A Purpose-Oriented Access Control Model for Object-Based Systems

Distributed applications are modeled in an object-based model like CORBA [1]. Here, the system is a collection of objects. The objects are manipulated only through operations supported by themselves. The purpose-oriented model [2] is proposed where an access rule shows for what each subject s manipulates an object o by an operation t of o so as to keep the information flow legal. The purpose of s to access o by t is modeled to be what operation u of s invokes t to manipulate o. That is, the purpose-oriented access rule is specified in a form hs : u; o : ti. In the objectbased system, on receipt of a request op from an object o1, an object o2 computes op and then sends back the response of op to o1. Here, if the request and the response carry data, the data in o1 and o2 is exchanged among o1 and o2. Furthermore, the operations are nested in the object-based system. Even if each purpose-oriented rule between a pair of objects satisfies the information flow relation, some data in one object may illegally flow to another object through the nested invocation of operations. In this paper, we discuss what the information flow is legal in the nested invocations in the purpose-oriented model of the object-based system.