In defining large, complex access control policies, one would like to compose sub-policies, perhaps authored by different organizations, into a single global policy. Existing policy composition approaches tend to be ad-hoc, and do not explain whether too many or too few policy combinators have been defined. We define an access controlpolicy as a four-valued predicate that maps accesses to either grant, deny, conflict, or unspecified. These correspond to the four elements of the Belnap bilattice. Functions on this bilattice are then extended to policies to serve as policy combinators. We argue that this approach provides a simple andnatural semantic framework for policy composition, with a minimal but functionally complete set of policy combinators. We define derived, higher-level operators that are convenient for the specification of access control policies, and enable the decoupling of conflict resolution from policy composition. Finally, we propose a basic query language and show that it can reduce important analyses (e.g., conflict analysis) to checks of policy refinement. Copyright 2007 ACM.
展开▼
