Directive 74: Identity Never Determines Permissions
Permissions define what actions are allowed. When identity, reputation, or perceived trust determines access, systems lose control boundaries and security erodes.
This directive requires permissions to be rule-based, not identity-based.
The Core Principle
Access must be explicit.
Permissions should be granted by defined roles, scopes, and rules. Identity describes a person; it does not authorize action.
A disciplined system separates identity from access.
Why This Fails for Most People
Most people conflate trust with permission.
Common failures include:
- Granting access based on reputation
- Allowing informal privilege escalation
- Bypassing role checks for familiarity
- Letting seniority override access controls
Implicit access creates hidden risk.
The Gyōji Directive
Grant permissions through rules and roles only.
If access is granted because of identity, the system is invalid.
Implementation Protocol
- Define roles and permission scopes explicitly.
- Enforce access checks mechanically.
- Prohibit identity-based exceptions.
- Audit permissions regularly.
- Revoke excess access promptly.
Permissions must be deliberate.
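The protocol above, worked through in code as an added example (this is not code from the directive or its author): roles carry explicit (resource, action) scopes, the access check reads only the subject's roles, an audit pass reports scopes a subject holds but never exercises, and revocation edits the role set rather than the identity. The role names, scopes, subjects and audit log are all constructed for the illustration; the identity-exception function is included only to show the failure the directive prohibits.

```python
"""Rule-based authorization with audit and revocation (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Scope = Tuple[str, str]  # (resource, action)

# Constructed role table: the only source of permissions in this system.
ROLE_SCOPES: Dict[str, FrozenSet[Scope]] = {
    "viewer": frozenset({("report", "read")}),
    "editor": frozenset({("report", "read"), ("report", "write")}),
    "admin": frozenset({("report", "read"), ("report", "write"),
                        ("report", "delete"), ("user", "manage")}),
}


@dataclass(frozen=True)
class Subject:
    name: str
    roles: FrozenSet[str]
    seniority_years: int = 0  # descriptive attribute; never an input to the decision


def permitted_scopes(subject: Subject) -> FrozenSet[Scope]:
    """Union of the scopes of every role held; an unknown role grants nothing."""
    granted: Set[Scope] = set()
    for role in subject.roles:
        granted |= ROLE_SCOPES.get(role, frozenset())
    return frozenset(granted)


def is_allowed(subject: Subject, resource: str, action: str) -> bool:
    """Mechanical rule check: the decision depends on roles and nothing else."""
    return (resource, action) in permitted_scopes(subject)


def is_allowed_with_identity_exception(subject: Subject, resource: str,
                                       action: str, trusted_names: Set[str]) -> bool:
    """The anti-pattern the directive prohibits, shown for contrast: a name on an
    allow-list bypasses the role check, so the role table no longer describes
    who can actually do what."""
    if subject.name in trusted_names:
        return True
    return is_allowed(subject, resource, action)


def excess_scopes(subject: Subject,
                  audit_log: Iterable[Tuple[str, str, str]]) -> FrozenSet[Scope]:
    """Audit step: scopes granted by role but never exercised in the log.
    Log entries are (subject_name, resource, action); the result lists
    candidates for revocation."""
    used = {(res, act) for name, res, act in audit_log if name == subject.name}
    return frozenset(permitted_scopes(subject) - used)


def revoke_roles(subject: Subject, roles: Iterable[str]) -> Subject:
    """Revocation acts on the role set; the subject's identity is unchanged."""
    return Subject(subject.name, subject.roles - frozenset(roles),
                   subject.seniority_years)


# Constructed sample subjects and audit log.
ALICE = Subject("alice", frozenset({"editor"}), seniority_years=12)
BOB = Subject("bob", frozenset({"viewer", "admin"}))
AUDIT_LOG = [
    ("alice", "report", "read"),
    ("alice", "report", "write"),
    ("bob", "report", "read"),
]

if __name__ == "__main__":
    # Seniority buys nothing: alice's roles do not include delete.
    print("alice delete:", is_allowed(ALICE, "report", "delete"))
    # The identity exception would grant it anyway, which is the failure mode.
    print("alice delete via name:",
          is_allowed_with_identity_exception(ALICE, "report", "delete", {"alice"}))
    # Audit shows bob holds admin scopes he never uses; revoke the role.
    print("bob excess:", sorted(excess_scopes(BOB, AUDIT_LOG)))
    bob_after = revoke_roles(BOB, ["admin"])
    print("bob manage users after revocation:",
          is_allowed(bob_after, "user", "manage"))
```

The decision function takes the subject's roles and the requested scope and nothing else, so adding a field such as reputation to `Subject` cannot change an outcome without also changing the role table. Any exception has to appear as a role, where the audit can see it.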
Common Errors
- Confusing trust with authorization
- Allowing ad hoc access
- Delaying revocation to avoid discomfort
- Treating experience as entitlement
Enforcement Rule
If identity determines permission, the system is invalid.
Final Order
Authorize by rule. Ignore reputation.