diff --git a/pkg/accesscontrol/access_store.go b/pkg/accesscontrol/access_store.go
index fa9de0d6..f71bcebf 100644
--- a/pkg/accesscontrol/access_store.go
+++ b/pkg/accesscontrol/access_store.go
@@ -5,6 +5,10 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 )
+type AccessSetLookup interface {
+ AccessFor(user user.Info) *AccessSet
+}
+
 type AccessStore struct {
 users *policyRuleIndex
 groups *policyRuleIndex
diff --git a/pkg/schema/collection.go b/pkg/schema/collection.go
index 57a53505..a5cbb21e 100644
--- a/pkg/schema/collection.go
+++ b/pkg/schema/collection.go
@@ -29,7 +29,7 @@ type Collection struct {
 byGVR map[schema.GroupVersionResource]string
 byGVK map[schema.GroupVersionKind]string
- as *accesscontrol.AccessStore
+ as accesscontrol.AccessSetLookup
 }
 type Template struct {
@@ -46,7 +46,7 @@ type Template struct {
 ComputedColumns func(data.Object)
 }
-func NewCollection(baseSchema *types.APISchemas, access *accesscontrol.AccessStore) *Collection {
+func NewCollection(baseSchema *types.APISchemas, access accesscontrol.AccessSetLookup) *Collection {
 return &Collection{
 baseSchema: baseSchema,
 schemas: map[string]*types.APISchema{},
diff --git a/pkg/server/config.go b/pkg/server/config.go
index 96181e4f..666bf1a0 100644
--- a/pkg/server/config.go
+++ b/pkg/server/config.go
@@ -5,6 +5,7 @@ import (
 "net/http"
 "time"
+ "github.com/rancher/steve/pkg/accesscontrol"
 "github.com/rancher/steve/pkg/auth"
 "github.com/rancher/steve/pkg/schema"
 "github.com/rancher/steve/pkg/schemaserver/types"
@@ -30,6 +31,7 @@ type Server struct {
 Namespace string
 BaseSchemas *types.APISchemas
+ AccessSetLookup accesscontrol.AccessSetLookup
 SchemaTemplates []schema.Template
 AuthMiddleware auth.Middleware
 Next http.Handler
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 3f7abf13..2b7b8521 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
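Review bot: The exported `AccessSetLookup` interface added in pkg/accesscontrol/access_store.go has no doc comment, yet it is the contract every replacement authorization lookup will be written against. Because `AccessFor` returns a pointer, the comment should say whether a nil `*AccessSet` is a permitted result and how callers must treat it (presumably as "no access", to be confirmed against the users in pkg/schema), and whether implementations must be safe for concurrent use. A starting point would be `// AccessSetLookup resolves the AccessSet that describes what a user may access.` above the type. As a smaller style point, the parameter name `user` shadows the imported `user` package; `AccessFor(u user.Info)` avoids that.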
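Review bot: The `AccessSetLookup` field added to `Server` in pkg/server/config.go is undocumented, although setting it replaces the source of per-user access data for the whole server. Going by the pkg/server/server.go hunk, a nil value falls back to `accesscontrol.NewAccessStore(server.RBAC)` and any other value is used as-is, so the field deserves a comment such as `// AccessSetLookup overrides how per-user access sets are resolved; if nil, an AccessStore built from RBAC is used.` The struct starts and ends outside the hunk.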
@@ -61,7 +61,12 @@ func setup(ctx context.Context, server *Server) (http.Handler, *schema.Collectio
 server.BaseSchemas = resources.DefaultSchemas(server.BaseSchemas, server.K8s.Discovery(), ccache)
 server.SchemaTemplates = append(server.SchemaTemplates, resources.DefaultSchemaTemplates(cf)...)
- sf := schema.NewCollection(server.BaseSchemas, accesscontrol.NewAccessStore(server.RBAC))
+ asl := server.AccessSetLookup
+ if asl == nil {
+ asl = accesscontrol.NewAccessStore(server.RBAC)
+ }
+
+ sf := schema.NewCollection(server.BaseSchemas, asl)
 sync := schemacontroller.Register(ctx, server.K8s.Discovery(), server.CRD.CustomResourceDefinition(),
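Review bot: The `if asl == nil` guard in `setup` only catches an unset interface value. A typed nil, for example a nil `*accesscontrol.AccessStore` assigned to `server.AccessSetLookup`, compares non-nil, so it skips the RBAC-backed default and is passed to `schema.NewCollection`, where a later `AccessFor` call would presumably panic on the nil receiver. `NewCollection` in pkg/schema/collection.go has the same gap: it is exported, now accepts the interface, and the visible part of its body shows no nil check. At minimum, document on the field that it must be left unset rather than assigned a nil pointer, and add `// Fall back to the RBAC-backed store when no custom lookup is configured.` above the guard. `setup` starts and ends outside the hunk.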