isOwnerBitSet(aci.getBitSet())
+          && !aci.getResponsibleAgent().equals(OWNER_ROLE)) {
         owners.add(aci.getResponsibleAgent());
       }
     }
diff --git a/src/test/java/org/caosdb/server/permissions/EntityACLTest.java b/src/test/java/org/caosdb/server/permissions/EntityACLTest.java
index 1787c902f48124d692f8c53e4a73ed04564dfe8f..28b4322333f771a3480e4d386b7e77fb2977590b 100644
--- a/src/test/java/org/caosdb/server/permissions/EntityACLTest.java
+++ b/src/test/java/org/caosdb/server/permissions/EntityACLTest.java
@@ -23,6 +23,7 @@
 package org.caosdb.server.permissions;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
@@ -30,6 +31,7 @@ import java.io.IOException;
 import java.util.BitSet;
 import java.util.HashSet;
 import java.util.LinkedList;
+import java.util.Set;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.Subject;
 import org.caosdb.server.CaosDBServer;
@@ -395,4 +397,37 @@ public class EntityACLTest {
       assertTrue(EntityACL.isPriorityBitSet(aci.getBitSet()));
     }
   }
+
+  @Test
+  public void testOwnership() {
+    EntityACLFactory f = new EntityACLFactory();
+    f.grant(
+        org.caosdb.server.permissions.Role.create("the_owner"), false, EntityPermission.EDIT_ACL);
+    f.deny(
+        org.caosdb.server.permissions.Role.create("someone_else"),
+        false,
+        EntityPermission.EDIT_ACL);
+    EntityACL acl = f.create();
+    assertEquals(1, acl.getOwners().size());
+    assertEquals("the_owner", acl.getOwners().get(0).toString());
+  }
+
+  @Test
+  public void testPermissionsFor() {
+    EntityACLFactory f = new EntityACLFactory();
+    f.deny(org.caosdb.server.permissions.Role.ANONYMOUS_ROLE, false, EntityPermission.EDIT_ACL);
+    f.grant(org.caosdb.server.permissions.Role.OWNER_ROLE, false, "*");
+    EntityACL acl = f.create();
+
+    Subject anonymous = SecurityUtils.getSubject();
+    anonymous.login(AnonymousAuthenticationToken.getInstance());
+    assertTrue(AuthenticationUtils.isAnonymous(anonymous));
+
+    assertNotNull(acl);
+    assertTrue(acl.getOwners().isEmpty());
+    final Set<EntityPermission> permissionsFor =
+        EntityACL.getPermissionsFor(anonymous, acl.getRules());
+
+    assertFalse(permissionsFor.contains(EntityPermission.RETRIEVE_ENTITY));
+  }
 }