We do not allow the use of disjunction in the representation of elements of the
set 9#9. Disjunctive-form policies such as ``Tom or Joe can read file 1#1'',
``Tom can read either file 1#1 or 2#2'' and ``Tom can either read or
write file 1#1'' are modeled by using separate policy statements.
Let us consider the exclusive 63#63 policy representation: ``Tom can read
files 1#1 or 2#2, but not both''. This policy is a variant of the Chinese
wall policy [6], required in the operation of many financial
services. The policy guards against conflicts of interest. A consultant
can freely choose a company to advise. However, once the
company has been chosen, the consultant is mandatorily denied access to
information about all other companies. This policy can be implemented using
an additional condition, let us call it
64#64.
This condition activates the history of execution.
In conventional access control models, a subject has been a separate notion. A subject is an entity on whose behalf a request to access an object has been issued. Traditionally, policy conceptualization is based on three basic entity types: objects, access rights and subjects. Some of the possible logical groupings of these entities, such as ACL and capability, have become practical implementations of the Lampson matrix [8].
In ACL-based systems, policies are grouped by objects. A typical ACL is associated with an object (or a group of objects) to be protected and enumerates the list of authorized subjects and their rights to access the object.
In the capability-based systems, policies are grouped by subjects. A capability lists sets of objects accessible by the subject along with the types of access rights.
These logical groupings can be represented in our model.
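The sketch below is an added example, not code from the original paper. It stores one policy statement per (subject, right, object) triple, enforces the "file 1 or file 2, but not both" policy with a condition evaluated over the execution history, and derives the ACL and capability groupings from the same statements. The names `Monitor`, `CONFLICT_CLASSES`, `acl_view` and `capability_view`, and the sample subjects and files, are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample policy: one statement per (subject, right, object),
# with no disjunction inside a statement.
STATEMENTS = [
    ("tom", "read", "file1"),
    ("tom", "read", "file2"),
    ("joe", "read", "file1"),
    ("joe", "write", "file3"),
]
# Hypothetical conflict classes: a subject may use at most one object per set.
CONFLICT_CLASSES = [{"file1", "file2"}]

class Monitor:
    def __init__(self, statements, conflict_classes):
        self.statements = set(statements)
        self.conflict_classes = conflict_classes
        self.history = defaultdict(set)  # subject -> objects already accessed

    def history_allows(self, subject, obj):
        # History condition: deny if the subject already accessed a
        # different object in the same conflict class.
        for cls in self.conflict_classes:
            if obj in cls and (self.history[subject] & cls) - {obj}:
                return False
        return True

    def request(self, subject, right, obj):
        granted = ((subject, right, obj) in self.statements
                   and self.history_allows(subject, obj))
        if granted:
            self.history[subject].add(obj)  # only granted accesses are recorded
        return granted

def _group(statements, key_index, inner_index):
    view = defaultdict(lambda: defaultdict(set))
    for stmt in statements:
        view[stmt[key_index]][stmt[inner_index]].add(stmt[1])
    return {k: dict(v) for k, v in view.items()}

def acl_view(statements):
    # Grouped by object: object -> {subject: rights}
    return _group(statements, 2, 0)

def capability_view(statements):
    # Grouped by subject: subject -> {object: rights}
    return _group(statements, 0, 2)
```

Because only granted requests enter the history, a denied attempt on the second file does not lock the subject out of the first.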