Transaction Control Expressions for Separation of Duties

We describe a model and notation for specifying and enforcing aspects of integrity policies, particularly separation of duties. The key idea is to associate a transaction control expression with each information object. This expression constrains the transactions which can be applied to that object to occur in the speci ed pattern. As operations are actually executed the transaction control expression gets converted to a history. This history serves to enforce separation of duties. We distinguish transient objects with a short lifetime from persistent objects which are long lived. Separation of duties is achieved by maintaining a complete history for transient objects but only a partial history for persistent objects. This is possible because of the system enforced rule that transactions are executed on persistent objects only as a side e ect of execution on transient objects.