BACK TO DIRECTIVES
Directive 64

Identity Never Determines Permissions

Permissions define what actions are allowed. When identity or perceived trust determines access, systems lose control boundaries and security erodes.

This directive requires permissions to be rule-based, not identity-based.

The Core Principle

Access must be explicit.

Permissions should be granted by defined roles, scopes, and rules. Identity describes a person; it does not authorize action.

A disciplined system separates identity from access.

Why This Fails for Most People

Most people conflate trust with permission.

They grant access based on reputation. They allow informal privilege escalation. They bypass role checks for familiarity. They let seniority override access controls.

Implicit access creates hidden risk.

The Gyōji Directive

Grant permissions through rules and roles only.

If access is granted because of identity, the system is invalid.

Implementation Protocol

  1. Define roles and permission scopes explicitly.
  2. Enforce access checks mechanically.
  3. Prohibit identity-based exceptions.
  4. Audit permissions regularly.
  5. Revoke excess access promptly.

Permissions must be deliberate.

Common Errors

  • Confusing trust with authorization.
  • Allowing ad hoc access.
  • Delaying revocation to avoid discomfort.
  • Treating experience as entitlement.

Enforcement Rule

If identity determines permission, the system is invalid.

Final Order

Authorize by rule. Ignore reputation.

Subscribe to the Protocol