...
This approval requires two hurdles, the Tier 1 agreement plus a new agreement which may be specific to the requested layer.
How do you revoke approval?
1) remove the <User, Permission> from the layer's ACL.
2) delete the permission requirement from the entity.
...
Here we have the added complexity of an external ACT. An " ACT daemon" is added to send approval requests to the ACTand to listen for replies. The interaction with the user is asynchronous: While waiting for approval the user may do other things (though not access the requested layer). Finally she receives an email saying the request was approved.
