One of these is greatly enhanced by the rigorous use of the information hiding principle. All Timor objects (regardless whether they are separate files or small objects within programs or files) are protected by a capability mechanism. This means that only a caller with an appropriate capability (called a capability for major object such as files and programs, but called a reference for smaller objects within these) can invoke an interface method of an object. Even within a single program or file the code cannot simply access every small object. It needs a reference to do this.

A capability (or reference) not only contains a pointer which allows the object to be located, but also contains a set of "access rights" [16], see Figure 5. These specify which interface methods of the object can be invoked via the capability (see the section "Semantic Files" under "Information Hiding"). In other words it is not only sufficient for a program to possess a capability for an object; it must have a capability with the access right set for the interface method which it wishes to call.

A Capability

Only those processes/threads, for example, which have a capability with the "add interest" right set will be able to call the routine that adds interest to the bank account instance. Thus it is possible to allow the teller's program to have a capability which has rights for example to open and close accounts and make deposits for customers, but not the rights to add interest or to authorise an overdraft. These rights could for example be reserved for the programs in the accountant's department and/or for manager see Figure 6.

Access Rights expressed as Semantic Operations

Timor also has other ways of protecting information based on the right to call the interface methods (which can also be used for example to revoke a capability), but these depend on other features of the Timor language which are described in the Timor Language Description [17].