Share on Facebook Tweet on Twitter Share on LinkedIn Share by email
The Role of Abduction in Declarative Authorization Policies

Moritz Y. Becker and Sebastian Nanz

Abstract

Declarative authorization languages promise to simplify the administration of access control systems by allowing the authorization policy to be factored out of the implementation of the resource guard. However, writing a correct policy is an error-prone task by itself, and little attention has been given to tools and techniques facilitating the analysis of complex policies, especially in the context of access denials. We propose the use of abduction for policy analysis, for explaining access denials and for automated delegation. We show how a deductive policy evaluation algorithm can be conservatively extended to perform abduction on Datalog-based authorization policies, and present soundness, completeness and termination results.

Details

Publication typeTechReport
NumberMSR-TR-2007-105
Pages23
InstitutionMicrosoft Research
> Publications > The Role of Abduction in Declarative Authorization Policies