Abstract: Meta access-control, also called access administration, ensures that users do not make unauthorized access definitions. Such control in a collaborative system must support fine-grained protection, a flexible scheme for assigning access administrators, joint ownership of shared objects, multiple ownership semantics of varying complexity, delegation of access rights, and both shallow and deep revocation. It should also be easy to implement in a variety of applications, easy to use by users of varying sophistication with different protection needs, and offer a small set of features that can be incrementally learned. We have designed a new model to meet these requirements and implemented and used it in a generic, extensible collaborative system. We have also developed techniques for simulating a large variety of existing policies for meta access-control. In particular, we have developed an implementation-independent technique of indirect roles to support flexible de legation and revocation. In this paper, we identify requirements of meta access control, describe our model together with the techniques for using it, compare it with related work, give our experience with it, and evaluate how well it meets the requirements.