Logic-Based Access Control Policy Specification and Management

Recently there has been a great amount of attention to access control languages that can cover large, open, distributed and heterogeneous environments like the Web. These languages aim to be flexible and extensible, with enough features to capture expressive and distributed security policies. However, with expressive languages such as XACML or WS-Policy, users have problems understanding the overall effects and consequences of their security policies. Even the task of checking that the policy will not result in leakage of permissions to an unintended or unauthorized principal is tedious and error-prone when done manually. As a result, there has been a great amount of research on logic-based policy management that provides analysis services to help find inconsistencies/differences between access control policies. This paper provides an overview of the existing approaches for security (access control) policy analysis. The survey covers both language proposals that have formal semantics and provide algorithms for policy analysis out of the box, and formalizations of already existing policy languages (WS-Policy, XACML, XrML, ODRL) that provide a formal semantics and analysis services previously unavailable for the particular language.