Conflict Detection and Resolution in Access Control Policy Specifications

Manuel Koch, Luigi V. Mancini, Francesco Parisi-Presicce

To appear at Foundations of Software Science and Computation Structures (FOSSACS02), Grenoble, France, 6-14 April, 2002


Graph-based specification formalisms for Access Control (AC) policies combine the advantages of an intuitive visual framework and of a rigorous semantical foundation. A security policy framework specifies a set of (constructive) rules to build the system states and sets of positive and negative (declarative) constraints to specify wanted and unwanted substates. Models for AC (e.g. role-based, lattice-based or discretionary) have been specified in this framework elsewhere and the problem of evolution and integration of policies has been tackled. Here we address the problem of inconsistent policies within this framework. Using formal properties of graph transformations, we can systematically detect inconsistencies between two (declarative) constraints, between two (operational) rules and between a rule and a constraint and lay the foundation for their resolutions.

Server START Conference Manager
Update Time 14 Dec 2001 at 14:02:38
Start Conference Manager
Conference Systems