Computing Publications

Publications Home » A simple and expressive semantic ...

A simple and expressive semantic framework for policy composition in access control

Glenn Bruns, Daniel S. Dantas, Michael Huth

Conference or Workshop Paper
FMSE 2007
November, 2007
Formal Methods in Security Engineering: From Specifications to Code
ACM Press

In defining large, complex access control policies, one would like to compose sub-policies, perhaps authored by different organizations, into a single global policy. Existing policy composition approaches tend to be ad-hoc, and do not explain whether too many or too few policy combinators have been defined. We define an access control policy as a *four-valued* predicate that maps accesses to either *grant*, *deny*, *conflict*, or *unspecified*. These correspond to the four elements of the Belnap bilattice. Functions on this bilattice are then extended to policies to serve as policy combinators. We argue that this approach provides a simple and natural semantic framework for policy composition, with a minimal but functionally complete set of policy combinators. We define derived, higher-level operators that are convenient for the specification of access control policies, and enable the decoupling of conflict resolution from policy composition. Finally, we propose a basic query language and show that it can reduce important analyses (e.g. conflict analysis) to checks of policy refinement.

PDF of full publication (400 kilobytes)
(need help viewing PDF files?)
BibTEX file for the publication
Copyright notice

The PDF is a preliminary version of the final version of the paper.

Conditions for downloading publications from this site. built & maintained by Ashok Argent-Katwala.