We consider an IoT system where IoT devices are ubiquitous, distributed all over the environment. When some situation arises dynamically, the IoT services may collaborate to cope with the situation in a timely manner. During such collaboration, the collaborating IoT devices may have to access each other in order to accomplish the task. The accesses could involve the information and/or the control. To avoid causing security and privacy problems, sharing requires proper access control. Since there exists no preestablished security domain and the collaborating entities could belong to any owners, such as individuals, companies, organizations, and government agencies, the access control task in such open environment can be challenging. In this paper, we first survey existing access control models and analyze their suitability for such open IoT systems. Then, we propose a new model, Role-InverseView (RIV), for access control in open systems. In conventional role-based access control (RBAC) models, roles are defined by the security officers of an organization and are for subjects internal to the organization. In an open system, there is no predefined set of subjects and accessors could be anyone in the world. In RIV, we consider an inverse view of RBAC. Specifically, the owner of the resources defines its own version of roles and role hierarchy based its own view of the world of subjects who may access its IoT data and services. Permissions can then be defined on these owner defined roles. However, how to map the accessors to these RIV roles is an issue. We propose to mine the accessor information from the Internet and determine the role assignment accordingly. An infrastructure design is also presented to achieve efficient role mining and access validation.