Annotations on Complex Patterns Electronic Communications of the EASST Volume 58 (2013) Proceedings of the 12th International Workshop on Graph Transformation and Visual Modeling Techniques (GTVMT 2013) Annotations on Complex Patterns Paolo Bottoni, Francesco Parisi Presicce 14 pages Guest Editors: Matthias Tichy, Leila Ribeiro Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Annotations on Complex Patterns Paolo Bottoni1, Francesco Parisi Presicce1 1 Dipartimento di Informatica, “Sapienza” Università di Roma, Italy Abstract: Modelers of systems often want to isolate specific parts of a model to be treated as a whole, for example to protect them from accidental changes, to constrain them to specific policies, or to identify them as instances of a general pattern. In par- ticular, we study here the case in which these parts are annotated with information from some external model. In a previous paper, we have discussed the use of annota- tions on individual model elements, represented as nodes in a graph; in this paper we model annotation processes involving also annotations themselves or whole config- urations. To address the latter problem, we enrich the notion of graph by introducing a third sort of elements, called boxes, encompassing subgraphs, and associate them with annotations, too. We show how annotations on boxes support the modeling of complex policies, adapting the previous constructions for notation-aware rewrit- ing to include boxes. The paper illustrates these concepts on the concrete modeling scenario of an organisation with security and temporal annotations. Keywords: Annotations, graph configuration, box. 1 Introduction In system modeling, the need often arises to identify specific configurations within a complex model, and refer to them as a whole. In many cases, such configurations may involve a number of model elements which is not known a priori and which may vary dynamically. Such is the case with pattern-based modeling, especially of software systems, where several software patterns, usually relying on polymorphism, may be realised by arbitrary numbers of instances, as for example in the Strategy, Observer or Decorator patterns. While instances of patterns can be identified on the basis of the typical relations among their elements, constructs are needed to manipulate them as distinct individual model elements, persisting beyond their usage. The basic model of graphs, composed of nodes and directed edges, does not support in a natural way the notion of configuration, in particular where the extent of the configuration is not definable a priori. Hypergraphs provide a way to deal with such a problem, by allowing multiple tentacles to touch all the elements involved in a configuration [DKH97]. Triple graphs have been used to manage instances of patterns, where a specific node in the correspondence graph is connected to all the nodes establishing the correspondence between a model element in the model graph and an element representing the element role in the pattern graph [BGL10]. Both solutions, however, do not scale up to the need for composing configurations into more complex ones, so as to form configuration hierarchies. Indeed, for the hypergraph-based solution this would require the ability to define edges between hyperedges, whereas for the pattern-based solution, this requires that the intended composition of patterns be defined before-hand, while 1 / 14 Volume 58 (2013) Annotations on Complex Patterns the need for composition could be restricted to a specific model. Such a mechanism has been defined in [BGL10], but is not immediately extendable to configurations defined on the fly. This problem is particularly relevant in model-to-model transformation, in situations where the interest is in annotating configurations as a whole, so as to constrain the use of particular transformations only to elements in some configuration. We argue that the limitations of the graph-based modeling derive from the use of a single type of diagrammatic relation, connected- ness, which is not a transitive one. On the contrary, the containment relation, being transitive, naturally supports the representation of hierarchies, with the important property that removing a level of containment maintains the relation between the levels adjacent to the one removed. In this line, we adopt an extension of the notion of graph by introducing boxes, which are elements including subgraphs and other boxes as well. Boxes are naturally organised in contain- ment structures, but can also be the source and target of edges. It is to be remarked, however, that boxes are not organised in a proper hierarchy, as box containment does not induce a partial order, since anti-symmetry is not required. This allows for configurations where boxes can be mutually contained into one another, without being identified. Boxes were originally proposed in an informal way in [PP00], where they were called loops. We give here a formalisation of them and set them in the framework of model annotation and transformation, by making them the target of annotation edges. In this way, we extend the definition of annotation in [BP12], and provide a formal characterisation of annotations of con- figurations, which, though hinted at there, was not completely developed. Paper organisation. In Section 2 we formally define the required extension of graphs to con- tain boxes allowing structured arrangements of nodes and edges, as well as reference to entire subgraphs, while Section 3 introduces the running example of an organisational model annotated with temporal and security information. Section 4 presents the metamodel for annotation pro- cesses and formalises the notion of domain, and Section 5 illustrates the impact on the rewriting process of the combination of annotations and boxes referring to the running example. The paper ends with Sections 6 and 7 discussing related work and some concluding remarks, respectively. 2 Preliminaries We adopt the framework of typed graphs, and we extend the usual notion of graph with elements of a new sort, called boxes, allowing a nested structuring of graphs. Definition 1 A (directed) graph with boxes is a tuple G = (V,E,B,s,t,cnt), where: (1) V and E are sets of nodes and edges as in usual graphs; (2) B is a set of boxes, such that B∩(V ∪E) = /0; (3) the source and target functions s and t extend their codomains to V ∪B; (4) cnt : B→℘(V ∪B) is a function associating a box with its content1 with the property that if x ∈ cnt(b1) and b1 ∈ cnt(b2), then x ∈ cnt(b2). In the rest of the paper we refer to graphs with boxes as B-graphs or just graphs unless it is necessary to distinguish them. 1 Here and elsewhere ℘ denotes the powerset. Proc. GTVMT 2013 2 / 14 ECEASST Definition 2 A morphism f : G1 → G2 between B-graphs Gi = (Vi,Ei,Bi,si,ti,cnti) is a triple ( fV : V1 → V2, fE : E1 → E2, fB : B1 → B2) that preserves source, target and content function, i.e., fV∪B ◦s1 = s2 ◦ fE , fV∪B ◦t1 = t2 ◦ fE , and if x ∈ cnt1(b), then fV∪B(x) ∈ cnt2( fB(b)) for all x ∈V ∪B and b ∈ B, where fV∪B is the (disjoint) union of fV and fB. In a type B-graph T G = (V T ,E T ,BT ,sT ,t T ,cnt T ), V T , E T and BT are sets of node, edge and box types, respectively, while the functions sT : E T → V T ∪ BT and t T : E T → V T ∪BT define source and target node- and box- types for each edge type, and the function cnt T : BT → ℘(V T ∪BT ) associates each type of box with the set of types of elements it can contain. A B-graph G is typed on a type B-graph T G if there is a graph morphism type : G → T G, with typeV : V → V T , typeB : B → BT and typeE : E → E T s.t. typeV (s(e)) = sT (typeE(e)) and typeV (t(e)) = t T (typeE(e)). Moreover, given b ∈ B,x ∈ V ∪B, we have: x ∈ cnt(b) =⇒ typeX (x)∈cnt T (typeB(b)), where X is V or B, depending on x∈V ∪B. A morphism f : G1 →G2 between TG-typed graphs preserves the type, i.e. type2 ◦ f = type1. Any type graph morphism f T : T G1 → T G2 induces two functors, Incl f T from the category of T G1 typed graphs to that of T G2 typed graphs, and Forget f T in the opposite direction, in the obvious way. The result in Theorem 1 is already stated in [PP00] without proof. Theorem 1 [Category of B-graphs] All the B-graphs, typed over the same type B-graph T G, and all the type-preserving B-morphisms form a category GraphLTG closed under pushouts and pullbacks. Proof sketch. It is sufficient to deal with the last component cnt of a B-graph, as the rest can be viewed as a graph where the set of nodes is distinguished into V and B. The composition f 3 = f 1 ◦ f 2 : G1 → G3 satisfies the additional property about cnt: if x ∈ cnt(b1) then f 1V∪B(x)∈ cnt2( f 1B(b)) since f 1 is a morphism, and therefore f 3V∪B(x) = ( f 1 V∪B ◦ f 2 V∪B)(x) ∈ cnt3( f 3 B(b) = ( f 1B ◦ f 2 B(b)) since f 2 is also a morphism and the content function cnt is ’transitive’ by definition. Given a span of morphisms G1 f 1 ← G0 f 2 → G2, we construct its pushout G1 g1 → G3 g2 ← G2 in the usual way for the first five components, with morphisms gi : Gi → G3 preserving the source si and target ti functions for i = 1,2. To define cnt3 for G3, let b ∈ B3. Then, by construction, either b = g1(b1) = g1( f 1(b0)) and b = g2(b2) = g2( f 2(b0)) for some bi ∈ Bi and b0 ∈ B0, or b = g1(b1) for some b1 ∈ B1 and b 6= g2(b2) for any b2 ∈ B2 (the third possibility reversing the roles of 1 and 2 is similar). In the first case, cnt3(b) = g1(cnt1(b1))∪g2(cnt2(b2)), while in the second case cnt3(b) = g1(cnt1(b1)). The ’transitivity’ property of cnt3 follows from that of cnt1 and cnt2, while the universal property follows from the universal property of the union in Sets. Given a cospan of morphisms G1 g1 → G3 g2 ← G2, we construct its pullback G1 f 1 ← G0 f 2 → G2 in the usual way for the first five components. For b0 ∈ B0, we have g1( f 1(b0)) = g2( f 2(b0)) by construction and define cnt0(b0) ={x ∈ G0 | f 1(x)∈ cnt1( f 1(b0))∧ f 2(x)∈ cnt2( f 2(b0))}. We adopt the DPO (Double PushOut) approach to graph transformation [EEPT06], extending it to allow rewriting on B-graphs. A DPO rule consists of three (B-)graphs, called left- and right- hand side (L and R), and interface graph K. Two injective morphisms l : K → L and r : K → R model the embedding of K (i.e. the sub B-graph preserved by the rule) in L and R. Figure 1 (left) shows a DPO direct derivation diagram. Square (1) is a pushout (i.e. G is the union of L and D 3 / 14 Volume 58 (2013) Annotations on Complex Patterns through their common elements in K), modeling the deletion of the elements of L not in K, while pushout (2) adds the new elements, present in R but not in K. Figure 1 also illustrates the notion of negative application condition (NAC), of the form n : L → N that a match m : L → G should satisfy. A rule is applicable if there is no morphism q : N → G such that q◦n = m. N q ,, 6= Lnoo m �� (1) K (2) loo r // k �� R m∗ �� Ci j oi j // = Pi ni ,, = yi joo Lxioo m �� (1) K (2) loo r // k �� R m∗ �� G Dfoo g // H G Dfoo g // H Figure 1: DPO Direct Derivation Diagram for rules with NACs (left) and ACs (right). We denote the application of the rule p on a match m : L → G by G ⇒mp H and write G ⇒p H if H can be derived from G by applying p with respect to some match m for L in G. As with the traditional DPO approach to graph transformation, the existence of a morphism m from L to G is not sufficient to guarantee the applicability of the rule. The match m : L → G must satisfy the Gluing Conditions, which extend naturally the original ones: the Dangling Conditions must be satisfied by all edges, including those with a box as source/target entity, and the Identification Condition must be satisfied not only by edges and vertices, but also by boxes. Theorem 2 (Gluing Conditions) Given a rule p = (L l← K r→ R) (a span of B-graphs and mor- phisms), and a morphism m : L → G, let IDmX ={x ∈ XL |∃y ∈ XL[x 6= y∧mX (x) = mX (y)]} with X = V,B,E, and DANGm = {x ∈ VL ∪BL | ∃e ∈ EG \mE(EK)[mV∪(B)(x) = sG(e)∨mV∪(B)(x) = tG(e)]}. Then the pushout complement D exists iff: (1) DANGm ⊆ l(K), (2) IDmX ⊆ lX (K). Just as the traditional Gluing Conditions can be extended to B-graphs, it is easy to verify, by choosing as distinguished class M the injective B-morphisms, that GraphLTG is an HLR1- category, thus enjoying all the usual properties related to the Church-Rosser and Parallelism The- orems [EHKP90]. It is still open whether the equivalent of the Amalgamation and Concurrency Theorems hold. The proof that the HLR1 properties hold can be reconstructed by starting with the fact that typed graphs form an HLR1-category, and then completing it by noticing that the added component, the function cnt, for the pushouts and pullbacks in GraphLTG is constructed using set union and set intersection and that the category Sets is HLR1 as well [EHKP90]. Given T G-typed rules pi : Li li← Ki ri→ Ri, i = 1,2, a rule morphism h : p1 → p2 is a triple hX : X1 →X2, with X = V,B,E, of T G-typed morphisms with hR◦r1 = r2◦hK and hL◦l1 = l2◦hK . An atomic constraint is a total morphism between typed attributed graphs c : P →C. A graph G satisfies c, noted G � c, if for each match morphism m : P → G there exists a morphism y : C → G s.t. y◦c = m. If c : P →C is an atomic constraint, then ¬c is also an atomic constraint, and G � ¬c iff G 2 c. We call negative atomic constraint2 an atomic constraint of the form nP = ¬iP : P → P, where iP is the identity morphism, and G � nP iff @mP : P → G. We call M(c) = {G | G � c} the set of models for c, and we work with consistent sets of constraints C , i.e. ⋂ ci∈C M(ci) 6= /0. We use different types of morphisms depending on the domain and the usage, both for constraints and rules. A constraint morphism k : ac1 → ac2 is defined in a way 2 In this paper, we deal only with positive atomic constraints. Proc. GTVMT 2013 4 / 14 ECEASST similar to a rule morphism, i.e. it is a pair kX : X1 → X2, X ∈{P,C}, of T G-typed morphisms s.t. hC ◦r1 = r2 ◦hP. Figure 1 (right) shows that an atomic constraint can be associated with a rule as an application condition AC, of the form {xi : L → Pi,{yi j : Pi →Ci j} j∈Ji}i∈I , for a match m : L → G of the LHS of a rule, where I and Ji are index sets for each i ∈ I. An AC is satisfied by m if, for each ni : Pi → G s.t. ni◦xi = m, there exists some oi j : Ci j → G s.t. oi j ◦yi j = ni. A NAC can also be seen as a particular case of AC where {yi j : Pi →Ci j} j∈Ji}= /0. A general application condition (GAC) is a composition of nested constraints, together with a formula on their matches, built with the operators ∃, ∀, ∧ and ∨. From this point on, a rule is a pair p = (r,ac) consisting of a span of morphisms r = L l← K r→ R = π1(p) and a general application condition ac = π2(p). 3 Running example: security annotations on teams We present the running model for this paper, discussing the use of boxes and annotations in the rewriting process with reference to an organisational domain in which members can access areas, and teams can be formed. Teams are represented as boxes which can include both members and areas. If a member m and an area a belong to the same team t, the access of m to a is considered to be within the scope of t as well. We consider the annotation of this domain with contextual in- formation from two domains. The first, a security domain, is defined for simplicity as a collection of security levels which can be compared via a reflexive and transitive relation, called dominates. The second domain provides temporal information, which is defined by periods expressed with reference to a calendar model of time [BBF01]; a period corresponds to some recurrence in the calendar at some granularity level (e.g. dayTime, nightTime, or weekDays). Again, a period p1 can dominate a period p2, if p1 completely encompasses p2. We consider annotation processes where security levels are associated with areas, members, or teams to establish constraints on access or on inclusion in a team, while calendar periods are associated with a model configuration, as represented by a box encompassing a graph, to give information on the current period. Calendar periods can also be used to annotate security annotations, denoting their periods of validity, thus realising a nested form of annotation. The setting for the annotation process is summarised by the type graph in Figure 2, presented as a UML class diagram, where stereotypes have been used to distinguish between types of box and types of nodes. Another set of stereotypes is used to identify the domain (organisational, security or temporal) from which the types originate, or to indicate that a node indicates the presence of an annotation. The cnt T function is such that cnt T (Conf) = {Member,Area,Team} and cnt T (Team) = {Member,Area}. The edges from the two annotation nodes indicate that nodes of the organisation domain are annotated with domain elements from the security and temporal domains. Moreover, nodes representing security annotations can be in turn annotated with information from the temporal domain, to indicate the periods in which the annotation is valid. Indeed, the type graph depicted in Figure 2 is the outcome of a complex annotation process, where the organisational domain is first annotated with security information, and then the resulting domain is annotated with temporal information. A number of constraints define the acceptable relations among annotations on the organisa- tional domain. For example, the constraint isAccessSecure in Figure 3 (left) states that if an area is accessed by a member and both area and member are annotated with some security level, 5 / 14 Volume 58 (2013) Annotations on Complex Patterns Figure 2: The type graph for the running example. then the security level of the member must dominate that of the area. Similarly, the constraint isTeamSecure in Figure 3 (right) requires that an area can be assigned to a team if the team has the necessary authorisations to use the resources in the area, i.e. has a higher security level. An analogous constraint is defined for inclusion of members in a team. C1 access isAccessSecure :Team P 3:SecAnn 1:Member 2:Area 4:SecAnn lev1:Level lev2:Level dominates C :Team 3:SecAnn 1:Member 2:Area 4:SecAnn lev1:Level lev2:Level access :Team C3 P 3:SecAnn 1:Member 2:Area 4:SecAnn lev1:Level lev2:Level dominates C isTeamSecure :Team 3:SecAnn 1:Member 2:Area 4:SecAnn lev1:Level lev2:Level Figure 3: Security constraints on access (left) and teams (right). We adopt a concrete representation derived from UML instance diagrams, where instances of the box sort are defined as rectangles surrounding their content, nodes from the organisation domain are usual instance rectangles, nodes representing annotations are rectangles with rounded corners, and nodes representing elements from the security and temporal domains are ovals. A box of type Team has a yellow background, and a box of type Conf has a pale green background3. When morphisms are involved, they are represented by the matching of numbers in the names of elements. Edges appearing in both graphs and associated with identified elements in the morphism are considered to be identified as well. We only show the types of edges from the various domains, the types of the annotation edges being easily inferrable. We also show some of the rules by which graphs in the organisational domain can be formed, leaving details on the annotation process for Section 5. Rule simpleAccessWithoutTeams in Figure 4 (left) grants members access to areas when both members and areas are outside the scope of any team, while rule teamAccess in Figure 4 (right) allows access within the scope of a single team. In this paper, since we deal only with non-deleting rules defined by injective morphisms, we only indicate the L and R components of the rules, the K component being equal 3 Lighter gray and darker gray in a greytone print, respectively. Proc. GTVMT 2013 6 / 14 ECEASST to L. Constants define concrete values for annotations. For the remaining rules, we assume that a NAC is always present excluding membership in some team, unless this is required, and that NACs prevent the application of rules where security information is required. 1:Member 2:Area L 1:Member 2:Area R access rule1 1:Member N1 :Team simpleAccessWithoutTeams 2:Area N2 :Team 1:Member 2:Area L access 3:Team 1:Member 2:Area R 3:Team rule2 teamAccess Figure 4: Rules for access for non-teamed elements (left) and within a team (right). Figure 5 presents a snapshot of an organisation as a graph G, together with some annotations, with three members and two areas. Two members and one area are within a team, and security levels are associated with the area and with the team as a whole. Another area is annotated with two security levels, each valid during a different period. The whole graph is annotated to indicate that this snapshot is taken at daytime. We do not explicitly present the edges representing the dominates relation between levels, which can be inferred from the names of the levels. dayTime:Period :TimeAnn G paul:Member a9:Area high:SecLevel :SecAnn frank:Member alex:Member :SecAnn :SecAnn :TimeAnn A19:Area :SecAnn low:SecLevel :SecAnn top:SecLevel nightTime:Period :TimeAnn fm:Team curr:Conf :SecAnn :SecAnn Figure 5: A snapshot of an organisation with security and temporal annotations. 4 Annotatable elements Figure 6 presents the metamodel at the basis of the proposed extension, refining the one pre- sented in [BP12]. Annotations represent dynamical relations established between annotatable 7 / 14 Volume 58 (2013) Annotations on Complex Patterns elements and domain entities; annotatable entities are either elements representing annotations (AnnotationTypeNode) or elements representing some domain notion (DomainConcept). We consider three types of domain concepts: entities, relations and configurations, recursively composed of concepts. Constraints on AnnotationTypeNode and the DomainConcept maintain the notions of domain and of annotation consistent with one another. In particular, a domain configuration is composed of domain concepts, all belonging to the same domain, while an annotation relates a domain concept with an entity from a different domain. Note that a do- main concept can be annotated only with domain entities, not with configurations. The notion of domain is induced from the notion of type graph, as per Definition 3. Figure 6: The extended metamodel for complex annotations. Definition 3 (Domain) Given a type graph T G and a set C of constraints on it, a domain is the set of graphs typed, by T G, that satisfy all of the constraints in C . This organisation allows the flexible annotation of subgraphs, besides individual nodes or edges, with domain elements. Moreover, the DomainConfiguration meta-type realises a special form of the Composite pattern, one which admits cycles. With reference to the type graph of Figure 2, we observe that <> types are instances of DomainEntity, while <> types are instances of DomainConfiguration and <> types are instances of AnnotationTypeNode. Edge types in the type graph conform in the obvious way with the edge meta-types in the metamodel. Given a graph G1 = (V1,E1,B1,s1,t1,cnt1) in a domain D1, an annotated version of G1 on the domain D2 is constructed as G′ = (V ′,E′,B′,s′,t′,cnt′), where V ′ = V1∪A∪V2, E′ = E1∪EA∪E2, with: A the set of nodes whose type is an instance of AnnotationTypeNode, V2 a set of nodes typed in T G2, EA edges relating annotation nodes with elements in V1∪B1 or V2, E2 edges typed on T G2 and relating nodes in V2, s′ and t′ suitable extensions of s1 and t1 to include EA ∪E2 and Proc. GTVMT 2013 8 / 14 ECEASST VA ∪V2 in their domains and codomains, respectively. Hence, we allow only the use of nodes, and not of edges or boxes as values for the annotations, while any type of element from the application domain graph can be annotated (we do not consider edge annotation in this paper). Moreover, B′=B1∪Ba, where Ba is a new set of nodes containing subgraphs of G1, and associated with some node in A, i.e. boxes which are not part of the original model, but which are created to support some annotation. We do not present examples of boxes in Ba in this paper. The previous definitions of t′ and cnt′ are therefore enriched accordingly. Since AnnotationTypeNode is a type of AnnotatableEntity annotations can be nested. In particular, an annotation node an1, connecting an element x of a domain D with some entity v1 of a domain D1, can be annotated, through an annotation node an2, with an element v2 of a third domain D2. We require that nested annotations do not form cycles on domains. Such an annotation is interpreted as constraining the validity of an1 in the context denoted by v2. 5 Rewriting with annotations We now discuss the impact of annotation processes on the original rules and constraints in the organisational domain by presenting a collection of rules derived from rules teamAccess and simpleAccessWithoutTeams (see Figure 4), as well as an extension of constraint isAccessSecure (see Figure 3). Since we have rules with K = L, we use the construction given in [BP12] for the SPO approach, that we summarise here. Hence, for a rule r : L → R and a constraint c : P →C, where R has a non-empty intersection Z with P, we build two graphs X and Y and morphisms x : L → X and y : X →Y . X contains the elements in L and in P, without con- sidering elements added by R to L, with potential duplicate elements identified through r and Z, while Y integrates the elements in C, again with all the necessary identifications. The morphisms x and y are derived by requesting all compositions to commute. As an example, composing con- straint isTeamSecure of Figure 3 (right) and rule simpleAccessWithoutTeams above produces rule securedAccess in Figure 7, where we have left the NACs understood. rule6 L 1:User 2:Area R access 1:User 2:Area X 3:SecAnn 1:User 2:Area 4:SecAnn lev1:Level lev2:Level dominates Y 3:SecAnn 1:User 2:Area 4:SecAnn lev1:Level lev2:Level securedAccess Figure 7: Composing simpleAccessWithoutTeams and isAccessSecure. In a similar way, constraint isTimeConsistent in Figure 8 states that an area annotated with some period information can be accessed only during that period (i.e. in a configuration annotated with that period). Its composition with rule simpleAccessWithoutTeams pro- duces rule timedAccessArea in Figure 9. 9 / 14 Volume 58 (2013) Annotations on Complex Patterns c4 3:TimeAnn 4:Period :TimeAnn P C 3:TimeAnn 4:Period 1:Member 2:Area access 1:Member 2:Area :Conf access isTimeConsistent Figure 8: A temporal constraint on access. 1:Member 2:Area L 1:Member 2:Area R access 4:TimeAnn 5:Period :TimeAnn 1:Member 2:Area X Y 4:TimeAnn 5:Period 1:Member 2:Area rule3 6:Conf 5:Conf timedAccessArea Figure 9: Composing simpleAccessWithoutTeams and isTimeConsistent. The combination of the two constraints above on one area gives rise to a conjunction of the corresponding application conditions, as exemplified by rule securedTeamTimedAccess in Figure 10, where ac1 and ac2 stand for the whole application conditions in Figures 9 and 7. rule5 ac2 ac1 1:Member 2:Area L 1:Member 2:Area R access securedTeamTimedAccess 1:Member 2:Area 3:Team dominates 4:Ann 5:SecLevel 6:SecAnn 7:SecLevel 10:TimeAnn 9:Period :TimeAnn 1:Member 2:Area 8:Conf Figure 10: Combining application conditions. We now discuss how the progressive nesting of applications causes the modification of the rules derived from constraints. Figure 11 shows constraint isTimeSecurityConsistent, which extends constraint isAccessSecure with a temporal annotation on the security anno- tation of an area, analogous to the one used to derive rule timedAccessArea. Then, we need to extend the application condition for rule securedTeamAccess. Let ac : X →Y be the morphism in the application condition derived from isAccessSecure (de- Proc. GTVMT 2013 10 / 14 ECEASST C2 3:SecAnn 1:Member 2:Area 4:SecAnn 7:Level 8:Level P access 5:TimeAnn 6:Period C 3:SecAnn 1:Member 2:Area 4:SecAnn 7:Level 8:Level access 5:TimeAnn 6:Period :TimeAnn :Conf isTimeSecurityConsistent dominates Figure 11: Extending security constraint isAccessSecure with a temporal annotation. fined by c1 : P1 → C1) and ac2 : Y1 → Y2 be the morphism in the application condition derived from isTimeSecurityConsistent. The intersection between P1 and Y1 is exactly X . Then we transform the original atomic application condition into a general application condition re- sulting from the conjunction of the original case and the extended case, as expressed by the formula ∀mX [∃mY ∧∀mY1[∃mY2]], where mZ , Z = X,Y,Y1,Y2, indicates the existence of a match for the graph Z which extends, according to the morphisms in the application condition, a match for L in the host graph G. The resulting rule, timedAccess, is shown in Figure 12. rule7 3:SecAnn L 1:Member 2:Area R access 1:Member 2:Area 1:Member 2:Area 4:SecAnn 5:Level 6:Level X 3:SecAnn 1:Member 2:Area 4:SecAnn 5:Level 6:Level dominates Y 3:SecAnn 1:Member 2:Area 4:SecAnn 5:Level 6:Level Y1 5:TimeAnn 7:Period Y2 3:SecAnn :Member :Area 4:SecAnn 5:Level 6:Level 5:TimeAnn 7:Period :TimeAnn ]]2[[ YY1YX  :Conf timedAccess Figure 12: Extending rule securedAccess after isTimeSecurityConsistent. For the host graph in Figure 5 rule timedAccess is applicable on a match formed by mem- ber Alex and area 19, while rule securedAccess is applicable twice, to both members Frank and Paul, for area 9. Thanks to the transitivity of cnt, also rule securedTeamTimedAccess can be applied in this case. As they belong to a team, they cannot access area 19 outside of it, 11 / 14 Volume 58 (2013) Annotations on Complex Patterns nor can Alex access area 9. Figures 13 and 14 show the resulting graphs. G=>H (applicando rule7) dayTime:Period :TimeAnn H paul:Member a9:Area high:SecLevel :SecAnn frank:Member alex:Member :SecAnn :SecAnn :TimeAnn A19:Area :SecAnn low:SecLevel :SecAnn top:SecLevel nightTime:Period :TimeAnn fm:Team curr:Conf access :SecAnn :SecAnn Figure 13: The graph H generated by applying the rule of Figure 12 to the graph G. G=>H (applicando rule4) dayTime:Period :TimeAnn H paul:Member a9:Area high:SecLevel :SecAnn frank:Member alex:Member :SecAnn :SecAnn :TimeAnn A19:Area :SecAnn low:SecLevel :SecAnn top:SecLevel nightTime:Period :TimeAnn fm:Team curr:Conf access access :SecAnn :SecAnn Figure 14: The graph H generated by applying twice the rule of Figure 7 to the graph G. 6 Related work We discuss here literature relative to modeling with boxes. For a discussion of work related to annotations, see [BP12]. In [PP00], the notion of box was introduced (called there loop), where a box encloses a subgraph or other graphs recursively, and an extension of the notion of graph rewriting was proposed to encompass rewriting of graphs with boxes. The proposal in this Proc. GTVMT 2013 12 / 14 ECEASST paper capitalises on this notion, allowing boxes to be annotated, thus constraining the possible transformations in graphs with annotations. The study of families of diagrammatic relations and of their adequacy to modeling domains exhibiting specific relations has been conducted in [BG04] and [FB05]. The motivation for boxes is analogous to that for introducing Hierarchical Graphs in [DHP02]. These identify some specific types of hyperedges as containing entire graphs, and of multi-level graphs [PP95], where some nodes may hide some part of a graph at some level of abstraction. In this case, the resulting structure is not a strictly hierarchical one. The notion of views, realised through distributed graphs [GMT99], allows the composition of partial specifications of a model, not necessarily in a nested way, but considering levels of abstraction separately. Boxes as proposed in this paper allow both the definition of hierarchies and the composition of different views, with elements which may belong to different hierarchies. 7 Concluding Remarks We have presented an approach to enriching models of application domains with constraints coming from contextual domains through the use of annotations relating values from the latter one to model elements of the former one. By extending the notion of graph to include boxes which can be source or target of edges (in particular, target of annotation edges), we extend the definition of annotation provided in [BP12], and provide here a formal characterisation of annotations of configurations, which was not com- pletely developed there but only hinted at. Boxes can be nested, allowing the construction of complex configurations. This extension allows modelers to express and reason about complex interplays among annotations exploiting elements from different domains. It is important to no- tice that boxes are a first-class modeling construct, independent of their content. Hence, two boxes can have the same exact content, without being identified or without being contained into one another. Conversely, two boxes can be mutually contained into one another, again sharing the same content, but maintaining possible independent evolutions. Finally, boxes can be used as place-holders for collections of elements yet to be defined. For example, teams can be formed and annotated before assigning members to them. Among several aspects still to be investigated in details is the question of maintaining con- sistency with respect to annotations. In particular, if an annotated element is removed, than the corresponding annotations should be removed as well. This could be accomplished through units, with a preliminary removal of the annotation followed by a simple DPO rule. Also under investigation is the possibility of defining boxes within the SPO approach. In this case, repair actions could be used after removing an annotated node (and the annotation edge which had that node as a target) to remove the annotating node. Bibliography [BBF01] E. Bertino, P. A. Bonatti, E. Ferrari. TRBAC: A temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4(3):191–233, 2001. 13 / 14 Volume 58 (2013) Annotations on Complex Patterns [BG04] P. Bottoni, A. Grau. A Suite of Metamodels as a Basis for a Classification of Visual Languages. In Proc. VL/HCC’04. Pp. 83–90. IEEE CS, 2004. [BGL10] P. Bottoni, E. Guerra, J. de Lara. A language-independent and formal approach to pattern-based modelling with support for composition and analysis. Information & Software Technology 52(8):821–844, 2010. [BP12] P. Bottoni, F. Parisi-Presicce. Modeling context with graph annotations. ECEASST 47, 2012. [DHP02] F. Drewes, B. Hoffmann, D. Plump. Hierarchical Graph Transformation. J. Comput. Syst. Sci. 64(2):249–283, 2002. [DKH97] F. Drewes, H.-J. Kreowski, A. Habel. Hyperedge Replacement, Graph Grammars. Pp. 95–162. World Scientific, 1997. [EEPT06] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer. Fundamental Theory for Typed At- tributed Graphs and Graph Transformation based on Adhesive HLR Categories. Fun- dam. Inform. 74(1):31–61, 2006. [EHKP90] H. Ehrig, A. Habel, H.-J. Kreowski, F. Parisi-Presicce. From Graph Grammars to High Level Replacement Systems. In Graph-Grammars and Their Application to Computer Science. Pp. 269–291. 1990. [FB05] F. Fondement, T. Baar. Making Metamodels Aware of Concrete Syntax. In Proc. ECMDA-FA. LNCS 3748, pp. 190–204. Springer, 2005. [GMT99] M. Goedicke, T. Meyer, G. Taentzer. ViewPoint-Oriented Software Development by Distributed Graph Transformation: Towards a Basis for Living with Inconsistencies. In Proc. RE’99. Pp. 92–99. IEEE CS, 1999. [PP00] F. Parisi-Presicce. Which Graphs for Visual Modeling? In ICALP Satellite Work- shops. Pp. 383–386. 2000. [PP95] F. Parisi-Presicce, G. Piersanti. Multilevel Graph Grammars. In Proc. WG’94. Lec- ture Notes in Computer Science 903, pp. 51–64. Springer, 1995. Proc. GTVMT 2013 14 / 14 Introduction Preliminaries Running example: security annotations on teams Annotatable elements Rewriting with annotations Related work Concluding Remarks