The system itself is the first entity and the system administrator is the first actor. Initially, the administrator has all rights to the system and anything in it, so in social terms is the dictator of the domain. Access control then begins with one actor and one object and develops from there as content is added and other actors are invited to participate. While traditional access control lets an administrator arbitrarily set any right, like an all-powerful tyrant, legitimate access control enables the benevolent dictatorship proposed by Plato. Yet it is still a software dictatorship, as even Wikipedia is a benevolent dictatorship, not a democracy. For a system like the Internet that was created by many people, the rules are more complex, as it is “owned” by all the people who made it. This chapter covers rights for an application, not the Internet as a whole.
The access control system mediates all rights to the system. For any system that involves actors, the access control software defines what those actors are allowed to do. Since we have concluded that software has no self to act socially, it must allocate all system rights to actors that represent people. If an access control system were to itself allocate rights, it would have to respond to an access request from itself which is circular. This gives the first access control rule:
Rule 1. All rights to access control entities must be allocated to actors at all times.
All entity rights must be allocated to an actor, so when, say, a new post is added, all rights to it must be defined immediately, although later they can be re-allocated. When a person posts a comment on a bulletin board, the access control system must know right away who can edit and delete it. It is not possible to leave rights undefined, as that would require the access control software to decide for itself about a right should it be invoked.
Corollary: The system administrator initially has all rights to the system.
In a single owner system, the administrator has all rights to it. For example, the administrator of a smartphone is its owner, who can uninstall any app. So when the owner installs an app, the software needs their permission to do things like download updates to itself. Current apps deny this right by taking opt-in privileges, which puts the onus on the owner to, say, turn off update downloads for every app while roaming to avoid a massive bill. An access control system that applies Rule 1 turns this around, putting the onus on the app to ask permission before the first update download. The phone owner could then set it to happen automatically, or turn off updating entirely for apps they never use.
In an online community, the administrator allocates rights to others. To develop a community, the administrator must delegate rights to others in the system. Doing this legitimately makes them a leader, not a tyrant. For example, to censor a photo in a collection delegated to another actor, the administrator can't just delete it: the access control system requires them to first take back ownership of the collection before letting them reject the photo in it. To then put things back as they were, they have to offer ownership of the photo collection back to its original owner, who may choose not to accept it, as they may be offended at being overruled. Legitimate access control lets an administrator unravel a social structure to do what they want, but not force others to do their bidding, as will be seen.
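The photo collection procedure above, together with Rule 1 and its corollary, can be made concrete in a small ownership model. The following Python is an added example written for this page, not code from the chapter or any system it describes; the class names (`Registry`, `Entity`), the operations (`offer`, `accept`, `decline`, `reclaim`, `reject`) and the actor names are all assumptions. It encodes three constraints: an entity cannot exist without an owner, ownership only moves by offer and acceptance (the recipient can decline), and the administrator's only unilateral power is to reclaim ownership, after which they may reject an item in the collection but cannot force the original owner to take it back.

```python
"""Toy 'legitimate access control' model: every entity always has exactly one
owning actor (Rule 1), the administrator owns the system at creation (corollary),
and ownership changes only by offer-and-accept, except for an administrator reclaim.
Hypothetical example; all names below are assumptions, not an existing API."""
from typing import Dict, Optional


class AccessError(Exception):
    """Raised when an actor invokes a right it does not hold."""


class Entity:
    def __init__(self, name: str, owner: str, parent: Optional["Entity"]) -> None:
        # Rule 1: an entity is never created without an owner.
        if not owner:
            raise AccessError(f"{name}: every entity needs an owner at creation")
        self.name = name
        self.owner = owner
        self.parent = parent
        self.children: Dict[str, "Entity"] = {}


class Registry:
    def __init__(self, admin: str) -> None:
        self.admin = admin
        # Corollary: the administrator initially holds all rights to the system.
        self.entities: Dict[str, Entity] = {"system": Entity("system", admin, None)}
        self.offers: Dict[str, str] = {}  # entity name -> actor ownership is offered to

    def _get(self, name: str) -> Entity:
        if name not in self.entities:
            raise AccessError(f"no such entity: {name}")
        return self.entities[name]

    def add(self, actor: str, name: str, parent: str) -> Entity:
        """Create an entity inside a container the actor owns; the creator owns it at once."""
        container = self._get(parent)
        if container.owner != actor:
            raise AccessError(f"{actor} does not own {parent}")
        entity = Entity(name, actor, container)
        container.children[name] = entity
        self.entities[name] = entity
        return entity

    def offer(self, actor: str, name: str, to: str) -> None:
        """The owner offers ownership to another actor; nothing changes until accepted."""
        if self._get(name).owner != actor:
            raise AccessError(f"{actor} does not own {name}")
        self.offers[name] = to

    def accept(self, actor: str, name: str) -> None:
        if self.offers.get(name) != actor:
            raise AccessError(f"no offer of {name} to {actor}")
        self._get(name).owner = actor
        del self.offers[name]

    def decline(self, actor: str, name: str) -> None:
        """Declining leaves ownership where it was; the entity is never left unowned."""
        if self.offers.get(name) != actor:
            raise AccessError(f"no offer of {name} to {actor}")
        del self.offers[name]

    def reclaim(self, actor: str, name: str) -> None:
        """The administrator may take back ownership of any entity without consent."""
        if actor != self.admin:
            raise AccessError(f"only {self.admin} may reclaim")
        self.offers.pop(name, None)
        self._get(name).owner = actor

    def reject(self, actor: str, name: str) -> None:
        """Remove an item from its container; requires owning the container, not the item."""
        entity = self._get(name)
        if entity.parent is None:
            raise AccessError("the system itself cannot be rejected")
        if entity.parent.owner != actor:
            raise AccessError(f"{actor} must own {entity.parent.name} to reject {name}")
        del entity.parent.children[name]
        del self.entities[name]

    def owner_of(self, name: str) -> str:
        return self._get(name).owner


def photo_scenario() -> dict:
    """Walk through the delegated-collection case from the text (constructed actors)."""
    reg = Registry("admin")
    reg.add("admin", "photos", "system")
    reg.offer("admin", "photos", "alice")
    reg.accept("alice", "photos")            # alice now owns the collection
    reg.add("alice", "photo1", "photos")     # and the photo she posts into it
    try:
        reg.reject("admin", "photo1")        # admin can't just delete it
        direct = "allowed"
    except AccessError:
        direct = "denied"
    reg.reclaim("admin", "photos")           # admin must first take the collection back
    reg.reject("admin", "photo1")            # only then may the photo be rejected
    reg.offer("admin", "photos", "alice")    # admin offers the collection back
    reg.decline("alice", "photos")           # alice may refuse; admin keeps it
    return {"direct_reject": direct,
            "photo_present": "photo1" in reg.entities,
            "collection_owner": reg.owner_of("photos")}
```

Running `photo_scenario()` shows the administrator's direct rejection denied, the photo gone only after the reclaim, and the collection still owned by the administrator because the offer was declined; at no point does any entity lack an owner.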