In the Internet of Things (IoT) context, the number of connected devices can be too large for a centralised server. This paper focuses on how to enforce authorisation in such a distributed and dynamic environment. The key idea is to use a blockchain-based technology both as a way to maintain a common distributed ledger to store and use access control information, and as a way to enforce Access Control policies in the form of smart contracts. An implementation of an access-control system is presented as a proof of concept: it corresponds to an adaptation of the Capability-based Access Control Model (CapBAC) in the form of a transaction family in Hyperledger Sawtooth. The main claim is that the features and simplicity of CapBAC magnify the usefulness of a blockchain to control the access in the IoT.