576 CHAPTER 23 Policies, Access Control, and Formal Methods

only two administration operations would be required. The notion of negative authorization was initially proposed as part of the Orion authorization model [7]. It has since been adopted by various systems and models, including Windows 2000 and XACML (see Section 23.2.5).

access a small subset of the protected objects and thus most entries in the matrix would be empty. Alternative approaches to the efficient implementation of the protection matrix are based on the use of a set of access control lists or capability lists. These structures have the feature that only relevant matrix entries are stored, with empty matrix entries being ignored. An access control list is associated with an object and consists of a number of entries defining the rights assigned to each subject for that object. In contrast, a capability list is associated with a subject. Conceptually, a capability list is a list of permissions; each such permission identifies an object and the rights that have been assigned to the subject for that object. In other words, each permission in a capability list for a subject specifies how that subject may interact with the object specified in the permission.

Approaches based on access control lists have

23.2.2. Mandatory Access Control Model

Unlike the access control models based on the notion of an access control matrix, in mandatory access control the access control decisions are based on specific relationships between the subject requesting access and the object to which access is requested. An important motivation for mandatory access control is to control the flow of information once the information has been accessed. Access control mechanisms based
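The access control list and capability list representations described in the protection-matrix passage above can be seen side by side in the following added example, which is not code from the book. The subjects, objects, rights and function names are all constructed for illustration; the sketch stores one sparse matrix both ways and checks that the two views give identical decisions.

```python
from collections import defaultdict

# Constructed sample: the non-empty cells of an access matrix,
# written as (subject, object, right) triples.
TRIPLES = [
    ("alice", "payroll.db", "read"), ("alice", "payroll.db", "write"),
    ("bob", "payroll.db", "read"), ("bob", "report.txt", "read"),
    ("carol", "report.txt", "write"),
]
SUBJECTS = ["alice", "bob", "carol", "dave"]         # dave holds no rights
OBJECTS = ["payroll.db", "report.txt", "audit.log"]  # audit.log has no entries

def build_view(triples, by_object):
    """Index the triples by object (ACLs) or by subject (capability lists)."""
    view = defaultdict(lambda: defaultdict(set))
    for subj, obj, right in triples:
        outer, inner = (obj, subj) if by_object else (subj, obj)
        view[outer][inner].add(right)
    return {k: dict(v) for k, v in view.items()}

ACLS = build_view(TRIPLES, by_object=True)    # object  -> {subject: rights}
CAPS = build_view(TRIPLES, by_object=False)   # subject -> {object: rights}

def check_acl(subj, obj, right):
    """Decision taken from the list attached to the object."""
    return right in ACLS.get(obj, {}).get(subj, set())

def check_cap(subj, obj, right):
    """Decision taken from the list attached to the subject."""
    return right in CAPS.get(subj, {}).get(obj, set())

def stored_cells(view):
    """Count the (subject, object) cells a view actually stores."""
    return sum(len(inner) for inner in view.values())

def views_agree(rights=("read", "write")):
    """Both structures must give the same answer for every matrix cell."""
    return all(check_acl(s, o, r) == check_cap(s, o, r)
               for s in SUBJECTS for o in OBJECTS for r in rights)

def subjects_for(obj):
    """Per-object review: a single ACL lookup."""
    return sorted(ACLS.get(obj, {}))

def objects_for(subj):
    """Per-subject review: a single capability-list lookup."""
    return sorted(CAPS.get(subj, {}))

if __name__ == "__main__":
    print("full matrix cells:", len(SUBJECTS) * len(OBJECTS))
    print("stored cells:", stored_cells(ACLS), stored_cells(CAPS))
    print("views agree:", views_agree())
    print("payroll.db ACL:", subjects_for("payroll.db"))
    print("bob's capabilities:", objects_for("bob"))
```

Only 4 of the 12 matrix cells are stored in either view, and neither `dave` nor `audit.log` occupies any storage because their row and column are empty.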