Checking permissions on classes and objects based on Symfony ACL roles

I would like to create a system where I can check permissions based on the role of the user. I'm using Symfony ACL. I've granted class permissions in the ACL; here's the code:

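// Imports needed at the top of the controller file:
// use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
// use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
// use Symfony\Component\Security\Acl\Permission\MaskBuilder;

public function addContractPermission()
{
    // Build the permission bitmasks for each role
    $adminBuilder = new MaskBuilder();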
    $adminBuilder->add('view')
                 ->add('edit')
                 ->add('delete');

    $adminMask = $adminBuilder->get();

    $guestBuilder = new MaskBuilder();
    $guestBuilder->add('view');

    $guestMask = $guestBuilder->get();

    $aclProvider = $this->get('security.acl.provider');

    // Use class for object identity as below
    $oid = new ObjectIdentity('agreement', 'Company\\Entity\\Agreement');

    $acl = $aclProvider->createAcl($oid);

    $securityAdminIdentity = new RoleSecurityIdentity("ROLE_ADMIN");
    $securityGuestIdentity = new RoleSecurityIdentity("ROLE_GUEST");

    // grant owner access to users with above role
    $acl->insertClassAce($securityAdminIdentity, $adminMask);
    $acl->insertClassAce($securityGuestIdentity, $guestMask);

    $aclProvider->updateAcl($acl);

    return $this->render('FintelBundle:Security:addcontractsecurity.html.twig', array(
            'utente' => $this->getUser(),
            'message' => 'Added ROLE_ADMIN mask('.$adminMask.') e ROLE_GUEST mask('.$guestMask.')'
    ));
}

When I'm listing my "Agreement" I'm checking if the current user can edit, in my Twig file.

{% block content %}
<h3>Agreements</h3>
<ol>
{% for agreement in agreements %}
    <li>{{ agreement.description }} - Author: {{ agreement.user.username }} - 
{% if(is_granted('EDIT', agreement))  %}Edit{% endif %}</li>
{% endfor %}
</ol>
{% endblock %}

In this case I'm always obtaining false, even if my user has ROLE_ADMIN.

If I change the Twig (is_granted checks not the object but the string) to

{% block content %}
<h3>Agreements</h3>
<ol>
{% for agreement in agreements %}
    <li>{{ agreement.description }} - Author: {{ agreement.user.username }} - 
{% if(is_granted('EDIT', 'agreement'))  %}Edit{% endif %}</li>
{% endfor %}
</ol>
{% endblock %}

It's always true even if my user is a simple ROLE_GUEST.

Where am I wrong?