There should be a notion of user rights management and access restrictions.
This information should be stored in a DB table with the following fields: the two entities (the rule's subject and its object) and the kind of operation allowed (such as view, edit, delete, comment, tag/untag, etc.).
I think it is enough for MM1 to allow only single users as rule subjects, but we will definitely face design problems in the future. It may be useful to have a notion of entity owner, blog editors, or even custom groups.
The problem with rule objects is that they can be entities of all different kinds: blogs, articles, comments, tags. Moreover, it is mandatory that a group of entities can be controlled by a single rule, such as all articles carrying a specific tag.
Storing all entities in their textual representation, such as "blog:alapos", "user:baldvin", "article:tag:politics", is the most straightforward way, but we should consider performance issues, since almost every operation would involve an access check.
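To make the textual-representation idea concrete, here is an added example (not part of the original note) of such a rule table and a default-deny check that resolves an article to every key a rule could target: the article itself, its blog, and one key per tag. The column names, the sqlite backend and the sample rules and articles are assumptions; the point is that a tag-level rule covers all articles with that tag in a single query.

```python
import sqlite3

# Assumed column names; the note only says "two entities and an operation".
SCHEMA = """
CREATE TABLE acl (
    subject   TEXT NOT NULL,   -- e.g. 'user:baldvin'
    object    TEXT NOT NULL,   -- e.g. 'blog:alapos', 'article:tag:politics'
    operation TEXT NOT NULL,   -- view, edit, delete, comment, tag, untag
    PRIMARY KEY (subject, object, operation)
);
"""

# Constructed sample data: each article belongs to a blog and carries tags.
ARTICLES = {
    "article:42": {"blog": "blog:alapos", "tags": ["politics", "economy"]},
    "article:43": {"blog": "blog:alapos", "tags": ["sport"]},
}

# Constructed sample rules in the textual representation from the note.
SAMPLE_RULES = [
    ("user:baldvin", "blog:alapos", "view"),
    ("user:baldvin", "article:tag:politics", "edit"),
    ("user:alapos", "blog:alapos", "edit"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO acl VALUES (?, ?, ?)", SAMPLE_RULES)
    return conn


def object_keys(article_id):
    """Every key a rule could use to reach this article."""
    art = ARTICLES[article_id]
    return [article_id, art["blog"]] + [f"article:tag:{t}" for t in art["tags"]]


def is_allowed(conn, subject, article_id, operation):
    """Default deny: True only if some rule matches subject, operation and
    one of the article's keys. One indexed query per check."""
    keys = object_keys(article_id)
    marks = ",".join("?" * len(keys))  # only '?' placeholders, no user text
    row = conn.execute(
        f"SELECT 1 FROM acl WHERE subject = ? AND operation = ? "
        f"AND object IN ({marks}) LIMIT 1",
        [subject, operation, *keys],
    ).fetchone()
    return row is not None
```

Because object_keys grows with the number of tags, a cache of resolved keys per article (or per request) is where the performance concern from the note would be addressed.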
