diff --git a/doc/06-Security.md b/doc/06-Security.md
index a207d5209..e0848f405 100644
--- a/doc/06-Security.md
+++ b/doc/06-Security.md
@@ -214,6 +214,16 @@ results of this query instead:
          |
          +--- service_handled = 0
 
+#### Username placeholder <a id="username-placeholder"></a>
+
+The string `$user:local_name$` is replaced by the local username (without the domain part) of the logged on user while evaluating restrictions.
+This can come in handy if you have some kind of attribute on host or service level defining which user is responsible for a certain host or service.
+
+**Example**
+
+```
+monitoring/filter/objects = (_responsible=$user:local_name$|_deputy=$user:local_name$)
+```
 
 #### Stacking Filters <a id="stacking-filters"></a>
 
diff --git a/library/Icinga/User.php b/library/Icinga/User.php
index c96bace1c..0d237831d 100644
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@@ -252,6 +252,10 @@ class User
      */
     public function setRestrictions(array $restrictions)
     {
+        foreach ($restrictions as $name => $restriction) {
+            $restrictions[$name] = str_replace('$user:local_name$', $this->getLocalUsername(), $restriction);
+        }
+
         $this->restrictions = $restrictions;
         return $this;
     }