Information flow in a purpose-oriented access control model

In distributed applications, a group of multiple objects are cooperating to achieve some objectives. An object is modeled as a pair of data structures and operations. Each object is manipulated through an operation supported by the object and then the operation may further invoke operations of other objects, i.e., nested operations. The purpose-oriented access rules indicate which operation on each object can invoke operations of other objects. The information flow among the objects occur if the requests and responses of the operations carry some data. Only the purpose-oriented access rules which imply the legal information flow are allowed. We discuss how to test the access rules if the information flow occurring in the nested invocation of the operations is legal.