A set of architectural extensions to a machine of the type of IBM System/370 is proposed. The proposal involves hardware/software interaction to constrain the execution-time behavior of application and higher authority programs. The extensions consist of new states of privilege, enforcement of disciplined transition between states, hardware distinction of information types, and a mechanism to control data transfers between main and external storage. Application of the extensions to a shared database system, where users interact through a high-level language, shows that protection of the operating system and the database can be enhanced significantly with respect to errors or deliberate attacks from users