Next: Read and Write Conditions Up: Conditions Previous: Conditions


Evaluation of Conditions

Note that in the implementation, some of these conditions might have side effects. For example, evaluation of a payment or quota condition reduces a balance. Evaluation of a notification condition results in a message being sent, which is useful for auditing.

Unfortunately, side effects complicate the system. Ignoring them might cause problems when the side effects create a feedback loop, for example, when an audit record triggers a network threat detection that affects the evaluation of subsequent policies, or when a payment affects quotas, which in turn affect the ability to perform other operations (once one runs out of money).

Another problem caused by the side effects is possible inconsistency of the authorization result. For example, consider the policy ``Tom can shut down host 6#6 only if a notification is sent (notification) and the system threat level is low (system_threat_level:low)''. Assume that the current system threat level is low. Assume further that the notification about Tom shutting down the host raises the system threat level to high (this may indicate an attempted denial of service attack). There are two ways to evaluate the conditions. The first evaluates system_threat_level:low and then notification; this evaluation order results in the access being granted. The second evaluates the notification condition first and then system_threat_level:low; this evaluation order results in the access being denied.

All side effects of condition evaluation are recorded in the corresponding system variables. At the lowest level, a system variable is an abstraction for bits or bytes in the system that change as a result of system execution. However, to model a system variable affected by the evaluation of the notification condition (a message must be sent), we need a higher level of abstraction. Thus, a system variable is an abstract notion of a system entity that represents a data item, e.g., a file, a message or a record in a database. Each system variable has a name and a value.

We assume that there exists a set of software components 7#7. Each software component 8#8 can access system variables of a particular type. For example, a system variable that represents a file is accessed by a file system. A system variable that represents a notification is accessed by a notification protocol, or by a transport protocol such as e-mail or HTTP.

We assume that each software component 9#9 has abstract 10#10 and 11#11 operations as part of its functionality. The read operation 12#12 returns the value of the system variable 13#13. The write operation 14#14 assigns a new value 15#15 to the system variable 13#13.
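The following is an added example, not code from the original page, that puts the two ideas above together: system variables owned by software components with abstract read and write operations, and a side-effecting notification condition whose write feeds back into a threat monitor, so that the Tom/host policy grants or denies depending on evaluation order. All class, function, component and variable names (SystemVariable, SoftwareComponent, SystemState, evaluate_policy, "mail", "threat_monitor", "outbox", "system_threat_level") and the detector rule are assumptions made for this illustration.

```python
"""Constructed model of side-effecting condition evaluation.

Names and the threat-detector rule below are assumptions for this
example, not part of the original text.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass
class SystemVariable:
    """An abstract data item (file, message, DB record): a name and a value."""
    name: str
    value: Any


class SoftwareComponent:
    """Owns system variables of one type and exposes abstract read/write.

    Registered listeners are told about every write, which is how one
    condition's side effect can feed back into the evaluation of another.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self._vars: Dict[str, SystemVariable] = {}
        self._listeners: List[Callable[[str, Any], None]] = []

    def declare(self, name: str, value: Any) -> None:
        self._vars[name] = SystemVariable(name, value)

    def read(self, name: str) -> Any:
        return self._vars[name].value

    def write(self, name: str, value: Any) -> None:
        self._vars[name].value = value
        for listener in self._listeners:
            listener(name, value)

    def on_write(self, listener: Callable[[str, Any], None]) -> None:
        self._listeners.append(listener)


class SystemState:
    """The set of software components; conditions read and write through it."""

    def __init__(self) -> None:
        self.components: Dict[str, SoftwareComponent] = {}

    def add(self, component: SoftwareComponent) -> SoftwareComponent:
        self.components[component.name] = component
        return component


Condition = Callable[[SystemState], bool]


def build_state() -> SystemState:
    """Fresh system (constructed): threat level low, empty outbox, and a
    detector that raises the threat level when it sees a shutdown message."""
    state = SystemState()
    mail = state.add(SoftwareComponent("mail"))
    mail.declare("outbox", [])
    monitor = state.add(SoftwareComponent("threat_monitor"))
    monitor.declare("system_threat_level", "low")

    def detector(var_name: str, value: Any) -> None:
        # Feedback loop: a notification about a host shutdown is treated
        # as a possible denial-of-service attempt (assumed rule).
        if var_name == "outbox" and any("shut down" in m for m in value):
            monitor.write("system_threat_level", "high")

    mail.on_write(detector)
    return state


def notification(state: SystemState) -> bool:
    """Side-effecting condition: sends a message through the mail
    component's write operation, then holds (True)."""
    mail = state.components["mail"]
    outbox = list(mail.read("outbox"))
    outbox.append("Tom shut down host")
    mail.write("outbox", outbox)
    return True


def system_threat_level_low(state: SystemState) -> bool:
    """Pure condition: reads the monitor's variable and compares it."""
    return state.components["threat_monitor"].read("system_threat_level") == "low"


def evaluate_policy(
    state: SystemState, conditions: List[Condition]
) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Evaluate every condition in the given order (no short-circuit) and
    return the decision together with a per-condition trace."""
    trace = [(c.__name__, c(state)) for c in conditions]
    return all(result for _, result in trace), trace


def compare_orders() -> Dict[str, bool]:
    """Same policy and same initial system, two evaluation orders."""
    granted_a, _ = evaluate_policy(build_state(), [system_threat_level_low, notification])
    granted_b, _ = evaluate_policy(build_state(), [notification, system_threat_level_low])
    return {"threat_then_notification": granted_a, "notification_then_threat": granted_b}


if __name__ == "__main__":
    for order, granted in compare_orders().items():
        print(f"{order}: {'grant' if granted else 'deny'}")
```

Because each order starts from a fresh state built by build_state(), the only difference between the two runs is the order in which the conditions are evaluated; the trace returned by evaluate_policy shows the notification's write raising the threat level before the second condition reads it.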


Tatyana Ryutov 2002-06-25