The Role of Abduction in Declarative Authorization Policies

  • Moritz Y. Becker
  • Sebastian Nanz
Conference paper

DOI: 10.1007/978-3-540-77442-6_7

Volume 4902 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Becker M.Y., Nanz S. (2007) The Role of Abduction in Declarative Authorization Policies. In: Hudak P., Warren D.S. (eds) Practical Aspects of Declarative Languages. PADL 2008. Lecture Notes in Computer Science, vol 4902. Springer, Berlin, Heidelberg

Abstract

Declarative authorization languages promise to simplify the administration of access control systems by allowing the authorization policy to be factored out of the implementation of the resource guard. However, writing a correct policy is an error-prone task by itself, and little attention has been given to tools and techniques facilitating the analysis of complex policies, especially in the context of access denials. We propose the use of abduction for policy analysis, for explaining access denials and for automated delegation. We show how a deductive policy evaluation algorithm can be conservatively extended to perform abduction on Datalog-based authorization policies, and present soundness, completeness and termination results.

Keywords

access control, abduction, authorization language, Datalog

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Moritz Y. Becker (1)
  • Sebastian Nanz (2)
  1. Microsoft Research, Cambridge, CB3 0FB, UK
  2. Informatics and Mathematical Modelling, Technical University of Denmark, Denmark