Read Access Control and Circular Replication

Bx Examples Repository

Title: Read Access Control and Circular Replication

Version: 0.1

Type: Sketch


A very sketchy example that demonstrates several difficulties arising from read access control (due to intellectual property protection between organizations, or export control regulations between remote offices of a single multinational organization) and circular networks of BXs. Since the focus is on the read access limitations and the BX network topology, the internal structure of the models and the notions of consistency are deliberately simplistic.


We have five primary model spaces M, A, B, C, D. The overall system is described by a multimodel (tuple) <m,a,b,c,d>, all combinations of which are considered consistent in this simple example (syntactically consistent at least). In the following, we will call these attributes.

The system is developed in collaboration of four engineers (organizations, departments etc.) X, Y, Z, and W. Each of them is aware of the universally shared attribute M and 3 of the other attributes, but is not allowed to learn the fifth one.

  • X does not know A, and only has M, B, C, D as attributes of their model (i.e. the model space X is the Cartesian product of M, B, C, D)
  • Y does not know B, and only has M, A, C, D as attributes of their model
  • Z does not know C, and only has M, A, B, D as attributes of their model
  • W does not know D, and only has M, A, B, C as attributes of their model


The system is consistent if, for any attribute among M, A, B, C, D, all engineers that can access the attribute have the same value for it in their local model.

Each engineer is in contact with two other participants and is not aware of the fourth one. Those who are in contact may exchange their three mutually known attributes in a BX, but not allowed to share the other two attributes.

The contacts are arranged in a cycle:

  • X is in contact with Y over C, D and M
  • Y is in contact with Z over D, A and M
  • Z is in contact with W over A, B and M
  • W is in contact with X over B, C and M

The network thus consists of four BXs arranged in a cycle topology.

Consistency Restoration

The local notion of consistency between two neighbours is fairly simplistic: they shall agree on the three common attributes. A single step of binary consistency restoration would thus either

  • do nothing (if the three attributes already match), or
  • copy one attribute from one participant to the other, or
  • copy two attributes from one participant to the other, or
  • copy all three attributes from one participant to the other, or
  • copy one attribute in one direction, and another attribute in the opposite one (note: this is only possible with reflective update)
  • copy two attributes in one direction, and another attribute in the opposite one (note: this is only possible with reflective update)

The degrees of freedom are:

  • for an individual act of binary restoration, which of the above options shall be chosen, for which attributes and in which direction
  • in which sequence shall the individual BXs be executed


We expect that if one engineer modifies one or more attributes, the network will be able to fire BXs in some order (or in any arbitrary order?) to reach a state in finite number of steps where each of these updates have reached all concerned participants (but not the unconcerned one). The approach may be required to tolerate a different attribute being modified while the propagation is in progress. The approach even be required to tolerate one of the attributes under update being modified again (by the same or another node) in the meantime; in this case, the task is only well defined if the attribute contains some kind of reified update timestamp.


Obviously, the example generalizes to more participants, more convoluted BX network topologies, more attributes etc.


Some points of note:

  • We know that binary BX can be decomposed into a span of asymmetric lenses descending from a central "union of all knowledge of the two participants" model. However, due to access control, this is not admissible here; though we can still apply co-spans of lenses descending into a shared "intersection of knowledge of the two participants" model.
  • The BXs themselves must work correctly in unusual situations:
    • Updates started at one participant may propagate in different directions, yet meet later at another participant.
    • It is possible that two participants both have a recently updated model, and they must exchange information in two ways (regarding different attributes) rather than one simply updating the other.
  • Although the BXs look trivial, the non-interference property (see P. Stevens, Bidirectional Transformations in the Large, MODELS 2018) does not hold (it is a good exercise to figure out why). Still, one would expect that the whole network is resolvable, the resolution process is confluent and that (barring asynchronous updates) it terminates irrespective of the order of execution.
  • The solution would either be some orchestrated protocol of global coordination (questionable if not all actors are allowed to know about each other); or alternatively a bunch of local rules that individual BXs must adhere to and which satisfy the global goals in an emergent way. In the latter case, the timestamp / recency of the updated values must be considered (e.g. reified into the model).


Gábor Bergmann


We intend that examples remain provisional (version 0.x) until reviewed (and approved, if necessary after modification) by other members of the wiki. In the interest of traceability and credit, such reviewers are identified here.


This is where any member of the wiki can comment.

Artefacts [optional section]

Formal descriptions, perhaps downloadable code, example inputs and outputs, virtual machine instances, diagrams…

Unless otherwise stated, the content of this page is licensed under GNU Free Documentation License.