Footnotes

... adaptive ¹

The term ``adaptive'' in this paper is used to indicate that the security policy to be enforced depends on the current state of the system, e.g., system load, system threat level or time of day (more restrictive organizational policy may be enforced during after hours).

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... resources ²

Mutual authentication may be required to prove the server identity to the user.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... object ³

Our framework supports negative rights. If all conditions associated with the negative right are met, the access is denied.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... block ⁴

The total order property is important to deal with possible side effects caused by the condition evaluation.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

... once ⁵

E.g., locking a file to place a hold on user account.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.