diff --git a/invenio_config_tuw/permissions/generators.py b/invenio_config_tuw/permissions/generators.py
index a5d89e641567c9ef129f17d2d378da4ae7b474eb..83df3b4e2a901d0a1a29d5499d26b3268117ecc3 100644
--- a/invenio_config_tuw/permissions/generators.py
+++ b/invenio_config_tuw/permissions/generators.py
@@ -9,10 +9,18 @@ from flask import current_app
 from flask_login import current_user
 from flask_principal import RoleNeed, UserNeed
 from invenio_access.permissions import any_user
-from invenio_rdm_records.services.generators import SecretLinks
+from invenio_rdm_records.services.generators import ConditionalGenerator, SecretLinks
 from invenio_records_permissions.generators import Generator
 
 
+class IfPublished(ConditionalGenerator):
+    """Allows record owners with the "trusted-publisher" role."""
+
+    def _condition(self, record=None, **kwargs):
+        """Check if the record has been published."""
+        return record is not None and record.is_published
+
+
 class DisableIf(Generator):
     """Denies ALL users including super users, if a condition is met."""
 
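Review bot: The class docstring on `IfPublished` describes a different generator (it looks copied from the role-based ones) and says nothing about the published-state switch. Something like `"""Apply then_ generators if the record is already published, else_ otherwise."""` would match what `_condition` does. It is also worth stating in the `_condition` docstring that a missing record (`record is None`) evaluates to False and therefore selects the `else_` branch; in this commit's only use that is the stricter branch, and a future caller should not flip it by accident. How `ConditionalGenerator` dispatches on `_condition` is defined outside this diff, so this assumes the usual then/else semantics.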
@@ -94,6 +102,14 @@ def TrustedPublisherRecordOwners(exclude=False):
     return RecordOwnersWithRole("trusted-publisher", exclude=exclude)
 
 
+def TrustedPublisherForNewButTrustedUserForEdits(exclude=False):
+    """Require "trusted-user" for edits, but "trusted-publisher" for new records."""
+    return IfPublished(
+        then_=[TrustedRecordOwners(exclude=False)],
+        else_=[TrustedPublisherRecordOwners(exclude=False)],
+    )
+
+
 secret_links = {
     "edit": [SecretLinks("edit")],
     "view": [SecretLinks("edit"), SecretLinks("view")],
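Review bot: The `exclude` parameter of `TrustedPublisherForNewButTrustedUserForEdits` is accepted but never used, because both inner calls hard-code `exclude=False`. A caller passing `exclude=True` would silently get the allow-style generators instead of an exclusion, which is an easy mistake to miss in a permission policy. Either forward it, `then_=[TrustedRecordOwners(exclude=exclude)]` and `else_=[TrustedPublisherRecordOwners(exclude=exclude)]`, or drop the parameter; the only call site visible in this diff passes no argument. Whether `ConditionalGenerator` combines excludes from its branches as expected is not visible here and should be confirmed before forwarding.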
diff --git a/invenio_config_tuw/permissions/policies.py b/invenio_config_tuw/permissions/policies.py
index 429f8236edf2dbafc501b6ad34e875ad182cc868..8dde1720e5081bf83e1ca29b14ed27df4d0e3bb9 100644
--- a/invenio_config_tuw/permissions/policies.py
+++ b/invenio_config_tuw/permissions/policies.py
@@ -26,7 +26,7 @@ from invenio_requests.services.permissions import (
 
 from .generators import (
     DisableIfReadOnly,
-    TrustedPublisherRecordOwners,
+    TrustedPublisherForNewButTrustedUserForEdits,
     TrustedRecordOwners,
     TrustedUsers,
     secret_links,
@@ -101,7 +101,7 @@ class TUWRecordPermissionPolicy(RDMRecordPermissionPolicy):
     can_delete_draft       = can_curate + [DisableIfReadOnly()]                                                         # noqa
     can_new_version        = can_curate + [DisableIfReadOnly()]                                                         # noqa
     can_lift_embargo       = can_manage + [DisableIfReadOnly()]                                                         # noqa
-    can_publish            = can_basics + [TrustedPublisherRecordOwners(), DisableIfReadOnly()]                         # noqa
+    can_publish            = can_basics + [TrustedPublisherForNewButTrustedUserForEdits(), DisableIfReadOnly()]         # noqa
 
     # disabled (record management in InvenioRDM goes through drafts)
     can_update             = [Disable()]                                                                                # noqa
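Review bot: `can_publish` is now state-dependent, but nothing on the policy line says so, and the relaxation covers every later publish of an already-published record, not only minor edits. A short comment above it would make the intent auditable, e.g. `# first publication requires "trusted-publisher"; re-publishing edits of a published record only requires "trusted-user"`. Tests that pin both branches would guard against regressions: an owner with only "trusted-user" is denied on a never-published draft and allowed on a draft of a published record, plus the no-record case. It is also worth confirming that a new-version draft reports `is_published` as false, so that new versions still need the publisher role; that attribute is defined outside this diff.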