Who makes the rules for digital signatures?
In reality, the person accepting them. The security mechanism(s) used in any system are set by the person sending the information. However, the recipient is the one who decides what to do with it (what to trust, what to believe). So regardless of what is claimed in a certificate, the recipient has to make their own decision about what they are going to do. It doesn’t matter whether the decision is about access control or authorization. The recipient must consider all the information available to them (which may include information in a certificate) before taking action.