Moritz Y. Becker and Sebastian Nanz
Declarative authorization languages promise to simplify the administration of access control systems by allowing the authorizationfl
policy to be factored out of the implementation of the resource guard. However, writing a correct policy is an error-prone task by itself, and little attention has been given to tools and techniques facilitating thefl
analysis of complex policies, especially in the context of access denials. We propose the use of abduction for policy analysis, for explaining access denials and for automated delegation. We show how a deductive policy evaluation algorithm can be conservatively extended to perform abduction on Datalog-based authorization policies, and present soundness, completeness and termination results.
In 10th International Symposium on Practical Aspects of Declarative Languages (PADL)