Cancan gem help .. as I Can..not ;-)

I'll be grateful to any cancan guru to give me some advice on how to
formulate the abilities in a structure with associations ...

I have the following tree association :

Subdomain (has_one) > Portfolio (has_many) > Projects (has_many) >
Payments
Subdomain (has_many) > Users (w roles)

I want a 'user' with role 'owner' to be able to manage all model
instances in the hierarchy ONLY within his subdomain

I wrote ( need to understand if it's fine ... or if there is a better
way... I know CanCan 2.0 is coming but..)

class Ability
  include CanCan::Ability
  def initialize(user)
   user ||= User.new

      subdomain = user.subdomain
      can :manage, Portfolio, :subdomain_id => subdomain[:id]
      can :create, Project
      can :modify, Project, :portfolio => {:subdomain_id =>
subdomain[:id]}
      can :create, Payment
      can :modify, Payment, :project => {:portfolio => {:subdomain_id
=> subdomain[:id]} }

Why is it not possible to check the subdomain on 'create' when
resources are not nested ? I tried
can :create, Project, :portfolio => {:subdomain_id => subdomain[:id]}
but then it raises a CanCan::AccessDenied error on form submit..

thanks for your feedback