Access evaluation is a significant issue in any intelligent information system. In this paper, we develop a logic-programming-based approach for decentralized authorization delegations in which users can be delegated, granted or forbidden some access rights. A set of domain-independent rules is given to capture the features of delegation correctness, conflict resolution and authorization propagation along the hierarchies of subjects, objects and access rights. The basic idea is to combine these general rules with a set of domain-specific rules defined by the user to derive the authorizations holding in the system.