With reference to a protection system featuring active subjects that attempt to access passive, typed objects,we propose a set of mechanisms supporting the distribution,verification,review and revocation of access privileges. In our approach, a protection domain is a collection of access rights for the protected objects. An access control list is associated with each object to specify the access rights in each domain. Objects are grouped into clusters.To access the objects in a given cluster, a subject presents a gate referencing this cluster. The gate is a form of password capability that identifies one or more domains.The gate grants the access rights specified for these domains by the access control lists of the objects in the cluster. A subject that holds a gate and is aimed at distributing the access privileges in this gate in restricted form can reduce the gate to eliminate domains; the gate reduction procedure requires no intervention of the protection system. A small set of protection primitives allows subjects to manage objects and access control lists. Forms of revocation of access permissions are supported, at both levels of gates and access control lists
