The orange book requires the ability to audit access authority. If x has been granted access to y it may be desired to know what times this authority is used. This is an application of revocation {(revoke)}.

Segment S holds different information at different times and access to S by Y is to be audited. An auditor, holding a key to S creates a node N and formats N as a segment node and places the key to S in N. A segment key to N is given to Y who may use it as a memory key to access S. The auditor retains a node key to N.

If the audit policy is to maintain a record of which hours of the day Y accesses S then the auditor proceeds as follows: The auditor places a keeper key in N to a keeper of its own design. The auditor then invalidates the N segment making any reference to S via N invoke the keeper. The keeper notes the time and makes access to S via N valid once more. The keeper also delays until the end of the next hour and then invalidates access once more.

This scheme may clearly be adapted to dynamically established periods of time depending on when the contents of S change. Indeed if access is revoked then the very next instruction may place data in S and access to this data by Y will be audited.

See (syn-rev) about issues with revocation of objects defined by start keys.