Data processing is liable to civil and criminal law just as many other human activities of a civilized world. Thus in particular for data objects in a data processing environment, ownership and author or originator rights apply as to other objects in the real world. Accordingly, basic requirements for an access control system in a data processing environment must be based on these rights. This article derives and discusses most general originator rights based requirements for access control systems. Furthermore, we particularize and refine these requirements for data processing systems from large commercial organizations, which are outstanding with very many users and data objects to be managed, with an interference between individual and organizational rights, and with clearly identifiable tasks to be processed successfully. We argue that legal requirements to these access control systems are in particular met by usage conditions, describe this concept and give some examples for concrete implementation of corresponding access control systems.