Discussion of Condition Side-Effects

The total order property of the set 80#80 defined in () requires that policy elements that differ only by the order of condition elements are considered to be distinct. This property is important to deal with possible side effects caused by the condition evaluation. Consider a policy ``Tom can read file 1#1 only if notification is sent (notification condition) and system threat condition is low ( 103#103 condition)''. Assume that current system threat level is low. Assume that the notification about Tom reading file A triggers high system threat level. There are two ways to represent the policy in our model:

104#104

The evaluation of 105#105 results in access grant, however evaluation of 106#106 results in denial.

In this section we will discuss determining the correct order of the condition elements in the policy statement 4#4 defined in ().