members of a role x are also implicitly members of a role
y. In addition, RBAC introduces constraints that are a pow-
Figure 2. Tree structure of the example XACML policy.
policy of the entire company, has two rules r1 and r2
indicating that
• all employees can read and change codes during work-
ing hours from 8:00 to 17:00 (r1 ), and
• nobody can change code during non-working hours
(r2 ).
On the other hand, each department is responsible for
deciding whether employees can read codes during non-
working hours. A local policy p2 for a development depart-
ment with three rules r3 , r4 and r5 is that
• developers can read codes during non-working hours
(r3 ),
• testers cannot read codes during non-working hours
(r4 ), and
• testers and developers cannot change codes during non-
working hours (r5 ).
Note that the rule combining algorithm for policy p1 is
permit−overrides and the rule combining algorithm for
policy p2 is deny−overrides.
B. Role-based Access Control
RBAC is a widely accepted alternative to traditional
mandatory access control (MAC) and discretionary access
control (DAC) [24]. As MAC is used in the classical defense
arena, the access is based on the classification of objects
such as security clearance [23] while the main idea of DAC
is that the owner of an object has the discretion over who
can access the object [15], [22]. However, RBAC is based
on the role of the subjects and can specify security policy
in a way that maps to an organizational structure. A general
family of RBAC models called RBAC96 was proposed by
Sandhu et al. [21]. Intuitively, a user is a human being
or an autonomous agent, a role is a job function or job
title within the organization with some associated semantics
regarding the authority and responsibility conferred on the
user assigned to the role, and a permission is an approval
of a particular mode of access to one or more objects in
the system or some privileges to carry out specified actions.
Roles are organized in a partial order ≥, so that if x ≥ y
then a role x inherits the permissions of a role y. Therefore,
3
erful mechanism for laying out higher-level organizational
policies. Separation of duty (SoD) is a well-known principle
for preventing fraud by identifying conflicting roles and has
been studied in considerable depth by RBAC community [3],
[7], [17]. SoD constraints in RBAC can be divided into Static
SoD constraints, Dynamic SoD constraints and Historical
SoD constraints. Static SoD constraints typically require that
no user should be assigned to conflicting roles. Dynamic
SoD constraints–with respect to activated roles in sessions–
typically require that no user can activate conflicting roles
simultaneously. Historical SoD constraints restrict the as-
signment and activation of conflicting roles over the course
of time.
C. Answer Set Programming
ASP [20], [18] is a recent form of declarative program-
ming that has emerged from the interaction between two
lines of research—nonmonotonic semantics of negation in
logic programming and applications of satisfiability solvers
to search problems. The idea of ASP is to represent the
search problem we are interested in as a logic program
whose intended models, called “stable models (a.k.a. answer
sets),” correspond to the solutions of the problem, and then
find these models using an answer set solver—a system for
computing stable models. Like other declarative computing
paradigms, such as SAT (Satisfiability Checking) and CP
(Constraint Programming), ASP provides a common basis
for formalizing and solving various problems, but is distinct
from others such that it focuses on knowledge representation
and reasoning: its language is an expressive nonmonotonic
language based on logic programs under the stable model
semantics [11], [9], which allows elegant representation of
several aspects of knowledge such as causality, defaults, and
incomplete information, and provides compact encoding of
complex problems that cannot be translated into SAT and
CP [19]. As the mathematical foundation of answer set
programming, the stable model semantics was originated
from understanding the meaning of negation as failure in
Prolog, which has the rules of the form
a1 ← a2 , . . . , am , not am+1 , . . . , not an (1)
where all ai are atoms and not is a symbol for negation
as failure, also known as default negation. Intuitively, under
the stable model semantics, rule (1) means that if you have
generated a2 , . . . , am and it is impossible to generate any of
am+1 , . . . , an then you may generate a1 . This explanation
seems to contain a vicious cycle, but the semantics are
carefully defined in terms of fixpoint.
While it is known that the transitive closure (e.g., reach-
ability) cannot be expressed in first-order logic, it can be
handled in the stable model semantics. Given the fixed extent
of edge relation, the extent of reachable is the transitive

Figure 3. Logic-based policy reasoning for XACML.
closure of edge.
reachable(X, Y ) ← edge(X, Y )
reachable(X, Y ) ← reachable(X, Z), reachable(Z, Y )
Several extensions were made over the last twenty years.
The addition of cardinality constraints turns out to be useful
in knowledge representation. A cardinality constraint is
of the form lower{l1 , . . . , ln }upper where l1 , . . . , ln are
literals and lower and upper are numbers. A cardinality
constraint is satisfied if the number of satisfied literals in
l1 , . . . , ln is in between lower and upper. It is also allowed
to contain variables in cardinality constraints. For instance,
more than one edge(X) ← 2{edge(X, Y ) : vertex(Y )}.
means that more than one edge(X) is true if there are at
least two edges connect X with other vertices.
The language also has useful constructs, such as strong
negations, weak constraints, and preferences. What distin-
guishes ASP from other nonmonotonic formalisms is the
availability of several efficient implementations, answer set
solvers, such as SMODELS1 , CMODELS2 , CLASP3 , which led
to practical nonmonotonic reasoning that can be applied to
industrial level applications.
III. G ENERAL XACML P OLICY A NALYSIS
We introduce a logic-based policy reasoning approach for
XACML as shown in Figure 3. First, XACML policies are
converted to ASP programs. Then, by means of off-the-shelf
ASP solvers, several typical policy analysis services, such
as policy verification, comparison, redundancy and querying
are utilized. For instance, policy verification is to check
if ASP-based representation of XACML policies entails
the property as certain formulas in its specification, policy
comparison checks the equivalence between two answer set
programs, and policy redundancy checking can be viewed as
an instance of simplification of ASP programs.
1 http://www.tcs.hut.fi/Software/smodels
2 http://www.cs.utexas.edu/users/tag/cmodels.html
.
3 http://potassco.sourceforge.net
A. Abstracting XACML Policy Components
We consider a subset of XACML that covers more con-
structs than the ones considered in [28] and [16]. We allow
the most general form of Target, take into account Condition,
and cover all four combining algorithms.
XACML components can be abstracted as follows: At-
tributes are the names of elements used by a policy.
Attributes are divided into three categories: subject at-
tributes, resource attributes and action attributes. In the
example policy above, developer, tester and employee
are subject attributes; read and change are action at-
tributes; codes is a resource attribute. A Target is a triple
⟨Subjects, Resources, Actions⟩. A Condition is a conjunction
of comparisons. An Effect is either “permit,” “deny,” or
“indeterminate.”
• An XACML rule can be abstracted as
⟨RuleID, Effect, Target, Condition⟩
where RuleID is a rule identifier. For example, rule r1
in Figure 1 can be viewed as
⟨r1 , permit, ⟨employee, read ∨ change, codes⟩,
8 ≤ time ≤ 17⟩.
• An XACML policy can be abstracted as
⟨PolicyID, Target , Combining Algorithm, ⟨r1 , . . . , rn ⟩⟩
where PolicyID is a policy identifier, r1 , . . . , rn
are rule identifiers and Combining Algorithm is
either permit−overrides, deny−overrides, or
first−applicable. For example, policy p1 in Fig-
ure 1 is abstracted as:
⟨p1 , Null, permit−overrides, ⟨r1 , r2 ⟩⟩.
• Similarly we can abstract an XACML policy set as
⟨PolicySetID, Target, Combining Algorithm,
⟨p1 , . . . , pm , psm+1 , . . . , psn ⟩⟩
where PolicySetID is a policy set identifier,
p1 , . . . , pm are policy identifiers, psm+1 , . . . , psn
are policy set identifiers, and Combining Algorithm
is either permit−overrides, deny−overrides,
first−applicable, or only−one−applicable. For
example, policy set ps1 can be viewed as
⟨ps1 , Null, first−applicable, ⟨p1 , p2 ⟩⟩.
B. Turning XACML into ASP
We provide a translation module that turns an XACML
description into a program in ASP. This interprets a formal
semantics of XACML language in terms of the Answer Set
semantics.
.
The translation module coverts an XACML rule
. ⟨RuleID, Effect, Target, Condition⟩