The Role of Abduction in Declarative Authorization Policies

Declarative authorization languages promise to simplify the administration of access control systems by allowing the authorization policy to be factored out of the implementation of the resource guard. However, writing a correct policy is an error-prone task by itself, and little attention has been given to tools and techniques facilitating the analysis of complex policies, especially in the context of access denials. We propose the use of abduction for policy analysis, for explaining access denials and for automated delegation. We show how a deductive policy evaluation algorithm can be conservatively extended to perform abduction on Datalog-based authorization policies, and present soundness, completeness and termination results.

becker-nanz_padl08.pdf
PDF file

In 10th International Symposium on Practical Aspects of Declarative Languages (PADL)

Details

Type: Inproceedings