-Each API transaction (read, write, create, etc.) is done on behalf of a person.
-
-* An end user, via a web app
-* The owner of an installed app
-
-A user (person) is permitted to act on an object if there is a path (series of permission Links) from the acting user to the object in which
-
-* Every intervening object is a Group or a User, and
-* Every intervening permission Link allows the current action
-
-Each object has exactly one _owner_, which can be either a User or a Group.
-
-* If the owner of X is A, then A is permitted to do any action on X.
-
-h3. Tokens
-
-An authorization token is issued at a user's request, and supplied to an API client using some suitable mechanism (_e.g._, cookie or application config file for a web app; environment variable or .rc-file for a CLI app).
-
-A user can have multiple valid tokens at a given time. At the user's option, a token can be restricted to a combination of
-
-* API client program
-* time interval
-* transaction type
-
-h3. System pseudo-user
-
-A privileged user account exists for the use of built-in Arvados system components. This user manages system-wide shared objects which can't really be "owned" by any particular user, like
-
-* Jobs and job steps (because a given job can be "wanted" by multiple users)
-* Provenance metadata (because no user should be able to modify this directly)
-* Storage metadata like
-** redundancy verified as N× at time Y
-** contents of collections A and B are identical
-
-The system pseudo-user's uuid is @{siteprefix}-tpzed-000000000000000@.
-
-h2. Example scenarios
-
-h3. 1. Private objects
-
-Alfred stores 3 data Collections in Keep and adds them to a new Group.
-
-The Collections and the Group can only be seen by Alfred, administrators, and the system user.
-
-The data in the Collections can only be retrieved by Alfred, administrators, and the system user.
-
-h3. 2. Public objects
-
-George creates a "PGP public data" Group, and grants "read" permission to all users.
-
-* ...by adding a Link: "All users" Group _can_read_→ "PGP public data" Group
-
-George stores 4 data Collections in Keep and adds them to the "PGP public data" Group
+* All Arvados objects have an @owner_uuid@ field. Valid uuid types for @owner_uuid@ are "User" and "Group".
+* The User or Group specified by @owner_uuid@ has *can_manage* permission on the object.
+** This permission is one way: A User or Group's @owner_uuid@ being equal to @X@ does not imply any permission for that User/Group to read, write, or manage an object whose @uuid@ is equal to @X@.
+* Applications should represent each object as belonging to, or being "inside", the Group/User referenced by its @owner_uuid@.
+** A "project" is a subtype of Group that is treated as a "Project" in Workbench, and as a directory by @arv-mount@.
+** A "role" is a subtype of Group that is treated in Workbench as a group of users who have permissions in common (typically an organizational group).
+* To change the @owner_uuid@ field, it is necessary to have @can_write@ permission on both the current owner and the new owner.
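Review bot: the permission ordering the new bullets depend on is never stated: the owner is said to have *can_manage* on the object, while changing @owner_uuid@ requires @can_write@ on both the current and the new owner, and nothing in the hunk says whether can_manage implies can_write or how the two relate; one line giving the ordering (e.g. "can_manage implies can_write implies can_read") would let a reader check the move rule against the ownership rule. The "one way" sub-bullet is also hard to parse as written ("A User or Group's @owner_uuid@ being equal to @X@ does not imply any permission ... on an object whose @uuid@ is equal to @X@"); a clearer phrasing is: being owned by X grants no permission on X, only owning X does. Two smaller points: *can_manage* is in bold while @can_write@ and @owner_uuid@ use @code@ markup, so pick one convention for permission names; and the removed Tokens, System pseudo-user (including its uuid) and Example scenarios sections have no counterpart in the added text, so if they moved to another page a pointer here would help.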