Conflict Detection and Resolution in Access Control Policy Specifications

  • Manuel Koch
  • Luigi V. Mancini
  • Francesco Parisi-Presicce
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2303)


Graph-based specification formalisms for Access Control (AC) policies combine the advantages of an intuitive visual framework with a rigorous semantical foundation. A security policy framework specifies a set of (constructive) rules to build the system states and sets of positive and negative (declarative) constraints to specify wanted and unwanted substates. Models for AC (e.g. role-based, lattice-based or an access control list) have been specified in this framework elsewhere. Here we address the problem of inconsistent policies within this framework. Using formal properties of graph transformations, we can systematically detect inconsistencies between constraints, between rules and between a rule and a constraint and lay the foundation for their resolutions.


Access Control Security Level Graph Transformation Access Control Policy Graph Grammar 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. CELP96.
    A. Corradini, H. Ehrig, M. Löwe, and J. Padberg. The category of typed graph grammars and their adjunction with categories of derivations. In 5th Int. Workshop on Graph Grammars and their Application to Computer Science, number 1073 in LNCS, pages 56–74. Springer, 1996.CrossRefGoogle Scholar
  2. EHK+97.
    H. Ehrig, R. Heckel, M. Kor., M. Löwe, L. Ribeiro, A. Wagner, and A. Corradini. Handbook of Graph Grammars and Computing by Graph Transformations. Vol. I: Foundations, chapter Algebraic Approaches to Graph Transformation Part II: Single Pushout Approach and Comparison with Double Pushout Approach. In Rozenberg [Roz97], 1997.Google Scholar
  3. EKMR99.
    H. Ehrig, H.-J. Kreowski, U. Montanari, and G. Rozenberg, editors. Handbook of Graph Grammars and Computing by Graph Transformations. Vol. III: Concurrency, Parallelism, and Distribution. World Scientific, 1999.Google Scholar
  4. GRPPS00.
    M. Groβe-Rhode, F. Parisi-Presicce, and M. Simeoni. Refinements of Graph Transformation Systems via Rule Expressions. In H. Ehrig, G. Engels, H.-J. Kreowski, and G. Rozenberg, editors, Proc. of TAGT’98, number 1764 in Lect. Notes in Comp. Sci., pages 368–382. Springer, 2000.Google Scholar
  5. HW95.
    R. Heckel and A. Wagner. Ensuring consistency of conditional graph grammars-a constructive approach. In Proc. SEGRAGRA’95 Graph Rewriting and Computation, number 2. Electronic Notes of TCS, 1995.Google Scholar
  6. KMPP00.
    M. Koch, L.V. Mancini, and F. Parisi-Presicce. A Formal Model for Role-Based Access Control using Graph Transformation. In F. Cuppens, Y. Deswarte, D. Gollmann, and M. Waidner, editors, Proc. of the 6th European Symposium on Research in Computer Security (ESORICS 2000), number 1895 in Lect. Notes in Comp. Sci., pages 122–139. Springer, 2000.Google Scholar
  7. KMPP01a.
    M. Koch, L. V. Mancini, and F. Parisi-Presicce. On the Specification and Evolution of Access Control Policies. In S. Osborne, editor, Proc. 6th ACM Symp. on Access Control Models and Technologies, pages 121–130. ACM, May 2001.Google Scholar
  8. KMPP01b.
    M. Koch, L.V. Mancini, and F. Parisi-Presicce. Foundations for a graph-based approach to the Specification of Access Control Policies. In F. Honsell and M. Miculan, editors, Proc. of Foundations of Software Science and Computation Structures (FoSSaCS 2001), number 2030 in Lect. Notes in Comp. Sci., pages 287–302. Springer, 2001.CrossRefGoogle Scholar
  9. Roz97.
    G. Rozenberg, editor. Handbook of Graph Grammars and Computing by Graph Transformations. Vol. I: Foundations. World Scientific, 1997.Google Scholar
  10. San93.
    R. S. Sandhu. Lattice-based access control models. IEEE Computer, 26(11):9–19, 1993.Google Scholar
  11. San98.
    R. S. Sandhu. Role-Based Access Control. In Advances in Computers, volume 46. Academic Press, 1998.Google Scholar
  12. SS94.
    R.S. Sandhu and P. Samarati. Access Control: Principles and Practice. IEEE Communication Magazine, pages 40–48, 1994.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Manuel Koch
    • 1
  • Luigi V. Mancini
    • 2
  • Francesco Parisi-Presicce
    • 2
    • 3
  1. 1.Freie Universität BerlinBerlin(DE)
  2. 2.Univ. di Roma La SapienzaRome(IT)
  3. 3.George Mason UniversityFairfax(USA)

Personalised recommendations