The access control problem in computer security is fundamentally concerned with the ability of system entities to see, make use of, or alter various system resources. We provide a mathematical framework for modelling and reasoning about (distributed) systems with access control. This is based on a calculus of resources and processes together with a Hennessy–Milner-style modal logic, based on the connectives of bunched logic, for which an appropriate correspondence theorem obtains. As a consequence we get a consistent account of both operational behaviour and logical reasoning for systems with access control features. In particular, we are able to introduce a process combinator that describes, as a form of concurrent composition, the action of one agent in the role of another, and provide a logical characterization of this operator via a modality ‘says'. We give a range of examples, including analyses of co-signing, roles, and chains of trust, which illustrates the utility of our mathematical framework.