Abstract
A transaction is assigned with a purpose which is a collection of roles. Suppose a transaction T1 writes an object o2 after reading an object o1 and then another transaction T2 reads the object o2 and writes an object o3. Here, data in the object o1 might flow into o3 via o2. Unless T2 is granted a read access right of the object o1, illegal information flow occur. In order to prevent the illegal information flow, T1 marks the object o2 with the purpose of T1. T2 cannot read o2 unless the purpose of T2 includes a read right of o1. In result, the throughput is degraded. Objects whose information may flow into an object o are source objects of o.