Example 1

Figure 3 shows an example of an access control specification using this model. Subject has values , , and . That is, represents one subject, , and is assigned to one subject type, . Since the only route from propagation of permissions is through , 's permissions are defined by . The value of and, since is an aggregate its permissions are . Since is an aggregate as well, its permissions can be further decomposed.

For expressing constraints in this model, we also use a set-based approach [11]. In general, constraints are expressed in terms of two sets and a comparator function, , where represents some comparator function. Such comparators are set operations, such as disjointness (i.e., null intersection), cardinality of intersection, subset relations, etc.