diff --git a/access-control.md b/access-control.md
new file mode 100644
index 0000000..17677c4
--- /dev/null
+++ b/access-control.md
@@ -0,0 +1,10 @@
+Every [[cons space]] object has an access control list.
+
+The possible values of that list (and its interpretation) are
+
+* NIL : only system-privileged functions can access the object ('system private');
+* TRUE : every user can access the object;
+* A list : in which case it's equivalent to 
+    (member? current-user (flatten acl))
+
+The reason for using *(flatten acl)* is that groups of users may be added to access control lists as sublists, recursively. Note that if the sublist of the access control list which contains the current user is not readable by the current user, then the object will not be readable by the current user.
\ No newline at end of file