Policy Specification Language Design

摘要

The purpose of this investigation was to aid developers of groupware applications, such as applications using Lotus Notes, in choosing appropriate security controls. Products such as Lotus Notes have security controls (e.g., access control lists, encrypted sections, and digital signatures) for building applications that meet complex security policies. It may be difficult for the application developer to select the right combination of controls to meet the desired security policy. This report describes a security policy language that can express general policy constraints on users and data, as well as constraints that directly map to Lotus Notes security controls. It can capture both the type of protection desired as well as some aspects of the assurance level.