diff --git a/packages/strapi-admin/services/permission/engine.js b/packages/strapi-admin/services/permission/engine.js
index 4fe4eee082..2d975f3bd9 100644
--- a/packages/strapi-admin/services/permission/engine.js
+++ b/packages/strapi-admin/services/permission/engine.js
@@ -2,7 +2,7 @@
 const _ = require('lodash');
 const { map, filter, each } = require('lodash/fp');
-const { defineAbility } = require('@casl/ability');
+const { AbilityBuilder, Ability } = require('@casl/ability');
 module.exports = conditionProvider => ({
 /**
@@ -24,14 +24,16 @@ module.exports = conditionProvider => ({
 * @returns {function(*, *): Promise}
 */
 generateAbilityCreatorFor(user) {
- return async (permissions, options) =>
- defineAbility(async can => {
- const registerFn = this.createRegisterFunction(can);
+ return async (permissions, options) => {
+ const { can, build } = new AbilityBuilder(Ability);
+ const registerFn = this.createRegisterFunction(can);
- for (const permission of permissions) {
- await this.evaluatePermission({ permission, user, options, registerFn });
- }
- });
+ for (const permission of permissions) {
+ await this.evaluatePermission({ permission, user, options, registerFn });
+ }
+
+ return build();
+ };
 },
 /**
diff --git a/packages/strapi-plugin-content-manager/controllers/ContentManager.js b/packages/strapi-plugin-content-manager/controllers/ContentManager.js
index 97e1512ddb..3543d25b4c 100644
--- a/packages/strapi-plugin-content-manager/controllers/ContentManager.js
+++ b/packages/strapi-plugin-content-manager/controllers/ContentManager.js
@@ -159,7 +159,7 @@ module.exports = {
 throw strapi.errors.forbidden();
 }
- const sanitize = e => pm.sanitize(e, { subject: ACTIONS.create });
+ const sanitize = e => pm.sanitize(e, { subject: model });
 const userId = user.id;
 const { data, files } = ctx.is('multipart') ? parseMultipartBody(ctx) : { data: body };
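Review bot: The rewritten arrow function in `generateAbilityCreatorFor` carries no comment on the ordering it now relies on: every `evaluatePermission` call is awaited before `build()` runs, and with no try/catch a rejection from any permission rejects the whole creator instead of yielding a partially populated ability. I would state that above the loop, e.g. `// Register every rule before build(); a failing permission rejects the call rather than returning a partial ability.` The JSDoc line `@returns {function(*, *): Promise}` could also name the resolved value, `Promise<Ability>`. The method's docblock starts above the hunk, so the rest of it is not visible here.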
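Review bot: `pm.sanitize(e, { subject: model })` now passes the model as a subject type instead of the entity being returned, so if `pm.sanitize` resolves permitted fields through the CASL ability, rules that carry conditions are presumably matched at type level only and not evaluated against `e` — worth confirming in `pm.sanitize`, which is outside this hunk. The call also names no action, so the field set used for the create response depends on whatever default `pm.sanitize` applies; if the option exists, passing the action explicitly would make the intent readable at the call site. A regression test asserting that the create response contains only the fields the role may see for this model would pin the fix. The enclosing controller action starts and ends outside the hunk.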