Domain Type Access Control (1/2)

Every process has a domain, every object has a type

Domain is changed at process execution either automatically through policy or through code in "login" type programs

Different domains have different access rights, no domain is necessarily a superset of other domains

The user can re-authenticate at any time to change domains, or the domain can be changed automatically by process execution according to policy