A Logic for State Transformations in Authorization Policies

Yun Bai and Vijay VaradharajanDistributed System and Network Security Research UnitDept. of Computing, University of W. Sydney, Australia�

ybai,vijay � @st.nepean.uws.edu.au

Abstract

In a multi-user, information-sharing system, authoriza-tion policy provides the ability to limit and control accessto system, applications and information. In the real world,an authorization policy has temporal properties. That is, itneeds to be updated to capture the changing requirementsof applications, systems and users. These updates are im-plemented via transformation of authorization policies. Inthis paper, we propose a logic based approach to specifyand to reason about state transformations in authorizationpolicies. The authorization policy is specified using a pol-icy base which comprises a finite set of facts and accessconstraints. We define the structure of the policy transfor-mation and employ a model-based semantics to perform thetransformation under the principle of minimal change. Fur-thermore, we extend model-based semantics by introduc-ing preference ordering to resolve possible conflicts duringtransformation of policies. We also discuss the implementa-tion of the model based transformation approach and out-line the relevant algorithms.

1. Introduction

In a multi-user, information-sharing system, authoriza-tion policy provides the ability to limit and control access tosystem, applications and information, and to limit what en-tities can do with the information and the resources. In thereal world, authorization policy has a temporal property, itneeds to capture the changing requirements of applications,systems and users. This implies that situations can arisewhere some subjects (users or processes) can gain some ac-cess rights for some objects and at the same time can losesome access rights for the same or different objects. Rep-resentation, evaluation and analysis of such changes forman important part of the design of authorization policies.These changes are implemented via state transformation ofauthorization policies. In general such transformations canbe nonmonotonic in that some users or subjects may lose

certain rights. In this paper, we will discuss the design ofauthorization policies, their transformation, the mechanismfor reasoning about nonmonotonic properties and their im-plementation.

In our system, authorization policy is specified by a pol-icy base which is a finite set of facts and access constraints.The facts represent explicitly the access rights the subjectshold for the object. They are a Herbrand interpretation [11]of the language of our system. The access constraints, onthe other hand, are rules which the authorization policyshould satisfy. They are a set of closed first order formu-las of the language.

We first define the structure of the policy transforma-tion. The structure describes the preconditions that needto be satisfied before the transformation can be executedand the postconditions that become valid after the transfor-mation. We employ a model-based semantics [11] in thecomputation of the transformation; with the model basedapproach, the transformation of a policy base is based onthe Herbrand interpretation present in the policy base. Theprinciple of minimal change [11] is used to guarantee thatthe change of the policy base after the transformation is asminimal as possible. We also introduce preference orderingin the model-based semantics to resolve possible conflicts.We discuss the implementation aspects of our system andanalyze the complexity of the algorithms introduced.

Let us first briefly mention relevant related work in thisarea. The work by Woo and Lam [12] used a logic ap-proach to represent and evaluate authorization policies; ourwork concentrates on the issue of representing and perform-ing nonmonotonic transformation of authorization policies.The work by Sandhu and Suri addressed the issue of trans-formation of access rights [9, 10]. Their work was basedon the access matrix, in which no constraint is presentedexplicitly. They used a procedure-based approach to repre-sent the transformation. Our work uses a logic based ap-proach and develops a model based semantics to formalizethe transformation. This, as will be shown in this paper, ismore powerful and feasible for implementation.

To the best of our knowledge, the work presented in this

paper is the first one which uses a model-based semantics toformalize logic based transformation of authorization. Webelieve that our system provides a unified framework whichcan be used to model other methods. In fact, in the full ver-sion of this manuscript [1], we have shown that the schemeby Sandhu et al can be subsumed by our system.

The paper is organized as follows. Section 2 introducesthe formal definition of the policy base and its use in thespecification of authorization policies. Section 3 definesthe transformation description, discusses the computationof the transformation and its nonmonotonic property. Sec-tion 4 extends the model-based semantics by introducing apreference ordering mechanism to resolve conflicts in trans-formations. Section 5 discusses the implementation issues.Finally, section 6 concludes the paper with some remarks.

2 A Formal Representation of Policy Base

In this section, we introduce a formal model for repre-senting policy base based on a first order language. We giveboth syntactic and semantic descriptions of our policy basemodel.

2.1 The Language

Let�

be a sorted first order language with equality, withfour disjoint sorts for subject, group-subject, access-right,and object respectively. Assume

�has the following vo-

cabulary:

1. Sort subject: with subject constants ��������������� ��� , andsubject variables ���������� �� ����� .

2. Sort group-subject: with group subject constants� � � ��� � ��� ��� � , and group subject variables ������������� .3. Sort access-right: with access right constants� � � � � � ��� ��� � , and access right variables ������� ����������� � .4. Sort object: with object constants ����������� ����� ��� , and

object variables !���!�� ��!���� ����� .5. A ternary predicate symbol � - "#!�$&%�� which takes argu-

ments as subject, access-right and object respectively.

6. A ternary predicate symbol � - "#!�$&%�� which takes ar-guments as group-subject, access-right and object re-spectively.

7. A binary predicate symbol ' which takes arguments assubject and group-subject.

8. A binary predicate symbol ( whose both argumentsare group-subjects.

9. Logical connectives and punctuations: as usual, in-cluding equality.

For instance, a fact that a subject � has access right)for object � is represented using a ground atom � -

"#!�$*%��+&��� ) ���-, . The group membership is represented asfollows: for example, “a subject � is a member of

�” is

represented using the formula �.' � . We can also rep-resent inclusion relationships between subject groups suchas� �/( � � . Furthermore, we can represent constraints

among subjects’ authorizations. For example, the rule stat-ing that for any subject and object, if the subject is the ownerof this object, then the subject should have read and writerights for that object. This constraint can be represented asfollows:

0 ��!�12� - "#!�$&%��+&����-354���!�,76� - "�!�$&%��8+*�8� ) 9 ��%���!�,:;� - "�!�$&%��+&���<>=�?A@ 9 ��!�, .

On the other hand, suppose we have a constraint stating thatfor any subject � and group subject � , if � is a member of� , then � should have all the access rights that � has. Thisis the so-called inheritance property of authorizations. Thisconstraint can be captured using the following formula:

0 �B�C��!�12� ';�D:E� - "#!�$*%��+F�������!�,G6� - "�!�$&%��8+*�8������!�,H1

The following example shows how the traditional accessmatrix can be represented by a set of ground atoms.

Example 1 Consider the access matrix in Figure 1, where

S1

S2

O1 O2 O3

R, W E, W

E, W R

Figure 1. An access matrix.

) ��<I��J represent the rights of) 9 ��%���<>=�?A@ 9 and JLK 9 M�N @ 9

respectively. This access matrix can be represented in ourformalism as the following set of atoms.

O � - "�!�$&%��+&� � � ) 9 ��%���� � ,��� - "�!�$&%��8+*� � ��<>=�?A@ 9 ��� � ,��� - "�!�$&%��8+*� � ��<>=�?A@ 9 ��� � ,��� - "�!�$&%��8+*� � ��J-K 9�M�N @ 9 ��� � ,H�� - "�!�$&%��8+*�����<>=�?A@ 9 ��� ��,��� - "�!�$&%��8+*�����J-K 9�M�N @ 9 ��� ��,H�� - "�!�$&%��8+*���� ) 9 ��%#���QP�,�R�1

2.2 The Policy Base

Let us now consider a formal definition of the policy baseusing the language

�. First we need to introduce some ad-

ditional concepts that are relevant to this discussion.Given the language

�and a problem domain, we assume

that the objects of the domain are fixed, and each constant oflanguage

�is mapped onto a specific object of the domain

(different constants correspond to different objects). As weonly consider finite domains,

�will only contain a finite

number of constants. Following the above assumption, inthis paper we will not explicitly consider the creation anddeletion of objects in the domain. We will show later howthis issue is handled implicitly by inserting and deleting ac-cess right transformations.

The Herbrand base [4] of�

is the set of all possi-ble ground atoms of

�. A Herbrand interpretation of

�is a subset of the Herbrand base of

�. Given a closed

first order formula�

of�

and a Herbrand interpretation�of�

, we say that�

is satisfied in�

, denoted as� � ���, if

�is true under the truth-value assignment

defined by�

. In this situation, we also say that�

isa Herbrand model of

�. For example, let

� � O � '� ��� - "#!�$*%��+ � ��<>=�?A@ 9 ���L,H��� - "�!�$&%��8+*����<>=�?A@ 9 ���L,BR and�

be0 ��� ��!�12�-';�D: � - "�!�$&%��8+A��������!�,76 � - "�!�$&%��8+*�8������!�, , then

we have������

. If � is a set of closed first order formulasof�

, we say that � is satisfied in a Herbrand interpreta-tion

�of�

, denoted as� � � � , if each formula in � is

satisfied in�

.The formal definition of our policy base is now given as

follows:

Definition 1 A policy base � is a pair +��L� � , where �is a finite set of closed first order formulas of

�and

�is

a Herbrand model of C.�

is also called a state of policybase � .

Intuitively, in a policy base � � +��L� � , , � representsthe policy constraints about the domain of the system and�

represents the agent’s knowledge of access rights. Forany ground atom

�in�

, we also use notation � � ���.

Note that�

only contains positive facts (ground atoms).Any fact not in

�will be treated as negation of the

fact. Therefore, if we have a policy base � �+ O R�� O � - "�!�$&%��+&��� )D9 ��%����L,BR , , and the domain further con-tains other objects �� and �� , then � actually also im-plies � � - "#!�$*%��+&�� � )D9 ��%����� , , � � - "#!�$&%��+&��� ) 9 ��%����� , , and� � - "#!�$*%��+&�� � ) 9 ��%����L, . Therefore, we will use notationsuch as � � � � � - "�!�$&%��8+*�� � ) 9 ��%����� , .Example 2 Consider the following information and rulesof access requirements from a mental health hospital [13].

1. Al is a patient.

2. Ed is a primary physician and he may read patients’records.

3. Jane is a primary physician.

4. Patients may not read their records.

5. The consulting physician may neither modify nor copypatients’ records.

6. The primary physician may modify or copy patients’records.

Let �7����7���� be group constants that represent grouppatient, group consulting-physician and group primary-physician respectively. � - = 9�M !�=�%�� represents the patients’records object. The above information and rules can be rep-resented as follows:

� $�'�� (1)

JL% '���7��� - "�!�$&%��8+*JL%�� ) 9 ��%#��� -= 9�M !�=�%�� , (2)

� ��4 9 '��� (3)

0 �1 � '�� 6�� � - "#!�$*%��+&�� )D9 ��%���� - = 9 M !�=�%���,�1 (4)

0 �12� '��� 6�� � - "�!�$&%��8+*�8��������� "!���� - = 9 M !�=�%���, :� � - "�!�$&%��+&����L!�#%$ ��� - = 9 M !�=�%���,�1

(5)

0 �1 � '&�'� 6 � - "�!�$&%��+&������(�)� "!���� - = 9�M !�=�%�� ,�*� - "#!�$*%��+&����L!�#+$���� - = 9�M !�=�%�� ,H1

(6)

In our system, this can be specified as � �+ O +-,�,H� +�.8,H� +�/8,�R�� O +10�, , +�2,���+�38,BR , , where

O +-,�,���+�.,���+�/8,BR isthe set of constraints and

O +10 , , +�28,���+�3,�R is the set of facts.

Here are some important features of our policy base de-fined above.

1. Access constraints of the domain are explicitly repre-sented in a policy base. Intuitively, these constraintscharacterize the basic access control properties thatshould be satisfied by any specific access rights in-stance of the system at any time. Hence, for a givensystem, at different points in time, the policy bases dif-fer only due to a difference in the set of facts. For ex-ample, if �' � � +�� � � � � , and � � � +�� � � � � , arethe policy bases of a system at time @ � and @ � respec-tively, then the condition � � � � � should hold.

2. In this paper, denials of access rights are representedimplicitly by their absence in the policy base. Sincethe agent usually only records the positive access rightsfacts in the system, anything s/he does not record is as-sumed to be denied by default. This is the so calledclosed world assumption. This helps us to give a com-plete semantics about the agent’s knowledge of accessrights in the system � . In fact, most real systems em-ploy default properties in one way or another, e.g. re-strictive or permissive access policies.

3 Policy Base Transformations

3.1 Definition of Transformation

Transformations change the state of the policy base.For a policy base �' � +��L� � , , we view

�as a set

of changeable facts while � as a set of 4!�4 -M "#��4�� 9 � � $ 9

formulas. Therefore during transformation, � always re-mains unchanged. We consider two basic types of trans-formations that can be performed on the policy base: ad-dition of a new access right to the current policy baseand deletion of a current access right from the policybase. Another type of transformation updating or mod-ification can be represented by these two basic types oftransformations. For instance, the effect of updating � -"#!�$&%��+&� ��� ) 9 ��%#���L, to � - "�!�$&%��8+*���� )D9 ��%����L, can be seento be equivalent to deleting � - "#!�$*%��+&���8� ) 9 ��%����L, and thenadding � - "�!�$&%��+&� ��� ) 9 ��%����L, in the policy base.

Definition 2 A transformation description @�=���4� �L= 9 +A@�=���4, � �L!��B@ +F@�=���4,�� , where�L= 9 +F@�=���4, � O " � ����� ����"��-R ,�L!��B@ +F@�=���4, � O $ � ��� ����� $���R , and

"���� $ ( 0�� ? ��� , 0������ 4 ) are ground literals of�

.

Intuitively, �-= 9 +A@�=���4, represents the precondition of@�=���4 in which every ground literal must be satisfied inthe current policy base before @�=���4 is performed, while�L!���@ +A@�=���4, represents the postcondition of @�=���4 in whichevery ground literal must be satisfied in the new policy baseafter @�=���4 is performed. For instance, let � � +��L� � ,be a policy base and @�=���4 � � O � - "�!�$&%��+&��� )D9 ��%����L,BR � O � � -"#!�$&%��+&��� ) 9 ��%����-,�R�� be a transformation description. Theintuitive meaning of performing @�=���4 on � is that if� � � � - "#!�$*%��+&��� ) 9 ��%����L, then after performing @�=���4 ,in the resulting policy base � , the condition �� � � � � -"#!�$&%��+&��� ) 9 ��%����-, should hold. If �L= 9 +A@�=���4, is an emptyset, then this means that there is no precondition for @�=���4�There are some limitations of the closed world assumption in reason-

ing about disjunctive information. This aspect is beyond the scope of thispaper.

to execute (i.e. @�=���4 can always be executed). A transfor-mation @�=���4 is executable on a policy base �' if for everyground literal " in �L= 9 +A@�=���4, , � � � " � . We also denote� � � �L= 9 +F@�=���4, (or � � � �L!��B@ +F@�=���4, ) if �' � � " foreach " in �L= 9 +F@�=���4, (or �' � � $ for each $ in �L!��B@ +F@�=���4, ).

Now we are ready to describe the transformation proce-dure formally. Let � � +��L� � , . The performance ofa transformation @�=���4 on the policy base � is achievedbased on the result of the transformation @�=���4 on the state�

of � under the principle of minimal change. Infor-mally, the minimal change principle states that during astate transformation, the difference between the initial stateand the resulting state should be as minimal as possible un-der the restriction of policy constraints.

Let� � and

� � be two Herbrand interpretations of lan-guage

�. Diff + � ��� � ��, denotes the set of ground atoms

such that any ground atom in Diff + � � � � ��, only occurs inone of

� � and� � .

For instance,let

� � � O � - "�!�$&%��8+*��� ) 9 ��%#���L,H��� - "�!�$&%��8+*��� ) 9 ��%����� F,�Rand

� � � O � - "#!�$*%��+&��� ) 9 ��%����L,�R . Then Diff + � � � � � , �O � - "�!�$&%��8+*��� ) 9 ��%#���� F,�R .

Definition 3 Let � � +��L� � , be a policy base, @�=���4 atransformation description that is executable on � (i.e.� � � �-= 9 +A@�=���4, ). A Herbrand interpretation

� of�

iscalled a possible resulting state after performing transfor-mation @�=���4 on

�if and only if

� satisfies the followingconditions:

1.� � � � and

� � � $ for every ground literal $ in�L!��B@ +F@�=���4, .

2. There does not exist other Herbrand interpretation� of�

such that� satisfies Condition 1 and

Diff + � � � ,�� Diff + � � � , .A possible resulting policy base �' after performingtransformation @�=���4 on � is then defined as �' �+��-� � , .

Let us examine the above definition more closely. Inorder to perform the transformation on a policy base �' ,we need to compute the transformation on the state of � .Condition 1 states that the resulting state

� should satisfythe constraint(s) and the postcondition of @�=���4 , while con-dition 2 forces the change from

�to� to be as minimal

as possible. Note that according to the above definition, theresulting policy base after performing a transformation maynot be unique. Let us now consider a few examples.

�Recall that � ��� ��� if �� �! and �"����$#%� if �'& (! .

3.2 Examples

We now give some examples to illustrate how transfor-mations are performed using the model-based approach de-scribed above.

Example 3 Consider a policy base � � +��L� � , , where� � O � � ' � ��� - "�!�$&%��8+*� � �H<>=�?F@ 9 ���-,��

� - "#!�$*%��+&� � � ) 9 ��%����L,��� - "#!�$&%��+ � � ) 9 ��%����L,�R�� and

� � O 0 �812� ' � :E� - "�!�$&%��+ � � ) 9 ��%����-, 6� - "#!�$*%��+&�� )D9 ��%����L,BR .

where the constraint � says that if group�

has the Readright for object � , then every member of

�also has Read

right for � . Now consider a transformation “if ��� is a mem-ber of group

�, then delete ��� ’s Read right for object �

from � ”. In our system, this transformation can be for-mally described as follows:

@�=���4 � � �-= 9 +A@�=���4, � �-!���@ +A@�=���4, � , where�L= 9 +F@�=���4, � O � �L' � ��� - "�!�$&%��8+*� � � ) 9 ��%����-,�R ,and�L!��B@ +F@�=���4, � O � � - "#!�$*%��+&� � � ) 9 ��%����-,�R .

Clearly, � � � �L= 9 +F@�=���4, . So @�=���4 is executable on � .According to Definition 3, we have

� � � O � � ' � ��� - "#!�$&%��+&� � �H<>=�?F@ 9 ���-,�R .� � � O � - "#!�$*%��+&� �8��<>=�?A@ 9 ���L,H�

� - "#!�$&%��+ � � ) 9 ��%����L,�R .So, we get two possible resulting policy bases:

� � +��-� � � , and � � +��L� � � , where� � � O � � ' � ��� - "#!�$&%��+&� � �H<>=�?F@ 9 ���-,�R .� � � O � - "#!�$*%��+&� � ��<>=�?A@ 9 ���L,H�� - "#!�$&%��+ � � ) 9 ��%����L,�R .

Example 4 Let � be the same as the previous example.Now consider the transformation “if ��� is a member ofgroup

�, then change � � ’s Write right for object � to Exe-

cute right”. We can specify this transformation as follows:

@�=���4 � � �-= 9 +A@�=���4, � �-!���@ +A@�=���4, � , where�L= 9 +F@�=���4, � O � �7' � �

� - "#!�$*%��+&� �8��<>=�?A@ 9 ���L,BR ,�L!��B@ +F@�=���4, � O � � - "#!�$*%��+&� � �H<>=�?F@ 9 ���L,��

� - "#!�$*%��+&� �8��JLK 9�M�N @ 9 ���L,�R�1Clearly, � � � �L= 9 +F@�=���4, . So transformation @�=���4 is ex-ecutable on � . It should be noted that since the termJLK 9�M�N @ 9 occurs in the postcondition of @�=���4 (i.e. � -"#!�$&%��+&� � ��J-K 9�M�N @ 9 ���L, ), it should also appear in the Her-brand base of our language

�used in this example.

Using Definition 3, we have the following result:

� � O � �7' � ��� - "#!�$&%��+&� ����JLK 9�M�N @ 9 ���L, ,� - "�!�$&%��8+*� � � ) 9 ��%#���L,H�� - "#!�$*%��+ � � ) 9 ��%����L,�R�1

So, the final policy base is

�� � +��L� � , , where� � O � � ' � ��� - "#!�$&%��+&� � ��JLK 9�M�N @ 9 ���L,H�� - "�!�$&%��8+*� � � ) 9 ��%#���L,H�� - "#!�$*%��+ � � ) 9 ��%����L,�R�1

4 Conflict Resolution

4.1 The Problem

As the policy constraints are explicitly taken into accountin our policy base, the transformations can be nonmonotonicin the sense that the addition of new access right(s) in thecurrent policy base may also lead to a loss of some other ac-cess right(s). For instance, consider the following example.

Example 5 Let � � +��L� � , be a policy base, where

� � O � - "�!�$&%��+&� � � ) 9 ��%���� � ,��� - "�!�$&%��8+*� � � ) 9 ��%#��� � ,�R , and

� � O 0 ��!�1 � - "�!�$&%��+&� � ������!�,G6� � - "�!�$&%��8+*��������!�,�R .

Suppose we want to add the fact � - "#!�$&%��+&���8� ) 9 ��%���� ��,into � . Consider the constraint, � - "�!�$&%��+&���8� ) 9 ��%���� ��,implies � � - "�!�$&%��8+*� ��� ) 9 ��%���� ��, . To maintain the con-sistency of � , we need to either keep the policybase unchanged or remove � - "�!�$&%��+&� � � ) 9 ��%���� � , andget a new � where

� � O � - "�!�$&%��8+*� � � ) 9 ��%#��� � ,H��� -"#!�$*%��+&� � � )D9 ��%���� � ,�R .

¿From the above example we can see that by introducingpolicy constraints in our policy base, a transformation maycause some indirect changes to the policy base. However, insome situations, these indirect changes may lead to conflictswhich need to be resolved. The approach described so fardoes not provide a resolution for conflicts. Let us considerthe following example,

Example 6 Let � � +��L� � , be a policy base, where

� � O � ' � R�� and� � O 0 ��� !�12� ' � :E� - "#!�$&%��+F�� ) 9 ��%���!�,G6

� - "�!�$&%��8+*�8� ) 9 ��%���!�,BR .Now consider the addition of � - "�!�$&%��8+ � � )D9 ��%�� ����� JL,

to the policy base. According to Definition 3, there are twopossible resulting states after performing such a transforma-tion on

�.

� � � O � ' � ��� - "#!�$&%��+ � � ) 9 ��%�� ��� � J-,��� - "#!�$*%��+&��� ) 9 ��%�� ��� � J-,�R�1� � � O � - "#!�$&%��+ � � ) 9 ��%�� ��� � J-,�R�1

Let us examine the two possible resulting states� � and� � more closely. In this situation, since our policy

constraint is equivalent to � - "�!�$&%��8+ � � ) 9 ��%#� ����� JL, 6� �' � * � - "#!�$&%��+&��� ) 9 ��%�� � � � JL, , both

� � and� �

represent the minimal changes from�

with respect tothis particular transformation.

� � is obtained if thepredicate � - "�!�$&%�� takes precedence over the predicate ' .This seems reasonable because after the addition of � -"#!�$&%��+ � � ) 9 ��%�� ��� � J-, into the policy base, � obtains aread right for

����� J because of the inheritance property.On the other hand,

� � is obtained if the predicate ' takesprecedence over the predicate � - "#!�$*%�� . We have no reasonto say that

� � is not reasonable according to our approachdescribed in section 3.1. To resolve such issues, we need tospecify preference ordering mechanisms on these predicateswhich reflect the security policies of the organizations.

4.2 An Approach

Several approaches to conflict resolution have been pro-posed. Strong and weak authorizations have been proposedin the Orion authorization model [2]. The basic idea be-hind this approach is that strong authorizations cannot beoverridden, while weak authorizations can be overriddenby strong or other weak authorizations, according to spec-ified rules. Lunt [5] discussed the most-specific rule anddenials take precedence approaches. Most-specific rule re-quires that if an individual subject is specifically grantedor denied authorization for an object, this takes precedenceover any other authorizations for the object that are grantedor denied to groups to which the subject belongs. With de-nials take precedence approach, a subject or group’s denialof authorization for an object takes precedence over any au-thorizations that the subject or group may have been grantedfor the object. We will use the approach of weak and strongauthorization together with a preference ordering mecha-nism to resolve conflicts. We assign the newly added autho-rization(s) to be strong and the previously existing autho-rization(s) to be weak. Therefor, in our transformation, thenewly added authorization(s) always override the existingauthorization(s).

As described in section 2.1, there are four predicates ' ,( , � - "�!�$&%�� and � - "�!�$&%�� in our language

�. We introduce

the following preference ordering among the predicates in�. We assign � - "#!�$*%�� to have a higher precedence than '

and ( , ' and ( to have a higher precedence than � - "�!�$&%�� .Formally, a strict partial ordering � (i.e. antireflexive, anti-symmetric and transitive) among predicates ' , ( , � - "�!�$&%��and � - "#!�$&%�� is defined as � - "#!�$*%���� '�� � - "#!�$*%�� and � -"#!�$&%����D(�� � - "#!�$&%�� . We can now extend our model-based

transformation given in Definition 3 as follows. First weneed to introduce some additional notations. Let

� � � be two Herbrand interpretations of

�.� � � - "�!�$&%�� � , � � � -

"#!�$*%�� � , � � ' � and� � (�� denote the set of all interpretations

of predicates � - "�!�$&%�� , � - "#!�$*%�� , ' and ( in�

respectively.For example, if a Herbrand interpretation is

� � O � - "�!�$&%��+&� � � � � ��� � ,��� - "�!�$&%��8+*���� � �����D�H,��� - "#!�$*%��+ � � � � P���QP ,H�� �5' � � , ��Q' � ��� � �G( � � R ,

then we have

� � � - "#!�$&%�� � � O � - "�!�$&%��8+ � � � � P ��� P ,�R ,� � � - "#!�$*%�� � � O � - "�!�$&%��+&� � � � � ��� � ,��� - "�!�$&%��8+*� � � � � ��� � ,�R ,� � ' � � O � �7' � � ����Q' � ��R , and� � (�� � O � �7( � � R .

On the other hand, Diff � - ��� ��� + � � � , ,Diff � -��� ��� + � � � , , Diff �#+ � � � , and Diff � + � � � , de-note the set of different interpretations on predicates � -"#!�$*%�� , � - "�!�$&%�� , ' and ( in

�and

� respectively. Forinstance, if

� � O � - "�!�$&%��8+*� � � � � ��� � , , � � ' � � �� � ( � � R ,then

Diff � - ��� ��� + � � � , � O � - "#!�$&%��+ � � � � P8���QP ,�R ,Diff � -���� ��� + � � � , � O � - "�!�$&%��+&� ��� � � ���-� ,�R ,Diff �#+ � � � , � O � �5' � ��R , andDiff � + � � � , � O R .

The following is the formal definition of the extendedmodel-based transformation based on the preference order-ing � .

Definition 4 Let � � +��L� � , be a policy base, @�=���4 atransformation description that is executable on � (i.e.� � � �L= 9 +F@�=���4, ), and

�a possible state of � . A Her-

brand interpretation� of

�is called a possible resulting

state after transformation @�=���4 on�

based on the prefer-ence ordering � ( called � -transformation @�=���4 on

�), if

and only if� satisfies the following conditions:

1.� � � � and

� � � $ for every ground literal $ in�L!��B@ +F@�=���4, .

2. There does not exist other Herbrand interpretation�

of�

such that

(a)� satisfies Condition 1;

(b) Diff � - ���� ��� + � � � , � Diff � - ���� ��� + � � � , ; or

(c)� � � - "�!�$&%�� � ��� � � - "�!�$&%�� � andDiff � + � � � , � Diff � + � � � , orDiff � + � � � ,�� Diff � + � � � , ; or

(d)� � � - "�!�$&%�� � ��� � � - "�!�$&%�� � and� � ' � � � � ' � and� � (�� � � � (�� andDiff � -���� ��� + � � � , � Diff � - ��� ��� + � � � , .

The following example shows how a transformation isperformed using the extended model-based transformationbased on the preference ordering � .

Example 7 A policy base � � +��L� � , , where� � O � �7' � ���/' � ����Q' � ����� ' � � �

� - "#!�$&%��+ � � ) 9 ��%����L,��� - "#!�$*%��+&��� ) 9 ��%����L,��� - "#!�$*%��+&� �8� ) 9 ��%����L,��� - "#!�$&%��+ � � ��JLK 9 M�N @ 9 ���L,H�� - "#!�$*%��+&����JLK 9 MHN @ 9 ���-,��� - "#!�$*%��+&� � ��JLK 9�M�N @ 9 ���L,�R�� and

� � O 0 ��� ��!�12� ' �L:�� - "�!�$&%��8+A��������!�,G6� - "#!�$*%��+&����#��!�,�R .

Consider the transformation “the members of group G can-not have execute right for O”. That is, the addition of � � -"#!�$&%��+&����JLK 9 M�N @ 9 ���L, and � � - "�!�$&%��8+*� ����JLK 9�M�N @ 9 ���L, to� . Formally, the transformation can be represented asfollows:

@�=���4 � � �-= 9 +A@�=���4, � �-!���@ +A@�=���4, � , where�L= 9 +F@�=���4, � O R , and�L!��B@ +F@�=���4, � O � � - "#!�$*%��+&����JLK 9 MHN @ 9 ���-,��

� � - "�!�$&%��8+*� � ��JLK 9 MHN @ 9 ���-,�R .Since � belongs to both groups

�and

� � and using theabove constraint, S inherits the access rights from bothgroups. That is, � holds

) 9 ��% and JLK 9�M�N @ 9 rights for � .The transformation will change the access rights of � and� � . The result of the transformation is that � and ��� cannothave JLK 9 MHN @ 9 right for � , which conflicts with the accessright � has inherited from group

� � . To resolve this con-flict, we use the preference ordering. ¿From the policy con-straint, we get � � - "�!�$&%��+&����JLK 9�M�N @ 9 ���L,Q6 � �' � ��* � � -"#!�$&%��+ � ����JLK 9�M�N @ 9 ���L, . Since � � - "#!�$&%��+&����JLK 9 M�N @ 9 ���L,must be satisfied in the resulting policy base �' , thisleads to � being removed from

� � ’s membership or � -"#!�$&%��+ � � ��JLK 9�M�N @ 9 ���L, being removed from the policybase. Since we defined the preference ordering to be '�� � -"#!�$&%�� , � ' � � will be removed from the policy base.

Formally from Definition 4, we have� � O � � ' � ��� ' � ��� � ' � � �

� - "#!�$&%��+ � � ) 9 ��%����L,��� - "#!�$&%��+ � � ��JLK 9 M�N @ 9 ���L,H�

� - "�!�$&%��8+*��� ) 9 ��%����L,��� - "�!�$&%��8+*� � � ) 9 ��%#���L,H�� - "�!�$&%��8+*� � ��J-K 9�M�N @ 9 ���L,�R�1

Our transformation is based on the model of � . Fora subject, its access rights, inherited from all of the groupsthat it belongs to, are within the same model(s). When per-forming transformations, the consistency of the model willguarantee the consistency of every related group. So we donot need to check the individual group for maintaining theconsistency of � .

So, the resulting policy base is:

� � +��L� � , where� � O � � ' � ��� ' � ��� � ' � � �� - "#!�$*%��+ � � ) 9 ��%����L,��� - "#!�$*%��+ � � ��JLK 9 MHN @ 9 ���-,��� - "�!�$&%��8+*��� ) 9 ��%����L,��� - "�!�$&%��8+*� � � ) 9 ��%#���L,H�� - "�!�$&%��8+*�����J-K 9�M�N @ 9 ���L,�R�1

5 Implementation Issues

In this section, we discuss the implementation of our ex-tended model-based transformation approach. Our methodis similar to that of Winslett’s update theory [3, 11] in thesense of model-based semantics of change, but differs fromit due to different ontologies.

5.1 The Basic Idea

Let � � +��-� � , be a policy base. A transformation@�=���4 adds a set of literals

� � O $ ��� $A��� 1F1F1F� $ � R to �' . ¿FromDefinition 4, the resulting policy base is �' � +��L� � ,where

� � � � and� � ���

. So� is one of the Her-

brand models of��� � which has minimal difference from�

with respect to the preference ordering � defined in Con-dition 2 of Definition 4. Therefore, we have the following

� � ����� + � �����(������+ ��� �-,�� � ,Our implementation comprises the following stages:

Step 1: Generate the set of models of� � ���

�����������+ � � �L, .Step 2: For each

� '�����������8+ ��� �L, , computeDiff + � � � , . Then

� � ����� + � � � �� � , .Step 1 involves a procedure for model generation. In

step 2, to obtain the resulting model, we need to computeDiff + � � � , for each

� in ���(�����8+ ��� �L, and then find����� + � � � �� �5, .

5.2 The Algorithms

5.2.1 The Model Generator

For a policy base � � +��L� � , , generally the constraintsin � may include universally quantified variables P . Fromthe implementation point of view, we need to ground eachconstraint containing variables in � to all of its proposi-tional instances

�. For instance, in Example 3, � contains

one constraint:0 �1 � ' � :E� - "#!�$*%��+ � � ) 9 ��%����L, 6� - "#!�$*%��+&�� )D9 ��%����L,BR .

During implementation, this constraint needs to be replacedby its ground instance:

� �7' � :E� - "#!�$*%��+ � � ) 9 ��%����L,G6� - "#!�$*%��+&� �8� ) 9 ��%����L, .

Therefore, in the rest of this section, when we refer to apolicy base � � +��L� � , , we assume that � only containsconstraints without variable occurrence.

We need to define some additional concepts that will beused in our algorithms. For a policy base � � +��-� � , , aninconsistency is a set of literals whose conjunction is incon-sistent with � . A minimal inconsistency is an inconsistencywhich has no subset that is also an inconsistency.

Let�

be the set of all ground literals of the languagedefined in section 2.1. To get the set of models of

� � � ,first we need to find out the set

�of minimal inconsistencies

between�

and � . This can be achieved using an inferenceengine. Given

�and � , we can use the resolution proof to

find out all the minimum-length proofs which lead to emptyclauses; the required inconsistencies can then be directlyread off from these proofs.

For instance, let us consider Example 3 and see howone can obtain the set

�of minimal inconsistencies. To

simplify the problem, let � stand for ��� ' �,�

for � -"#!�$&%��+&� ����<>=�?A@ 9 ���L, , M for � - "#!�$&%��+&� �8� ) 9 ��%����L, and %for � - "�!�$&%��8+ � � ) 9 ��%#���L, . Then

� � O � M R and � �O ��: % 6 M R . Furthermore, � : % 6 M

is equivalent to� �* � %* M . Here

� � O ����� ��� � ��� � � M �1� M � %#� � %�R . Theresolution proof of Figure 2 shows the procedures neededto obtain the set

� � O ����%���� M R of minimal inconsistencies.Once the set

�of minimal inconsistencies between

�and

� is obtained, a model� of

� � � can be achieved using amaximal subset of

�which contains

�but does not contain

any minimal inconsistency.For the above example, considering the inconsis-

tencyO ����%���� M R , we get models

O ��� � R andO � ��%�R .

They are:O � � ' � ��� - "#!�$&%��+&� ���H<>=�?F@ 9 ���-,�R and

O � -"#!�$&%��+&� � ��<>=�?A@ 9 ���L,H��� - "�!�$&%��8+ � � )D9 ��%����L,BR .

�Technically, an existential quantifier in a formula can be eliminated by

introducing Skolem function [4].�This technique is often used in the implementation of first order dy-

namic systems, eg.[11].

~a v ~d v c a

~d v c d

c ~c

Figure 2. Resolution Proof.

The algorithm of model generator for� � � is as fol-

lows:

Algorithm 1.Input: A finite set

�of ground literals, a finite set � of

ground formulas and a finite set�

of groundliterals over

� � � .Output: A finite set of models of

��� � .

1. Use resolution proof to find the set�

of minimalinconsistencies between

�and � .

2. Find the maximal subset of�

which contains�

but does not contain any inconsistency of�

.

3. From the set of all such maximal subsets of�

formthe set of models of

��� � , i.e., ���(�����8+ � � �L, .In the above algorithm, we achieve step 1 using a theo-

rem prover � . In fact, step 1 can be pre-computed as a sepa-rate procedure for finding the set of minimal inconsistenciesbetween

�and � .

5.2.2 Resulting Model Finder

Given model M and the set of models of� � � , the resulting

model finder obtains a corresponding� '&���(������+ � � �L,

for�

under the measure of minimal change from�

to� .

The model obtained is the resulting model. The algorithmis as follows:

Algorithm 2.Input: A finite set of model

�and a finite sets of models:

�����������+ ��� �L, .Output: A resulting model.

�Refer to [8] for detailed information on the theorem prover.

1. For every� ' ���(�����8+ � � �L, , compute

Diff � - ��� � � + � � � , , Diff � + � � � , , Diff � + � � � F,and Diff � -��� ��� + � � � A, .

2. Find the� which has smallest set of

� � �/+ � � � , ,this

� is closest to�

under the condition 2 of Defi-nition 4.

3. The� obtained is the resulting model.

6 Related Work and Discussion

In this paper, we have developed a logic based approachto formalize authorization policies and to describe non-monotonic transformation procedures. Constraints havebeen used to represent the basic properties of authoriza-tions in a system. A model based semantics has been em-ployed to formalize the transformations. We have shownthat our model allows the transformation of both explicitand implicit authorizations. Furthermore by introducingpreference ordering on predicates of the language, we haveextended our model-based semantics to resolve conflictsduring transformation of authorizations. We have alsodiscussed the implementation aspects of our model. Atpresent, we are implementing the approach described in thispaper.

The property of nonmonotonic transformation of autho-rization policies was also addressed by Sandhu and Suri [9].However, as we mentioned earlier, their method is proce-dure based; we have shown in our full version technicalreport that their system is a special case within our frame-work. It corresponds to the case where the set of constraintsis empty.

Let us now return to Woo and Lam’s previous work[12] on a logic based specification of policy bases. Wooand Lam use Reiter’s default logic [7], where a pol-icy base is represented by a default theory. Hence thebasic unit of access right in their formalism is a ruleof the form � ���+ � � . For instance, a rule such as)D9 ��%�+&�����L��, � ) 9 ��%�+*����� ��, � ) 9 ��%#+*�����QP , has the follow-ing intuitive meaning: if subject � can read object � � andit is consistent to assume that � can also read �L� , then theagent will conclude that � can read � P . Therefore, a fact� - "#!�$&%��+&��� ) 9 ��%����-, in our formalism becomes a specialcase of the rule of the form � � � � - "�!�$&%��8+*��� ) 9 ��%����L, . SoWoo and Lam’s policy base has more expressiveness in rep-resenting the system’s access rights. However, there aresome unignorable limitations in their formulation. First,they do not consider the constraints in the access controlof a system. Hence it is not clear how to judge whether apolicy base is legal or illegal with respect to the system re-strictions. Second, using default theory to represent policybase also inherits the critical semantics problem of defaultlogic. That is, given a policy base, it may have more than

one extension, and even worse, it may not have any exten-sion at all. Finally, since not much work has been doneon the issue of update on default theory, we believe that itwould be difficult to consider the authorization transforma-tion based on Woo and Lam’s specification. In comparison,our logic based approach for authorization transformationhas the following major advantages: (i) our policy base hasa clear and complete semantics; (ii) model-based transfor-mation is easy to understand while at the same time beingpowerful, for instance, the nonmonotonic property of autho-rization transformation can be captured in our framework;(iii) our approach is feasible for implementation.

However there are several areas where further researchwork is required; we are addressing the following at present.In this paper, we only considered the fact-based authoriza-tion transformation in which the constraints on the accessrights of the system remained fixed. We are currently ex-tending this approach to include updating the constraintson the access rights of the system; we refer to this as therule-based authorization transformation. That is, from apolicy base � � � +�� � � � � , , after a rule-based authoriza-tion transformation, we obtain a new policy base � � �+�� � � � � , , where � � may differ from � � . We are also in-vestigating a way of proposing a minimal change principleto capture this kind of transformation.

References

[1] Yun Bai, Vijay Varadharajan, A Logic Based Ap-proach for Transformation of Authorization Policies.Manuscript, September, 1996.

[2] F.Rabitti et al, A Model of Authorization for Next Gen-eration Database Systems”, ACM Trans on DatabaseSystems, 1, March 1991.

[3] T.S-C. Chou, M. Winslett, Immortal: a Model-basedBelief Revision System, The 2nd International Confer-ence on Principles of Knowledge Representation andReasoning, Morgan Kaufman Publishers Inc. pp 99–110, 1991.

[4] S.K. Das, Deductive Databases and Logic Program-ming, Addison-Wesley Publishing Company, UK, 1992

[5] T.F. Lunt, Discretionary Security for Object-OrientedDatabase Systems, Technical Report 7543, ComputerScience Laboratory, SRI International, 1990.

[6] W.W. McCune, Automated Discovery of New Axiom-atizations of the Left Group and Right Group Calculi,Journal of Automated Reasoning. 09(1): pp 1–24, 1992

[7] R. Reiter, A logic for default reasoning, Artificial Intel-ligence, 13(1-2): 81-132, 1980.

[8] S. Russell and P. Norrig, Artificial Intelligence - A Mod-ern Approach. Prentice Hall, 1995..

[9] R.S. Sandhu and S. Ganta, On the Expressive Powerof the Unary Transformation Model, Third EuropeanSymposium on Research in Computer Security, pp 301–318, 1994.

[10] R.S. Sandhu and G.S. Suri, Non-monotonic transfor-mation of access rights, Proceedings of IEEE Sympo-sium on Research in Security and Privacy, pp 148–161,1992.

[11] M. Winslett, Updating Logical Databases. CambridgeUniversity Press, New York, 1990.

[12] T.Y.C. Woo and S.S. Lam, Authorization in distributedsystems: A formal approach, Proceedings of IEEESymposium on Research in Security and Privacy, pp33–50, 1992.

[13] V. Varadharajan and C. Calvelli, An access controlmodel and its use in representing mental health appli-cation access policy, IEEE Trans. Knowledge And DataEngineering, vol.8, no.1, pp 81–95, 1996.