The system should not allow users to specify direct references to system resources, such as filenames, database object id's, account numbers, etc. Rather, the system should use an object and function referencing scheme that is limited to the exact list of resources that the user is allowed to access.