# Clark-Wilson Integrity Model

## Addresses information integrity control

* Uses the notion of **transactional data transformations**.
* Separation of duty: the people who certify a transaction must not be the ones who implement it, i.e. certifiers $$\ne$$ implementers.

## Terminology

#### Data items

Constrained Data Item (**CDI**).

* Data whose integrity the model protects.
* Can only be manipulated by TPs.

Unconstrained Data Item (**UDI**).

* Data not covered by the integrity policy (e.g. raw input arriving from outside the system); it is trusted only after a TP converts it into a CDI.

#### Integrity policy procedures

* Integrity Verification Procedure (**IVP**).
  * Ensures that all CDIs conform to the integrity specification.
* Transformation Procedure (**TP**).
  * Well-formed transaction.
    * Take as input a CDI or a UDI and produce a CDI.
  * Must be certified to transform every possible UDI value into a “safe” CDI value (or to reject it).

## Certification and Enforcement

Integrity assurance rests on two mechanisms.

* **Certification**.
  * Performed relative to the integrity policy (an offline check, not done by the system).
* **Enforcement**.
  * Performed by the system itself at run time.

Two sets of rules.

* **Certification Rules (C).**
* **Enforcement Rules (E).**

### Rules

#### Basic rules

* C1: when an IVP is executed, it must ensure that all CDIs are valid.
* C2: for some associated set of CDIs, a TP must transform those CDIs from one valid state to another.
* E1: the system must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI.

#### Separation of duty (external consistency)

* E2: the system must associate a user with each TP and set of CDIs. The TP may access CDIs on behalf of the user if authorized.
* C3: allowed user-TP-CDI relations must meet “separation of duty” requirements.

#### Identification gathering

* E3: the system must authenticate every user attempting a TP (on each attempt).

#### Audit trail

* C4: all TPs must append to a log enough information to reconstruct operations.

#### UDI processing

* C5: a TP taking a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to CDI) or reject the UDI.

#### Certification constraints

* E4: only the certifier of a TP may change the associated list of entities.
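The following toy reference monitor is an added illustration (not from these notes or any Clark-Wilson reference implementation) that maps each rule above onto a check: account balances are the CDIs, `deposit`/`withdraw` are the TPs, raw strings from outside are the UDIs, and the user, account and TP names are constructed sample values.

```python
# Toy Clark-Wilson reference monitor (added example). Rule tags in the
# comments refer to the C/E rules listed on this page.

class IntegrityViolation(Exception):
    pass

class Monitor:
    def __init__(self):
        self.cdis = {}          # CDI name -> balance (the constrained data)
        self.relations = set()  # E1/E2: certified (user, tp, cdi) triples
        self.certifiers = {}    # E4: tp -> the certifier who owns its list
        self.sessions = set()   # E3: users authenticated for this attempt
        self.log = []           # C4: audit trail of every TP invocation

    def certify(self, certifier, tp, user, cdi):
        # E4: only the TP's certifier may edit its relation list.
        # C3: the certifier may not also hold execute rights on that TP.
        owner = self.certifiers.setdefault(tp, certifier)
        if owner != certifier or user == certifier:
            raise IntegrityViolation("E4/C3: certifier may not implement")
        self.relations.add((user, tp, cdi))

    def ivp(self):
        # C1: every CDI must satisfy the integrity spec (no negative balance).
        return all(v >= 0 for v in self.cdis.values())

    def run_tp(self, user, tp, cdi, udi):
        if user not in self.sessions:                    # E3
            raise IntegrityViolation("E3: user not authenticated")
        if (user, tp, cdi) not in self.relations:        # E1/E2
            raise IntegrityViolation("E1/E2: no certified relation")
        # C5: the UDI may hold any string; only a positive integer is
        # accepted, every other value is rejected and never reaches a CDI.
        if not udi.isdigit() or int(udi) == 0:
            self.log.append((user, tp, cdi, udi, "rejected: bad UDI"))
            return False
        before = self.cdis.get(cdi, 0)
        after = before + int(udi) if tp == "deposit" else before - int(udi)
        if after < 0:                                    # C2: valid -> valid
            self.log.append((user, tp, cdi, udi, "rejected: C2"))
            return False
        self.cdis[cdi] = after
        self.log.append((user, tp, cdi, udi, f"{before}->{after}"))  # C4
        assert self.ivp()  # the IVP must still hold after any TP
        return True

def violates(fn, *args):
    # Helper for callers: True if the monitor refused the operation.
    try:
        fn(*args)
        return False
    except IntegrityViolation:
        return True
```

A deposit of `"-5"` or a withdrawal that would overdraw the account is logged and refused, while an unauthenticated user or a certifier trying to grant itself execute rights is rejected before any CDI is touched.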
