Distributing and revoking access authorizations on abstract objects: a capability approach