...
Here the user signs the Tier 1 agreement upon account creation. (Omitted are the steps in which the client retrieves the schema and the current ACL to determine that the user doesn't have the necessary permissions.)
Tier 2 Approval Process
This approval requires two hurdles, the Tier 1 agreement plus a new agreement which may be specific to the requested layer. Upon approval Synapse adds the User to the Access Control List for the Layer. 
How do you revoke approval?
1) remove the <User, Role> Permission> from the layer's ACL (or the <Group, Role> if all the users were added to a group).
2) delete the approvalProcess and accessRequirements objectspermission requirement from the entity.
Tier 3 Approval Process
Here we have the added complexity of an external ACT. An "ACT daemon" is added to send approval requests to the ACTand to listen for replies. The interaction with the user is asynchronous: While waiting for approval the user may do other things (though not access the requested layer). Finally she receives an email saying the request was approved.
...