I think applications that allow you to restrict access to some resource are generally missing something. What they're missing is a way for people who don't have access to ask for it. You can't read that file? Send email. Can't subscribe to that list? Send email. Can't book that conference room? Send email.

Email itself isn't the problem. But by forcing users to go out-of-band to request permissions, we at least double the person-time required to grant a new permission. The software, in rejecting a person's request, already knows the user, desired resource, and what permissions are requested. In an email, the user will say "I need to be able to reserve conference room X on Monday afternoon." The recipient needs to then translate that into the permissions system of the application. First, you must map a user's email-sending identity to her application-using identity; many apps have their own user database which you'll have to search by last name. Second, you need to look up the record for conference room X. Finally, you need to decide which permissions to add. Is the user allowed to book conferences already, but just needs to be added to a special list for room X? Is she allowed to book room X, just not on Mondays? Depending on the application's permissions model, there could be a lot of different options here.

The last step, choosing the specific permissions to grant, is the only part of this that requires input from the application administrator. So the ideal approach would allow the administrator to grant a permissioning request without entering any other data.

So, emails are right out.

The user who desires permission should request permissions through the application. Any "you can't do that" messages should be accompanied by a "request permission to do that" button.

Pressing that button should notify the administrator of the request. Rather than translating an email into applicationese, he should be able to choose from the available permissioning options (or denial) right in the notification.