Policies, Norms and Actions:

Groundwork for a Framework

Robert Craven
[email protected]
Department of Computing,
Imperial College London,
SW7 2AZ
Abstract
Constraints on computational agents behaviour are studied both in work on policy-
governed systemsusually as part of work on security or policy-based management in dis-
tributed software engineeringand also in multi-agent systems research, where the terminol-
ogy is generally one of norms and concepts drawn from deontic logic. Interaction between
these treatments, and the research communities that study them, has not been as thorough
as it might, for though the perpectives, methods and interests are sometimes dierent, there
is a great deal of shared ground. In the current research report, we present a language and
tools which can be used for reasoning about and studying the operation of both norms and
policies on a multi-agent, or distributed, system. The language is based on one member, C+,
of a family of knowledge representation formalisms studied in AI. We describe the types of
domains that can be represented, the kinds of analysis tasks that are possible, and describe
our current implementation (which is freely available for download). Future directions for this
work are described.
Acknowledgements
The work on norms in C+ presented in Section 5.1 is joint with Marek Sergot, as is the
implementation of iCCalc and the rooms example. I would like to thank Srdjan Marinovic
for reading a draft and for providing detailed and useful criticism.
Research was sponsored by the U.S. Army Research Laboratory and the U.K. Ministry of
Defence and was accomplished under Agreement Number W911NF-06-3-0001. The views and
conclusions contained in this document are those of the authors and should not be interpreted
as representing the ocial policies, either expressed or implied, of the U.S. Army Research
Laboratory, the U.S. Government, the U.K. Ministry of Defence or the U.K. Government.
The U.S. and U.K. Governments are authorized to reproduce and distribute reprints for
Government purposes notwithstanding any copyright notation hereon.
Contents
1 Introduction 2
2 Background: labelled transition systems and (+ 4
2.1 Signatures and Causal Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Action Descriptions to Transition Systems . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Causal theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4 Action Descriptions to Causal Theories . . . . . . . . . . . . . . . . . . . . . . . . 9
2.5 Deniteness and Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3 Basic formalism 12
3.1 Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2 System Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1
3.4 Semantics for policy descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4 Policy composition 21
4.1 Language and semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.2 Example composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5 Norms 29
5.1 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.2 Example: Rooms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.3 Extracting the System Component . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
6 Analysis Queries and Examples 35
6.1 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
6.2 Query and Analysis Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
7 Related work 43
8 Concluding Remarks and Future Work 44
A Sample code for a rooms example 46
1 Introduction
In this paper we explore several ways in which controls over agents behaviour can be represented
and reasoned about. There are three main streams of inuence that here come together: work
on action languages, from articial intelligence; work on norms, from multi-agent systems; and
research on policy algebras, from policy management. The aim is to study the relationship between
these dierent techniques and paradigms, and to suggest the benets of combining them. To that
end, we include many examples, and describe the uses to which a combined system can be put in the
analysis of various forms of directives governing an agents behaviour in a changing environment.
Examples are illustrated with the use of our implementation, which covers all ideas presented in
the paper. In the rest of this introduction, we expand on the various components of work, and the
motivations behind it.
The norms we represent in the current framework are typically used to represent the high-level
requirements of a system, which do not take into account the way the domain is implemented at the
lower levels of detail. Norms are here understood to classify dierent behaviours and combinations
of the properties of a system as good or bad. Policies, by contrast, concern the micro-management
of the specic actions performed by the devices, agents and components of a system; the policies are
intended to achieve, at a practical level, what the more abstract norms recommend. We combine
norms and policies in a common framework, in which the components, devices, and agents that
the norms and policies refer to have their behaviour modelled by a logical formalism from Articial
Intelligence, amenable to temporal reasoning, model-checking, and event-based descriptions.
Several more detailed motivations resulted in the current work. One was to provide a perspicu-
ous and intuitive representation for the combination of default policy decisions and exceptions, in
a context where there could be named sets of policies. In our previous work [Craven et al., 2008,
Craven et al., 2009], we have used normal logic programs, and specically negation-as-failure, to
represent exceptions to policies and default policy rules. However, that work did not have a
clear distinction between the rules that state how policies override each other and how the PDP
reaches a decision given the policy rules, and the policy rules themselves; this meant that it was
frequently unclear how defaults and exceptions should be expressed. It also seems desirable that
authorization policies should be able to be grouped together, and that one should be able to state,
for instance, that one policy should apply in the case that no rule whatsoever in a given state
applies. It became clear that papers that have recently been published in the policy literature
on an algebraic approach to policy composition in fact oer a better solution to this problem.
2
(Model-checking and enriched concepts from deontic logic have been used before in research on
policies, but there is no unifying framework that combines them with policy algebra and with a
powerful representation of the domain that the policies govern. This is what we attempt in the
current report.)
There is also increasing interest from the policy community in the possibilities of using various
techniques from AI in reasoning about policies and their interactions with the systems they govern.
Techniques that have been applied to policy reasoning include rst-order logic theorem proving,
reasoning using description logic, and abductive and inductive logic programming. However, there
are many other kinds of techniques that could be used; in the context of the current work, we
have in mind particularly model-checking, and reasoning using enriched deontic and agentive
concepts. These typically take some form of graphical structureoften, transition systems or
labelled transition systemsas their basic semantics. It therefore seemed attractive to let the
policies be interpreted over similar structures.
There are many sorts of language for dening labelled transition systems. We have chosen to
use (+, which one of the most recent in a series of action languages [Gelfond and Lifschitz, 1998]
used to represent the eects of actions and events on a changing environment; these langauges
are most widely used in knowledge representation. (+ can be used to depict the states and
behaviour of dierent agents, acting together or independently, and includes built-in features for
the treatment of various kinds of default, inertia, ramications, and so on.
In the present work, we add constructions to (+ for policies, and for policy composition.
We wish to reason about the behaviour of policies, and of agents governed by policies, in an
environment on which policy depends, and which can be altered by the actions performed in
accordance with the policies. Both authorization policies, positive and negative, and obligation
policies are covered. Positive and negative authorization policies are grouped together into sets,
and these, through the logic of policy algebra, determine whether or not a request by a subject to
perform an action on a target is allowed. If the request is allowed, then the eects of the requested
action are caused, and this determines the way the system evolves over time. Obligation policies
are, for us, encoded as triggers in much the same way as event-condition-action rules. When
the condition of a rule is true, then a request is triggered automaticallyagain, for a subject to
perform an action on a target. The dierence is that we do not insist that events are present: the
triggers can be any kind of combination of current conditions. This request is then subject to the
authorization policies in place. The combination of action languages, labelled transition systems,
and policies, allows reasoning about the eects of policy in a changing environment; this is very
important for policy analysis, as policy evaluation can then be seen to depend on how the system
has evolved over time.
In recent years there has been increasing interest in the use of norms to regulate the interactions
of multi-agent systems. Norms can partly be understood as accepted standards of behaviour to
which certain objects capable of doing things should adhere (this being a near-paraphrase of a
widely-used dictionarys denition of the term). In a more general way, we understand norms as
the expression of what is good and bad in a domainwhere the generalization allows features of
an agents state, of any other objects state, of the environment, of histories of objects and actions,
and so on, to be considered as bound by the norms. The norms need not only register what is
accepted or acceptable, but what is desired, right, legal, immoral, conformant with protocol, etc.
We focus on the expression of a standard, rather than the standard itself. Examples of systems of
norms in this wider sense are: legal systems; Roberts rules of order; bidding protocols in auctions;
Kantian ethics; and preferences over items on a menu. It is of course a stretch to call the last of
these norms, but that does not matter.
One way in which norms are used in multi-agent systems is to specify, from the perspective of
a system designer or other sort of system-wide authority, how the system should be implemented:
how it should behave, what the desirable system congurations are. This is the way in which we
use norms in the current work. The actual system may, in fact, not adhere to the given norms:
this is one way in which our treatment of norms diers from that of policies, for whether or not
a policy determines a request as allowed makes all the dierence to whether the action requested
will be performed. Norms regulate, policies regiment. The presence of these dierent ways of
3
holding a standard to the behaviour of articial systems in the same formalism, to be evaluated
over the same models, is fruitful: we can reason about whether the actual policies in place satisfy
the (various kinds of) norms, and if they do not satisfy them, why not.
All work presented here has been implemented in freely-available software; see Section 6.1 for
details and the URL. (This implementation is joint work with Marek Sergot.)
The structure of this report is as follows. First, background to the action language (+. Then a
preliminary version of how to add policy structures to the language, followed by how to do this for
policies combined by a policy algebra. Then, description of a normative addition to the language,
orthogonal to the policy bit. Then examples, and discussion of the possibilities for various kinds of
analysis query, together with details of an implementation. Finally, related work and concluding
remarks, including on further work.
2 Background: labelled transition systems and (+
Action languages are logics for describing how a system behaves over time, as a consequence
of actions performed within the system. (+ is the most recent member of a family of action
languages which began with / [Gelfond and Lifschitz, 1993], and whose early history is surveyed
in [Gelfond and Lifschitz, 1998]. (+ has a number of very appealing features, which recommended
it as a starting-point for the kinds of development we pursue in the current paper.
It provides a very natural treatment of inertia (default persistence), which gives intuitively
desired results.
It is easy to say many things in (+: concurrent actions, default eects, ramications, non-
determinism, are all accommodated.
After only a brief acquaintance with the language, one can write action descriptions which
capture the intended behaviour.
The underlying formalism that can be providedthat of causal theoriesis simple: so in
cases where there are complex interactions between causal laws, reference to this underlying
formalism quickly resolves confusion.
There is a semantics of labelled transition systems already in place. Since we are interested
in making use of the bridge this aords to methods in other areas of AI, this is a signicant
advantage.
We will give an overview of the syntax of (+; show how labelled transition systems are dened;
describe the underlying framework of causal theories and the alternative route to transition systems
this aords; present the algorithm used to nd models of an important subclass of causal theories;
and give an outline of n(+ [Craven and Sergot, 2008], an extension to (+ incorporating deontic
concepts. The presentation of (+ we give will not include all features of that language, but
only those which are relevant for our work. For the whole, see [Giunchiglia et al., 2004]. Our
terminology does not precisely match that of the original authors.
2.1 Signatures and Causal Laws
First, the syntax of (+. We begin with , a multi-valued, propositional signature. Members of
are known as constants. is assumed to be partitioned into a set
f
of uent constants and a set

a
of action constants. Further, the uent constants are partitioned into those which are simple
and those which are statically determined. We sometimes use
smpl
to stand for the simple uent
constants, and
stat
to stand for the statically determined uent constants. And so:
=
f

a
=
smpl

stat

a
.
4
Statically determined uent constants depend only on features of the current state: the values
they take may not directly depend on the past history of the domain. In the representation of
many domains, the set of statically determined uent constants is empty.
For each constant c there is a nite, non-empty set dom(c), disjoint from and known as
the domain of c. An atom of the signature is an expression c=v, where c and v dom(c).
Formulas are constructed from the atoms using propositional connectives and a familiar syntax,
with a literal as an expression A or A, for atomic A. The expressions and are connectives
of zero arity, with the usual interpretation. A Boolean constant is one whose domain is the set
of truth-values t, f , and a Boolean signature is, by extension, one all of whose constants are
Boolean. If c is a Boolean constant, we often write c for c=t, so that where our propositional
signatures are restricted to be Boolean and we deal with no formula containing f , we may reduce
our syntax to that of standard propositional logic.
A uent formula is a formula whose constants all belong to
f
; an action formula is a formula
which contains at least one action constant, and no uent constants. Note that according to these
denitions, and are uent formulas but not action formulas. Disjointness of
f
and
a
forces
disjointness of the set of uent formulas (which we abbreviate to fmla
f
) and the set of action
formulas (abbreviated to fmla
a
). The disparity in the denitions of fmla
f
and fmla
a
makes later
denitions more compact.
An interpretation of a multi-valued propositional signature is a function mapping every
constant c to some v dom(c); an interpretation X is said to satisfy an atom c=v if X(c) = v,
and in this case one may write X [= c=v. Standard structural recursions over the propositional
connectives apply, and where is a set of formulas of our propositional signature, X [= expresses
that X [= c=v, for every c=v in . We let the expression I() stand for the set of interpretations
of .
A static law is an expression of the form
F if F

(1)
where F and F

are uent formulas. These laws are similar to the state constraints which appear
elsewhere in computer science; their meaning is that when the formula F

is true in a state, then

the formula F is caused to be true. An action constraint is an expression of the form
A if G (2)
where A is an action formula and G is a formula. An action constraint A if G means that when
G is true in a state, then when the system evolves from that state, it must do so in a way which
makes A true. If G is a conjunction A

F, where A

is an action formula and F a uent formula,

this means that if F is true in a state, and the actions A

then occur, then the actions A must

also occur. A uent dynamic law has the form
F after G (3)
where F is a uent formula and G a formula, the restriction that F must not contain statically
determined uents. Fluent dynamic laws can be understood as stating that where G is true in a
state, then F must be true in the next state. In particular, as with action constraints, if G is a
conjunction of an action formula A and a uent formula F

, then (3) would mean that where F

is true in a state, and A occurs, then F is true in the following state. Causal laws are static laws
or dynamic laws, and an action description is a set of causal laws.
An action description D is said to be denite when
the head of every causal law of D is either an atom or , and
no atom is the head of innitely many causal laws of D.
When an action description of (+ is denite in this sense, then there is a straightforward method
of nding runs through the transition system it denes, which we will present in Section 2.5. All
of the examples we will mention in the current paper are denite action descriptions.
5
For the purpose of illustration, consider the very simple action description having as its Boolean
signature

smpl
= p
stat
= q
a
= a
Thus, p and q are intended to represent properties of states, and a to represent an action, the
performance of which may aect those properties. Let the laws of the action description be:
q if p, (4)
q if p,
p after a,
p after a.
exogenous a.
We will soon see that action descriptions of (+ can be rendered graphically; action description (4)
can be depicted as in Figure 1. The rst two (static) laws make qs value dependent on that of p.
p, q p, q
a,
a
a a
Figure 1: Transition system for action description (4)
The second two laws make the value of p change, depending on whether a is performed or not. The
fth law states that a can occur, or not occur, in any situation, other things being equal (for the
meaning of the keyword exogenous, see the end of this subsection). We see that static laws can
be used to describe how the eects of actions ramify. Transitions between states are depicted as
arrows, and the labels on the arrows represent what actions and events occur, to move the domain
from one state to another. For instance, if p and q are true of the system being represented, then
if the event or action a does not occur (i.e. a is true), then the system will move to a state in
which both p and q are falseone where p and q are true.
A number of abbreviations of causal laws are useful, making the meaning of specic structures
of law more clear. Fluent dynamic laws of the form after A, where A is an action formula, may
also be written
A is non-executable
and uent dynamic laws after A F, where A is an action formula and F a uent formula,
may be written
A is non-executable if F
A static law of the form F if can simply be written as
F
in which case F must be true in all states. Further, the law
inertial c
where c is a simple uent constant, abbreviates the set of causal laws
c=v if c=v after c=v [ v dom(c)
6
The eect of this is to enable the value of the uent constant c to persist by default into the next
state (unless c is caused to have some other value). The law
exogenous c
where c is an action constant abbreviates the set of action dynamic laws
c=v if c=v [ v dom(c)
These have the eect of allowing a to take any value in a transition (except if it is caused to have
some value by other causal laws).
2.2 Action Descriptions to Transition Systems
Every action description of (+ denes a labelled transition system. In general, transition systems
are graphs, whose vertices represent the states of some system, and where an edge between two
vertices represents that the system may evolve from the one state to the other. The edges are
typically called transitions, and where the transitions are labelled, the labels usually denote the
performance of some action, or the execution of some computation, which eects the given tran-
sition between states. This sort of graphical structure is, of course, ubiquitous in computing and
articial intelligence.
The precise form of the transition systems with which we will deal in the current thesis will
vary, usually as the language used to dene them accrues special features. It is therefore dicult
even to dene an underlying template to which all labelled transition systems must conform. So
we relativize to (+, as follows.
Denition 1 A transition system for (+ is a triple (S, L, R), where
S is a set of states, sometimes called vertices;
L is a set of labels;
R is a set of transitions, R S L S, sometimes called edges.
The purpose of this section is to describe how each action description D of (+with signature

f

a
denes a labelled transition system L
D
, of the form dened above. But we will rst
note that states will turn out to be interpretations of
f
which satisfy certain constraints, and the
set of labels will be the set I(
a
). The denitions and theorems in this section are mostly taken
from [Sergot, 2004].
Suppose we are given an action description D of (+, with signature
f

a
.
Denition 2 We dene:
T
static
(s) = F [ F if F

D, F fmla
f
, s [= F

,
E(s, e, s

) = F [ F after G D, s e [= G,
A(s, e) = A [ A if G D, A fmla
a
, s e [= G,
Simple(s) = c=v [ c
smpl
, s [= c=v,
With these preliminary denitions, we can now dene the transition systems dened by (+ action
descriptions. We rst need to dene our states.
Denition 3 Let D be an action description of (+. An interpretation s of
f
is a state of D i
s = s

I(
f
) [ s

[= T
static
(s) Simple(s).

In words, s is a state when s satises the set of forumlas T
static
(s) Simple(s), and there is no
other interpretation of
f
which satises this set. We move on to the transitions dened by (+
action descriptions.
7
Denition 4 Let D be an action description of (+, with signature . Suppose s, s

I(
f
), and
e I(
a
). We say that (s, e, s

) is a transition of D i s is a state (according to the preceding

denition) and:
s

= s

I(
f
) [ s

[= T
static
(s

) E(s, e, s

);
e = e

I(
a
) [ e

[= A(s, e).
Again, in words: (s, e, s

) is a transition when s is a state; where s

satises T
static
(s

) E(s, e, s

)
and no other interpretation does so; and where e satises A(s, e) and no other interpretation in

a
does so.
The transition systems dened by a (+ action description have the form given above in Def-
inition 1: the component S is the set of states dened by the action description D; the possible
labels L are found in I(
a
); and R is the set of transitions, as given in Denition 4.
Theorem 5 If (s, e, s

) is a transition of an action description D, then s

is a state.
Proof: This is Proposition 4 of [Sergot, 2004].
At a rst glance the reason that these denitions take precisely the form they do is far from
obvious, and they are apt to seem somewhat arbitrary. Matters become clearer when we examine
the relationship of action descriptions of (+ to causal theories.
2.3 Causal theories
The language of causal theories [McCain and Turner, 1997, Giunchiglia et al., 2004] is a more
general-purpose, non-monotonic formalism which can be seen as underlying the action language
(+. (The manner in which it is non-monotonic is not entirely straightforward: for details, see
[Sergot and Craven, 2005a].) Causal theories are very closely related to Reiters Default Logic
[Reiter, 1980], as Section 7 of [Giunchiglia et al., 2004] shows, and it is partly their scope for a
highly nuanced representation of default behaviour which brings causal theories close to (+. It
will be seen that (+ action descriptions correspond to families of certain forms of causal theories;
but this correspondence does not use the full expressivity of causal theories.
In causal theories we start, as with (+, with a multi-valued propositional signature . In
the language of causal theories, however, there is no distinction between uent constants and
action constantsmembers of are undierentiated. Formulas are built up from atoms c=v using
standard propositional connectives, again including and as connectives of zero arity.
A causal rule is an expression of the form
F G,
where F and G are formulas of the underlying, multi-valued propositional signature. Such expres-
sions are related to the (almost) natural language statement if G, then the fact that F is caused;
perhaps they could better be paraphrased as if G, then there is a reason for F to be true (and F
is true). A causal theory is a set of causal rules.
Now let be a causal theory, and take X to be an interpretation of its underlying propositional
signature. The reduct of with respect to X is dened as

X
= F [ F G and X [= G.
X is a model of the causal theory , written X [=
C
, if X is the unique model of
X
. (This
uniqueness constraint is related to the role of singletons in Denition 4.)
For an illustration of the preceding denitions, consider the causal theory T
1
, with underlying
Boolean signature p, q:
p q
q q
q q
8
There are clearly four possible interpretations of the signature:
X
1
: p t, q t
X
2
: p t, q f
X
3
: p f , q t
X
4
: p f , q f
and it is clear that
T
X
1
1
= p, q whose only model is X
1
T
X
2
1
= q which has two models
T
X
3
1
= p, q whose only model is X
1
,= X
3
T
X
4
1
= q which has two models
In only one of these casesthat of X
1
is it true that the reduct of the causal theory with respect
to the interpretation has that interpretation as its unique model. Thus X
1
[=
C
T
1
and X
1
is the
only model of T
1
.
See [Sergot and Craven, 2005b] (or its expanded version [Sergot and Craven, 2005a]) for logical
properties of causal theories, and relations to modal logic. Also see [Erdogan and Lifschitz, 2006].
2.4 Action Descriptions to Causal Theories
Action descriptions of (+ can be seen as shorthand for families of causal theories. The index set
is the non-negative integers, which represents the time for which the system runs.
Thus to every action description D of (+with signature and non-negative integer t, there
corresponds a causal theory
D
t
. The signature of
D
t
contains the constants c[i],
1
such that
i 0, . . . , t and c
f
, or
i 0, . . . , t 1 and c
a
,
and the domains of such constants c[i] are kept identical to those of their constituents c in the
signature of the action description. Where is the signature of the (+ action description D,
we will let
m
denote the signature of the causal theory
D
m
. The expression F[i], where F is a
formula, denotes the result of inserting [i] after every occurrence of a constant in F. The causal
rules of
D
t
are:
F[i] F

[i],
for every static law F if F

in D and every i 0, . . . , t;
A[i] G

[i],
and for every action dynamic law A if G in D and every i 0, . . . , t 1;
F[i + 1] G[i],
for every uent dynamic law F after G in D and every i 0, . . . , t 1;
c[i + 1]=v c[i + 1]=v c[i]=v
for every simple uent constant c, v dom(c) and i 0, . . . , t 1;
a[i]=v a[i]=v
1
These are written as i : k in [Giunchiglia et al., 2004]; we nd the current notation easier to read.
9
for every action constant a, v dom(a), and i 0, . . . , t 1; and
c[0]=v c[0]=v,
for every simple uent constant c and v dom(c).
We have already dened the labelled transition systems which are determined by (+ action
descriptions, in a way which did not depend at all on the formalism of causal theories. The same
transition systems can be dened much more succinctly using causal theories, however, and it is
often much more easy when trying to imagine the systems dened by action descriptions, to think
in terms of the causal-theoretic denitions rather than those given in Section 2.2. In the current
context we will identify interpretations of the underlying propositional signature of D with the
sets of atoms they satisfy. Where i is a non-negative integer and s an interpretation, we can write
s[i] for the result of suxing [i] to every constant of an atom made true by the interpretation (in
symbols, c[i]=v [ s [= c=v).
We trespass on our previous denitions:
Denition 6 Let D be an action description of (+, with signature .
A state is any s I(
f
), such that s[0] [=
C

D
0
;
a transition is any triple (s, e, s

) I(
f
) I(
a
) I(
f
) such that
s[0] e[0] s

[1] [=
C

D
1
.

According to this denition, the component S of the labelled transition systems dened by (+
action descriptions is the set
s [ s I(
f
), s[0] [=
D
0
;
the set of labels L is I(
a
) as before; and the set of edges is the set
(s, e, s

) [ s, s

I(
f
), e I(
a
), s[0] e[0] s

[1] [=
D
1
.
Theorem 7 Let D be an action description. Then for any transition (s, e, s

), s

is a state, where
transitions and states are both dened according to Denition 6.
Proof: This is Proposition 7 of [Giunchiglia et al., 2004].
We now have two alternative denitions for the labelled transition systems dened by our
action descriptions. The following theorem shows they coincide.
Theorem 8 Let D be an action description of (+, with signature . Then:
(i) s is a state of D according to Denition 3 i s is a state of D according to Denition 6;
(ii) (s, e, s

) is a transition of D according to Denition 4 i (s, e, s

) is a transition of D according
to Denition 6.
In other words, Denitions 3, 4 and 6 coincide.
Proof: This is essentially Theorem 9 of [Sergot, 2004].
Let
D
t
be the causal theory generated from the action description D and non-negative integer
t as described above. Let s
0
, . . . , s
t
be interpretations of
f
and e
0
, . . . , e
t1
be interpretations of

a
. Then using the notation above, we can represent interpretations of the signature of
D
t
in the
form
s
0
[0] e
0
[0] s
1
[1] e
1
[1] e
t1
[t 1] s
t
[t] (5)
The following result holds.
10
Theorem 9 An interpretation of the signature of
D
t
is a model of
D
t
i each triple (s
i
, e
i
, s
i+1
),
for 0 i < t, is a transition.
Proof: Proposition 8 of [Giunchiglia et al., 2004].
Let D be an action description of (+. A run of length t through this transition system is dened
to be a sequence
(s
0
, e
0
, s
1
, e
1
, . . . , e
t1
, s
t
) (6)
such that all triples (s
i
, e
i
, s
i+1
), for 0 i < t, are members of the transition system.
Theorem 10 Let D be an action description and t any non-negative integer. Then the sequence
(6) is a run of the transition system i the interpretation (5) is a model of the causal theory
D
t
.
Proof: First, assume we have a run of the transition system of length t. Then every triple
(s
i
, e
i
, s
i+1
), for 0 i < t, is a transition, and so by Theorem 9 the interpretation (5) is a model
of
D
t
.
Alternately, suppose that (5) is a model of the causal theory
D
t
, Then clearly, each triple
(s
i
, e
i
, s
i+1
), for 0 i < t, is a transition, and so the sequence (6) is a run of the transition
system dened by D.
2.5 Deniteness and Completion
A causal theory is said to be denite when:
the head of every causal rule is either an atom or , and
no atom is the head of innitely many causal rules.
Clearly this denition is related to that of the deniteness of an action description of (+, given
in Section 2.1. Indeed, it turns out that when an action description D is denite, then the causal
theories
D
t
, for 0 t, are also denite.
Models of a denite causal theory can be found by rst completing the causal theory, trans-
forming it to a set of formulas of propositional logic. The models of the propositional logic formulas
are the same as the models of the causal theory. (This process is structurally similar to what hap-
pens in the Clark completion used in the semantics of logic programs [Clark, 1978]though the
Clark completion is used to dene a kind of semantics; we make no reference to completion in the
denition of models.) Once the completion of the causal theory has been found, the models of the
resulting propositional theory can
The latter problem can be shipped out to a propositional satisfaction solver. So, in the light
of Theorem 10, we have a means of nding runs of length t 0 through the transition system
dened by a denite action description of (+.
Let be a denite causal theory, of which we wish to nd the completion, and let have
signature . An atom c=v of is said to be trivial when dom(c) = v: in this case any
interpretation of must assign to c the value v. (We also call the constant c trivial in this case.)
We let Trivial() be the set of atoms c=v of such that c is trivial. For each non-trivial atom
c=v of , the completion formula is:
c=v G
1
G
n
,
where
c=v G
1
, . . . , c=v G
n
are all the rules in with head c=v. The completion of is the set of all completion formulas of
all non-trivial atoms in , together with all formulas F for each rule
F
11
in . We let comp() be the completion of ; this is:
c=v G
1
G
n
[ c=v Trivial(), G(c=v G i(0 i n G = G
i
))
F [ F
Theorem 11 The models of a denite causal theory are precisely those of its completion.
Proof: Proposition 6 of [Giunchiglia et al., 2004].
3 Basic formalism
We rst cover the case of a centralized set of policies: where a single set of policies holds for the
entire agent society or distributed system. There may beindeed, in all examples, there will be
dierent agents, but they are all subject to the same set of policies. Later sections will consider
the case where these multiple agents are subject to dierent policy sets.
3.1 Signature
In this section we add more structure to the signatures of (+ that we will use in representing
policies. The language presented here will later be further enriched to accommodate named sets
of policies, and expressions for dening an algebra over such named policies; for the moment, we
keep to the essentials.
Sets, may be empty, except where stated to be otherwise. Let Ag be a non-empty set of agents;
this set will normally be written ag
1
, . . . , ag
n
. For each ag
i
Ag, there is a set of multi-valued
uents, u
i
. We dene, for each i such that 1 i n, a set Flu
i
= ag
i
:f [ f u
i
of uent
constants; each member ag
i
:f has the same domain as its component f. There is also a set Flu of
multi-valued uent constants which can be considered to represent properties of the environment,
which is not an agent. The set Fluents = FluFlu
1
Flu
n
includes all uent constants. We use
letters f to refer both to members of u
i
and Fluents. For each f Fluents there is a non-empty
set dom(f), the domain of f. If a uent constant f has domain t, f, it is Boolean. If f Fluents
and v dom(f), the expression f=v is known as a uent atom. For a Boolean uent constant c,
we usually abbreviate c=t to c, and c=f to c (c is therefore an atom). Some members of Fluents
are simple uent constants, and some are statically determined uent constants; we often refer to
members of Flu or Flu
i
, or u
i
as simple or statically determined if the members of Fluents they
give rise to are simple or statically determined.
Sub Ag is the set of subjects, Tar Ag is the set of targets; these need not be disjoint, but
Sub must be non-empty. There is also a set Act of actions. The function subjects : Act (Sub)
gives, for each action, the set of subjects that can perform itthe subjects that have the capacity
or ability, not those who are permitted. Analgously, targets : Act (Tar
tar
) gives the set of
possible targets. (We allow the possibility that it may be easier to model some actions as not having
a target: this is the role of
tar
.) For act Act, if sub subjects(act) and tar targets(act), then
sub:act:tar is a Boolean action constantwe often call these simply actions, where that does not
lead to confusion with the members of Act. These actions sub:act:tar are the equivalent of what is
often represented, in work on policies, as done(X), where X is some appropriate access or action in
the system being modelled. Where tar is
tar
, then sub:act:tar may be abbreviated to sub:act. The
set of all these is Actions: this is, to stress the point, a set of Boolean action constants.
2
Actions is
partitioned into two sets Actions
eca
and Actions
reg
; this will be of relevance later in the discussion
of obligationswe do not explain it more here. There is also a set Events of events, constants
which represent events in the system being modelled which are not controlled by policies. The
2
It is entirely possible to use multi-valued action constants instead, with a (very minor) complication of syntax.
However, in this case, defaults for which values the members of Actions taketo deal with the case where there are
no requests for that member, or all requests are deniedneed to be stated explicitly in the action description. In
the current version of the language, we assume that the negations of members Sub:Act:Tar of Actions are true by
default: which can be glossed as an assumption that actions not requested, by default do not happen.
12
members of Events are multi-valued (+ action constants. We let Happenings = Actions Events.
As have uent constants, each member a Happenings has a non-empty domain dom(a), and
the same conventions are observed for happening constants as for uent constants; there are
therefore happening atoms. The set Fluents Happenings is known as that of system constants,
and abbreviated to Sys.
The constants introduced so far are enough to represent domains in which subjects perform
actions on targets, these have certain eects on the subjects and targets and environment, and
events in the environment play their part. However, where we are modelling the eects of policies
on systems (which will be our objective in the present section), then additional constants are used,
to represent the policies and the way they interact with the subjects and targets.
All new policy constants we will add are Boolean action constants. First, for all Sub:Act:Tar
Actions, there are action constants permitted(Sub:Act:Tar) and denied(Sub:Act:Tar); if we have
Sub:Act:Tar Actions
eca
, then we will also add action constants obligation(Sub:Act:Tar). These
three types of constants are used in the specication of positive and negative authorization
policies, and obligation policies. Secondly, to represent the fullment and violation of obliga-
tions, we have for each Sub:Act:Tar Actions
eca
a constant fullled(Sub:Act:Tar) and a constant
violated(Sub:Act:Tar). Thirdly, for all Sub:Act:Tar, a constant [Sub requests Act on Tar], which
represents that Sub has sent a request to the policy enforcement point (PEP) or reference manager
to perform Act on Tar. We let the set of all [Sub requests Act on Tar] constants be Requests.
Fourthly, again for all Sub:Act:Tar Actions, there is a constant [Sub:Act:Tar is allowed], which
is used to mean that a request to the PEP from Sub to perform Act on Tar is granted. Let the set
of all these new constants be Pol. We refer to the members of Sys and Pol collectively as constants.
As (+ is our base language, we make it clear that using the notation normally employed for
(+ action descriptions,
f
= Fluents and
a
= Happenings Pol. Signatures of our language are
given by =
f

a
, as usually for (+.
3.2 System Models
In order to model the eects of actions on state variables and properties of systems, we write laws
of (+. The system representations are kept, as far as possible, distinct from the representations
of policies. For a signature (as given in Section 3.1), a system description is dened to be
an action description of the restricted version of (+ dened in Section 2, using as its signature
only
s
= Fluents Happenings: the policy action constants Pol are therefore excluded. System
descriptions are action descriptions of (+, with a little additional structuring of the underlying
signatures.
System descriptions, by themselves, represent domains in which there is no policy apparatus
in place to control the performance of actions. Accordingly, there is no gap between the request
for an action and that actions performance, and any action immediately produces its eects as
described in the causal laws of the action description.
For example, consider a very simple system, in which two user accounts left and right can read
a le le; when an account x reads the le, x:hasRead(le) becomes true. The system description,
A
S
1
, can be represented as in Table 1. Its transition system is shown in Figure 2. In the gure, we
have abbreviated uents left:hasRead(le) and right:hasRead(le) by l:hr and r:hr, and abbreviated
the actions (left:read:le) and (right:read:le) by l and r, all for the sake of readability.
It is often useful to have a logically separable representation of the way a system evolves, as
this enables one to reason more easily about the sets of conguration states the system supports.
Adding policies, and the representation of how they are implemented and enforced, does not aect
the set of possible states the system can be in, but only the transitions between those states, and
thus the possible histories of the system (where histories are conceived as runs through the resultant
labelled transition system). Thus if a reasoning task requires the ability to look merely at state
properties, then doing so on the bare system description and the transition system it denes could
be more clear. Further, bare system descriptions of the sort depicted in Figure 2 provide a starting
point for the design of policies: in they can be viewed as showing the most permissive policy
(without explicitly having the policy action constants), which allows every action requested, and
13
Sub = left, right
Act = read
Tar = le
Fluents = Ag:hasRead(le) [ Ag Sub
Actions = (Ag:read:le) [ Ag Sub
Events =
System Laws: Ag:hasRead(le) after (Ag:read:le) (Ag Sub)
inertial F (F Fluents)
exogenous A (A Actions)
Table 1: Simple action description A
S
1
l:hr,
r:hr
l:hr,
r:hr
l:hr,
r:hr
l:hr,
r:hr
r
l
l, r
r
l
l, r
r
l
l, r
l
r l, r
Figure 2: Transition system for system description A
S
1
.
permits requests at any time. Policy design then amounts to identifying the transitions considered
undesirable, and writing policies to exclude them.
3
3.3 Policies
Policies govern a system, consisting of the subjects and targets referred to in the policy, other
objects, and the properties of all. The properties of the system vary over time, as a consequence
both of the actions that are performed according to policies, and events occuring which do not
3
This idea is used later, when norms are brought in and their relations to policies studied.
14
fall within the policys scope. These system properties themselves determine the applicability of
a policy in a given state. Policies partially determine the way the system behaves: a request by a
subject to perform an action will be allowed or denied depending on what the authorization policies
imply, and thus certain system transitions are made possible, others not, by the authorization
policy being used. Obligation policies trigger requests for actions under stated conditions.
In order to represent the operation of policies, we try and stay close, in the structure of our
action descriptions, to the nature of the policy architecture we presuppose. This will perhaps come
more to the fore in Section 4, where we consider policy composition and enrich our language for
it, but the eects of staying close to policy architecture are felt here too.
A positive authorization rule has the form
permitted(Sub:Act:Tar) if G (7)
where Sub:Act:Tar Actions and G is a formula. The meaning is that where G is true, then Sub
is permitted, according to the policy, to perform Act on Tar. In the case where G is a conjunction
A F, with A a happening formula and F a uent formula, then the meaning is that if F is true
in a state, and the actions and events A occur, then Sub:Act:Tar is permitted. If G is , then the
rule may be written simply as
permitted(Sub:Act:Tar)
A negative authorization rule has the form
denied(Sub:Act:Tar) if G (8)
In other respects, the same things are true of negative as of positive authorization rules. Such
rules are intended to mean that when G is true, then the action Sub:Act:Tar is explicitly denied
by the policy.
An obligation rule has the form
obligation(Sub:Act:Tar) if G (9)
Conditions on abbreviations are as before; the meaning is, of course, that if F is true in a state
and A occur, then Sub:Act:Tar is obligatory: Sub must perform Act on Tar.
A set of positive authorization rules is a positive authorization policy; a set of negative autho-
rization rules is a negative authorization policy; a set of obligation rules is an obligation policy. If
a set has both positive and negative authorization rules, it is an authorization policy. A policy can
contain all three types of rule. Where confusion is unlikely to result, a single rule is also sometimes
referred to as a policy.
Policies are of little interest to us without an underlying description of the system they govern;
we therefore join policies to the system descriptions presented in the previous section. In doing
this, the assumption we made for system descriptions, that actions can be performed in any state
that the system supports them in, regardless of any other controls, must be abandoned: it is
precisely the function of a policy to provide additional control over the behaviour of the system.
This means that the relationship between actions, requests for actions, and the eects of
actions must be represented. We introduce the action constants [Sub:Act:Tar is allowed] and
[Sub requests Act on Tar], for all Sub:Act:Tar Actions, for this purpose. We also alter the
nature of system descriptions when they are yoked to policies: in action constraints A if G,
A may no longer contain members of Actions; it may contain, however, constants of the form
[Sub requests Act on Tar]and A may still contain members of Events. The removal of members
of Actions signals that whether or not an action, having form Sub:Act:Tar, is to be performed,
will now depend on the policy point; the allowance of [Sub requests Act on Tar] constants in the
heads of action constraints signals that whether or not a request for an action is made will not
depend directly on the policy system.
4
4
In some policy systems, such as Ponder2 [Damianou et al., 2001], making a request must also be allowed by a
policy. We could model such complication hereit is quite straightforwardbut have chosen not to.
15
Policies need one other kind of rule, aside from the authorization and obligation rules we have
introduced so far. This is to express the interface between PDP and PEP, and for this we use the
action constants [Sub:Act:Tar is allowed]. A policy description is a policy supplemented with a
set of allowance rules, which are action constraints of the form
[Sub:Act:Tar is allowed] if F (10)
where F conjoins atoms of constants permitted(Sub:Act:Tar) and denied(Sub:Act:Tar). For exam-
ple, a specic allowance rule might be
[Sub:Act:Tar is allowed] if permitted(Sub:Act:Tar) denied(Sub:Act:Tar)
The eect of this will be to allow any requests for an action Sub:Act:Tar that are both permitted
and not denied by the policy. When the semantics of policy descriptions is given, it will also be
clear that the logic of the system is such that the law
(Sub:Act:Tar) if [Sub:Act:Tar is allowed] [Sub requests Act on Tar] (11)
is implied. However, we do not include this explicitly in policies.
So far, we have been considering only the relationship of authorizations to the system; obliga-
tions are treated somewhat dierently. We believe that there two principle ways of using obligations
in policies. The rst is as statements of event-condition-action (ECA) rules, and the second is
as the cue for a monitoring system that takes action in response to the obligations fullment or
violation. In the rst case, we suppose the way the policy system enforces the obligation is by
triggering a request for the action; this request must then be authorized in just the same way as
an unprompted request by a subject within the system. In the second case, the action itself is
not prompted by the policy system, but depends on a request by a subject. However, laws can be
written that express the response to the violation or fullment of the obligation.
To allow for this in our policy descriptions, we do two things. The rst is to make a division,
in our signatures, between those actions which may be within the scope of an ECA rule, and
those which, when they are the subject of obligations, may only be monitored (the division does
not aect the expression of authorization policies). The intuition here is that some actions are
within the control of the policy system, and others are not, and may merely be monitored, with
the policy system taking action in response to the obligations status. This is the prupose of the
partioning of our set Actions as Actions
eca
Actions
reg
, where Actions
eca
and Actions
reg
are disjoint.
The semantics of our policy descriptions will be such that for all Sub:Act:Tar Actions
eca
, it is as
though the action constraint
[Sub requests Act on Tar] if obligation(Sub:Act:Tar) (12)
were present in the system description.
To model the fullment and violation of obligations, we have the following laws, whose presence
is felt semantically, but which are not included explicitly:
fullled(Sub:Act:Tar) if obligation(Sub:Act:Tar) (Sub:Act:Tar) (13)
violated(Sub:Act:Tar) if obligation(Sub:Act:Tar) (Sub:Act:Tar) (14)
For a Sub:Act:Tar Actions
reg
, the usual procedure will be to include obligation policies that
respond to its violation and fullment, where the obligation policy refers to actions Sub:Act:Tar
Actions
eca
. For instance, suppose there is an obligation on a user to release a lock on a password le
if there is an emergency status, but that the system cannot control whether the user does this or
not. If the user does not release the lock, the system will impose a punishment by putting the users
home directory into a red category. This can be represented as follows (we use abbreviations of
16
Boolean constants):
obligation(U:release:F) if U:isUser F:leType(passwd) F:hasLock=U emergency
obligation(system:putCat(red):D) if violated(U:release:F) U:isUser F:leType(passwd) (15)
F:hasLock=U emergency U:homeDir=D
permitted(system:putCat(red):D) if U:isUser U:homeDir=D (16)
[Sub:Act:Tar is allowed] if permitted(Sub:Act:Tar)
F:hasLock=f after (U:release:F)
D:hasCat(red) after (Sub:putCat(red):D)
The rst four laws are policies; the fth states that when a user releases the lock on a le, this
causes the user no longer to have the lock; the sixth states that a users home directory is put into
a red category when the system assigns it to that category. emergency is a member of Events.
Where U is the name of an account, and F a lename, we suppose (U:release:F) Actions
reg
,
but that (system:Act:Tar) Actions
eca
, for all Act and Tar such that (system:Act:Tar) Actions.
If, in a given state s, some user has a lock on a password le and an emergency is declared,
then that user is obliged to release the lockso that all transitions (s, e, s

) from s have e [=
obligation(U:release:F). Whether or not the user makes the release will depend on two things: a
requests being made, and that requests being authorized, by an authorization policy also present
(obligations do not automatically include the authorization to satisfy them). Let us suppose the
user does not full the obligation: it is violated, and so e [= violated(U:release:F). In that case,
the other obligation is activated: that the system should put the users home directory in the
red category. Across the same transition (s, e, s

), we therefore have for Us directory D, that

e [= obligation(system:putCat(red):D). As this action is a member of Actions
eca
, the law
[system requests putCat(red) on D] if obligation(system:putCat(red):D)
will be present, and a request for change in categories will automatically be red, in the manner
of ECA rules, so that e [= [system requests putCat(red) on D]. Whether the change in categories
is made then depends on the presence of an authorization policy allowing it; in our case, we have
such a policy (16). The semantics therefore means that in the successor state s

in the transition
(s, e, s

), we must have s

[= D:hasCat(red).
Note that, as system:Act:Tar) Actions
eca
, and emergency Events, the second policy (15)
has a structure that corresponds directly to the ECA rule (in a stereotypical syntax):
On : emergency
If : U:isUser F:leType(passwd) F:hasLock=U
violated(U:release:F) U:homeDir=U
Do : (system:putCat(red)):D)
In the domain being modelled, the sequence of events described above is shown in Figure 3.
The two states between which the system moves, s and s

, are shown at either end of a sequence

of actions and events. In our model, this sequence is compressed, and modelled as occurring over
a single transition in the labelled transition system dened by the policy description. This greater
abstraction and concision in the graphical depiction of systems does not alter the logic of policy
decisions or the eects of actions.
It is worth stressing again that a policy decisiona positive or negative authorization, or an
obligationin a given state can depend on the other actions that are performed in that state.
This is somewhat unusual. For example, consider a computer system where two user accounts
exist, left and right. Files (to keep it simple, we suppose there is just one, le) may be accessed at
a given time by one or other user, but not simultaneously by both. This can be expressed in the
action description shown in Table 2, the transition system for which is shown in Figure 4. Certain
abbreviations have been made when representing elements of the signature: left and right are l
17
s

s
U:isUser
F:leType(passwd)
F:hasLock=U
U:homeDir=D
D:hasCat(red)
emergency obl(U:release:F) (U:release:F) violated(U:release:F)
obl(system:putCat(red):D)
[system: requests putCat(red) on D]
perm(system:putCat(red):D)
[system:putCat(red):D is allowed]
(system:putCat(red):D)
U:isUser
F:leType(passwd)
F:hasLock=U
U:homeDir=U
D:hasCat(red)
Figure 3: Domain ow diagram for release lock example
Sub = left, right
Act = read
Tar = le
Fluents = Ag:hasRead(le) [ Ag Sub
System Laws: Ag:hasRead(le) after (Ag:read:le) (Ag Sub)
inertial F (F Fluents)
Policies: permitted(Ag:read:le) if (Ag

:read:le) (Ag, Ag

Sub : Ag ,= Ag

)
[Sub:Act:Tar is allowed] if permitted(Sub:Act:Tar) [Sub requests Act on Tar]
Table 2: Simple policy description A
1
for our language
and r; le has been removed, as there is only one such le; read has also been removed, as it is the
only act; requests by left to perform a read on le are depicted as l:reqand similarly for the other
policy-related actions and the other agent. Note that we have not yet described how to generate
the sort of transition systems depicted in Figure 4; that will be shown soon.
Policy description A
1
in eect exhibits a kind of circular dependency in the logic of its policy:
for left to be permitted, right must not be doing; right does if it is allowed; right is allowed if it is
permitted; it is permitted if left does not do; left does if it is permitted. It is a particular feature
of the semantics of (+ and of the semantics of the causal theories on which (+ depends, that such
circular dependencies in causal laws can exist without removing the possibility of nding models
for them. This fact enables us to write policies that have much more direct circular dependencies:
a policy that permits Romulus to go to Rome if Remus is not permitted to go to Rome, and
permits Remus to go to Rome if Romulus is not permitted, is easy to support. In many policy
languages, and evaluation frameworks, policies that have such cycles through negation cannot be
18
l:hr,
r:hr
l:hr,
r:hr
l:hr,
r:hr
l:hr,
r:hr
l:perm,
r:perm
r:req, r:perm
r:allow, r
l:req, r:req
r:perm, r:allow, r
l:req, l:perm
l:allow, l
l:req, r:req
l:perm, l:allow, l
l:perm,
r:perm
l:req, l:perm
l:allow, l
l:perm,
r:perm
r:req, r:perm
r:allow, r
l:perm,
r:perm
r:req, r:perm
r:allow, r
l:req, r:req
r:perm, r:allow, r
l:req, l:perm
l:allow, l
r:req, l:req
l:perm, l:allow, l
l:req, r:req, r:perm
r:allow, r
r:req.r:perm
r:allow, r
r:req, l:req
l:perm, l:allow, l
l:req.l:perm
l:allow, l
Figure 4: Transition system for action description in Table 2
supported, and result in failure.
In many treatments of deontic logic, there is a close relationship between permission and
obligation; one is frequently dened in terms of the other, so that an obligation to do a is dened
as the lack of permission to do aor a permission to do a as the lack of an obligation to do
a. Research on norm-governed systems of agents, drawing as it does more on deontic logic as
a branch of modal logic, has often inherited this relationship. In research into the policy-based
management of distributed systems, in contrast, the modalities are usually more separate. This
is partly because of the particular operational focus of that work. Authorization policies then
guide whether or not a request results in the execution of an action. Obligation policies can be
understood as event-condition-action rules, in the presence and applicability of which an action
is automatically attempted. (Alternatively, obligations can be seen as conditions attached to the
award of authorizations.) Where obligations are interpreted as event-condition-action rules, it may
be necessary for the action that is red to have an associated permission.
In the current paper, the modalities are also kept distinctwe do not follow the tradition of
deontic logic that strongly relates them. We take them to be similar to event-condition-action
rules, in that where the body of an obligation policy rule is true, this automatically res a request
for the action referred to in the head to be performed.
3.4 Semantics for policy descriptions
The semantics for policy descriptions is given in terms of labelled transition systems. This can
be done directly, by dening how to each policy action description a labelled transition system
corresponds, or indirectly, by showing how to translate policy action descriptions of our language
into (+ proper, and then noting that, of course, every action description of (+ denes a labelled
transition system. Theorems then demonstrate that the transition systems dened by the indirect
and the direct methods are the same.
We rst show how to construct labelled transition systems for our policy descriptions.
19
Recall that for policy descriptions P with signature ,
=
f

a

f
= Fluents

a
= Happenings Pol
a
Happenings = Actions Events
We need a preliminary denition, for a modied version A

(s, e) of A(s, e) rst found in Deni-

tion 2.
Denition 12 Let P be a policy description, with signature . Then
A

P
(s, e) =
A
P
(s, e)
c=f [ c Actions, e [= c=f
c=v [ c Requests, v dom(c), e [= c=v
(Sub:Act:Tar) [ e [= [Sub:Act:Tar is allowed] [Sub requests Act on Tar]
(Sub:Act:Tar)=f [ e ,[= [Sub:Act:Tar is allowed] [Sub requests Act on Tar]
[Sub requests Act on Tar] [ e [= obligation(Sub:Act:Tar) Sub:Act:Tar Actions
eca

[Sub requests Act on Tar]=f [ e ,[= obligation(Sub:Act:Tar) Sub:Act:Tar Actions

eca

fullled(Sub:Act:Tar) [ e [= obligation(Sub:Act:Tar) Sub:Act:Tar

fullled(Sub:Act:Tar)=f [ e ,[= obligation(Sub:Act:Tar) Sub:Act:Tar
violated(Sub:Act:Tar) [ e [= obligation(Sub:Act:Tar) Sub:Act:Tar
violated(Sub:Act:Tar)=f [ e ,[= obligation(Sub:Act:Tar) Sub:Act:Tar
This provides the set of action constants that are caused to be true over the transition (s, e, s

).
We can now dene the labelled transitions formed from policy descriptions.
Denition 13 Let P be a policy description with signature . The labelled transition system
dened by P is a triple (S, L, R). S, the set of states, is given as in Denition 3: it is the set of
interpretations s of Fluents (i.e.,
f
) such that
s = s

I(
f
) [ s

[= T
static
(s) Simple(s).
L, the set of labels, is simply I(
a
), the set of interpretations of the action constantsincluding the
policy constants. Finally, R is the set of transitions (s, e, s

), where we dene this anew. (s, e, s

)
is a transition of P i s is a state, and
e = e

I(
a
) [ e

[= A

P
(s, e);
s

= s

I(
f
) [ s

[= T
static
(s

) E(s, e, s

).
As well as this direct semantics for policy descriptions, which shows how labelled transition
systems are dened by sets of policies and causal laws, it is possible to translate policy descriptions
into (+ action descriptions. This makes it possible to use existing implementations that calculate
models of (+ action descriptions, such as iCCalc, to work with our policy descriptions, and
answer queries about them.
Denition 14 Let P be a policy description with signature . The corresponding (+ action
description D
P
has the same signature as P, and all its causal laws. It also has the additional
laws:
exogenous [Sub requests Act on Tar]
20
for all Sub:Act:Tar Actions;
default (Sub:Act:Tar)
default permitted(Sub:Act:Tar)
default denied(Sub:Act:Tar)
default obligation(Sub:Act:Tar)
default fullled(Sub:Act:Tar)
default violated(Sub:Act:Tar)
default [Sub:Act:Tar is allowed]
for all Sub:Act:Tar Actions;
(Sub:Act:Tar) if [Sub:Act:Tar is allowed] [Sub requests Act on Tar]
fullled(Sub:Act:Tar) if obligation(Sub:Act:Tar) (Sub:Act:Tar)
violated(Sub:Act:Tar) if obligation(Sub:Act:Tar) (Sub:Act:Tar)
for all Sub:Act:Tar Actions; and
[Sub requests Act on Tar] if obligation(Sub:Act:Tar)
for all Sub:Act:Tar Actions
eca
.
This denition corresponds closely to the augmentations of the set A
P
(s, e) introduced in Deni-
tion 12. The following proposition shows that the direct labelled transition system semantics of
that denition match those determined by the (+ translation given above.
Proposition 15 Let P be a policy description, with signature . The labelled transition system
dened by P according to Denition 13 is the same as the labelled transition system dened by
the (+ action description D
P
, where D
P
is as given in Denition 14.
Proof: Let (S
P
, L
P
, R
P
) and (S
D
P
, L
D
P
, R
D
P
) be the two transition systems. We clearly have
S
P
= S
D
P
and L
P
= L
D
P
; we need to check whether the transitions are the same. We need to
show that for all (s, e, s

), A

P
(s, e) = A
D
P
(s, e). First, we show A

P
(s, e) A
D
P
(s, e). Clearly
A
P
(s, e) A
D
P
(s, e), so assume c=v is in one of the additional sets added in A

P
(s, e), i.e. c=v
is in A

P
(s, e) A
D
P
(s, e). A case analysis based on the additional laws of D
P
and the sets of
A

P
(s, e) A
D
P
(s, e) then shows that c=v A
D
P
(s, e). The proof in the other direction proceeds
similarly.
4 Policy composition
Thus far, we have grouped authorization and obligation rules together into a single set, conceived
of as existing at a single, centralized policy point. The set of policies has no internal structure.
Many common policy frameworks, however, allow multiple set of rules, the decisions of which
are combined in reaching an overall decision for the family of sets. The ways in which the sub-
decisions are combined can either be user-dened, or are xed by the specic framework being used
to evaluate the policies. XACML, for example, has a small number of simple policy combination
rules, which can state whether a deny overrides a permit. Another way of putting this is to say
that the positive authorization rules form a set P
+
, the negative rules form P

, and P

always
takes precedence over P
+
. In our previous work [Craven et al., 2009], we allowed such precedence
rules to be much more context-dependentwith a rich notion of context embracing policy and
system history, constraints, and properties of subjects, actions and targetsbut without making
any kind of logical separation of policies into dierent sets.
Recent work on policy composition has taken an algebraic approach, allowing names for sets
of policies in a policy language, and composition operators for their combination. We have been
21
particularly interested in the papers [Bruns et al., 2007], [Bruns and Huth, 2008], [Ni et al., 2009]
and [Li et al., 2009]. The semantics of policy composition is greatly claried in this research, and
we wish to make use of it, in several ways, here. The main dierence between the approaches
of the rst two papers, from one set of authors, and the second two papers, from another, is in
the multiplicity of policy decisions their frameworks allow, and the resultant expressivity of the
languages. In the rst two papers, a four-valued logic, that of [Belnap, 1977], is used to express
policy evaluations. A decision is a member of the set p, d, u, c,
5
where p represents a permitted
access, d a denial, u an undened decision (neither p or d), and c a conict (both p and d). The
value u, can be taken to apply in several dierent situations: rst, where there is no rule in a
given policy set that applies to a request, and secondly, if there is an error in the evaluation of a
condition of a policy, so that it is unknown what the decision would be. The value c is used to
expression the result of using both of two sub-policies, one of which evaluates an access request to
p and the other to d.
That the u value serves this dual purpose just mentioned is one of the motivations behind the
work of the two related papers [Ni et al., 2009] and [Li et al., 2009]; they enrich the values of the
policy logic in slightly dierent, though related ways. They use non-singleton, non-empty subsets
of policy evaluation values for representing indeterminacy resulting from errors in the results of a
policy evaluation. The underlying policy values of [Li et al., 2009] are p, d, n/a and in. However,
policy evaluations in the algebra are formed of subsets of these values. With respect to a given
policy, p represents an access request which is permitted by that policy, d an access that is
denied, and n/a a request to which the policy is not applicable. We will discuss in in a moment.
A value such as p, n/a is used by the authors in the presence of an evaluation error during a
request. For example, if a policy p
1
has only the rule
permitted(Sub:read:F) if Sub:isUser F:leType(passwd)
then if the database holding information about which groups Sub belongs to is corrupt, or in-
accessible owing to network problems, at the time of the request of some specic Sub, then the
PDP does not know whether Sub:isUser is true or not. This means that the PDP does not know
whether the rule is inapplicable (n/a), or would grant access (p). The uncertainty, a consequence
of error, can be modelled as the value p, n/a. The set d, n/a represents the analagous situation
for a negative authorization rule.
Algebraic operators on policies are dened by pointwise extension of operators over the values;
for instance, if a policy p
1
evaluates an access request [Sub requests Act on Tar] to p, and
p
2
evaluates it to d, then a deny overrides policy combination would evaluate to d, whereas
a permit overrides would evaluate to p. In some situations, however, it is desirable that
conict between two such sub-policies p
1
and p
2
should not be removed on combination. This is
particularly the case when the policy combining them is not the top level of policy in the PDP,
whose values are used by the PEP in deciding whether to grant an access. Where one wishes to
retain a representation of conict, the value in can be used; this is one of its functions. The
other is in the case where a policy evaluation error has occured in a policy p (such as p, n/a),
but one does not wish to expose the occurrence of this error to a policy r dened using p. In such
a case, it would be possible to dene an intermediate policy q, which takes an such error value of
p and transforms it to in.
The value is used where there are no policy rules in a policy; this is distinguished from
n/a, in which policy rules exist but none is applicable. The values not mentionedp, d, in,
for instanceare used when combinations are made of policies whose evaluations are uncertain,
propagating and adding to the uncertainty.
It is clear that, if one were to use the value in only in the rst of the two functions assigned
to it in [Li et al., 2009]that of representing conictand use p, d, n/a and in as the values for
policies rather than the subsets of them, then the result would be in all essentials the same as
the approach, based on Belnap logic, of [Bruns et al., 2007]. We therefore see the main expressive
dierence between the two approaches as being whether or not they allow the explicit depiction
5
We use p for permit, instead of their g for grant.
22
of failures and errors in the evaluation process. Which policy composition framework we should
adopt will then depend on whether such errors are ones we want to represent, and reason about,
during policy analysis and renement. In the current work, we are interested in such errors
only when they spring from policy-related processes. For example, if policies are distributed
between dierent organizations, and the information relevant to policy evaluation spread between
dierent sites, then if an organization denies access to retrieve a given credential, this is something
we would wish to model. A communications failure in contacting the distant site, though it
does aect policy decisions, is not itself policy-based, and we would not wish to model it. This
means that a four-valued approach is appropriate in the centralized case, where all policies and
information is presumed to be accessible; but in the distributed case, if it is deemed important to
model communication and policy decision failures at dierent sites, then the richer composition
semantics using subsets can be adopted. At the moment, we are only considering the centralized
case, and so we will use Belnap logic, and the composition operators of [Bruns et al., 2007]. Later
on, we will change to the richer framework.
For the moment, we deal with policies consisting only of authorization rules; remarks on the
composition of obligation policies are made in Section 8. The language that we introduce in the
following section is called p(+.
4.1 Language and semantics
In PBel, the policy algebra based on Belnap logic introduced in [Bruns et al., 2007], single policy
rules are the atoms of the composition process. We will alter the approach to allow for sets,
composed of only positive authorization policies, or only of negative authorization policies. (This
can be translated into their approach straightforwardly.) So, we assume a set PolicyNames =
p
1
, . . . , p
n
of policy names. The syntax of authorization rules is changed, to show that each such
rule is a member of a named set of policies. Thus, a positive authorization rule has the form
permitted(p, Sub:Act:Tar) if G (17)
and a negative authorization rule has the form
denied(p, Sub:Act:Tar) if G (18)
where p PolicyNames.
We will wish to be able to make use of the basic operations over the Belnap space dened in
[Bruns et al., 2007]. To be clear about the nature of these operations, it is useful to visualize the
bilattice of values. The relationship between them can be shown as in Figure 5. The bilattice has
two orderings. The truth ordering, which in its application to policies is better thought of as a
permission ordering, is marked t in Figure 5. Its least element is d and its greatest is p, with n/a
and in being non-comparable. The information ordering, marked k in the diagram, has n/a as its
least element, with in its greatest.
Basic operations over these values are dened; the binary operations are familiar from lattice
theory. The operators are , , for the permission ordering, and , and for the knowledge
ordering; in both cases, they are respectively a meet, join, and complement operation. We provide
the meanings in Table 3, in order to make later denitions clearer. The order of operands is given
alphabetically; the operators are commutative. The operations are lifted from their application to
policy values to policies; this means, for example, that if two of our policy names are p
1
and p
2
(i.e. p
1
, p
2
PolicyNames), and a given access request is evaluated to p by p
1
, but to n/a by p
2
,
then the policy p
1
p
2
would evaluate to n/a; p
1
p
2
would evaluate to p; and so on.
In addition to the positive and negative authorization rules as dened above in (17) and (18),
two other sorts of expression are added to our language. A policy composition rule has the form
policy P is P

(19)
where P is a policy index, and P

is a policy composition. Policy compositions have their syntax

dened by the Backus-Naur form:
P ::= p [ P
1
P
2
[ P
1
P
2
[ P [ P
1
P
2
[ P
1
P
2
[ P (20)
23
in
d
p
n/a
t
k
Figure 5: Belnap bilattice for PBel policy decisions
d in = d d = p d in = d
d n/a = d in = in d n/a = n/a
d p = d n/a = n/a d p = n/a
in n/a = d p = d in n/a = n/a
in p = in d = d in p = p
n/a p = n/a in = n/a n/a p = n/a
X X = X n/a = in X X = X
d in = in p = p d in = in
d n/a = n/a d n/a = d
d p = p d p = in
in n/a = p in n/a = in
in p = p in p = in
n/a p = p n/a p = p
X X = X X X = X
Table 3: Meanings of basic policy operators
where p ranges over policy indices. Finally, for each policy description a single top policy designator
is required, which is a statement of the form
policy P is top (21)
where P is a policy index. This selects P as the top policy: the one whose decisions are used by
the PDP to respond to requests passed from the PEP.
For the semantics, we show how policy descriptions of the new form dene labelled transition
systems, and also how they can be translated directly into (+. This mirrors exactly the two routes,
represented by Denitions 13 and 14, that we earlier gave for semantics of policy descriptions
without composition. We rst dene the new policy descriptions.
24
Denition 16 A composed policy description P of signature has the same form of signature as
dened in Section 3.1, with the following exceptions. A xed set of policy indices is added; these
are divided into basic and non-basic indices. The basic policy indices are further divided into those
which are positive and those which are negative. permitted(Sub:Act:Tar) and denied(Sub:Act:Tar)
constants are removed, and replaced with action constants permitted(p, Sub:Act:Tar) for p which
are positive basic, and denied(p, Sub:Act:Tar) for p which are negative basic, for all Sub:Act:Tar
Actions. P has the same form of system model as (non-composed) policy descriptions. In addition,
it has authorization rules, policy composition rules, and a top policy designator, as described in the
current section. We insist that if some policy index p

appears in the head of a permitted (respec-

tively denied) authorization rule, then all rules having p

in their head are permitted (respectively

denied) rules, and p

must be a positive (respectively, negative) basic policy index. Basic policy

indices may not appear in the left-hand-sides of policy composition rules, i.e. in the P position of
a rule policy P is P

. Further, any non-basic policy index appearing in a composed policy de-

scription P must appear on the left-hand-side of precisely one policy composition rule. Obligation
policy rules have the same structure as previously.
In order to say how labelled transition systems are dened by such composed policy descriptions,
we need a subsidiary denition, updating that for A
P
(s, e) (Denition 12).
Denition 17 Let P be a composed policy description, with siganture . Let the policy p

be
desiganted as top in Pso the rule
policy p

is top
is in P. Where s is an interpretation of
f
and e is an interpretation of
a
, then
A

P
(s, e) = A
P
(s, e) [Sub:Act:Tar is allowed] [ (Sub:Act:Tar), (s, e) [=
p

p
[Sub:Act:Tar is allowed]=f [ (Sub:Act:Tar), (s, e) ,[=
p

p
It remains to dene the relationship [=
p
, where p is a policy index. This is done recursively,
depending on which p is used.
(Sub:Act:Tar), (s, e) [=
p
p if p is basic and e [= permitted(Sub:Act:Tar)
(Sub:Act:Tar), (s, e) [=
p
d if p is basic and e [= denied(Sub:Act:Tar)
(Sub:Act:Tar), (s, e) [=
p
n/a if p is basic and e ,[= permitted(Sub:Act:Tar) denied(Sub:Act:Tar)
(Sub:Act:Tar), (s, e) [=
p
x if p is not basic and p is f(p
1
, . . . , p
n
) P
and i(1 i n (Sub:Act:Tar), (s, e) [=
p
i
x
i
)
and x = f(x
1
, . . . , x
n
).
In the nal clause of this denition, the denitions of the operators , , , , and as they
apply to policy values are applied recursively, to give the value f(x
1
, . . . , x
n
). Constraints placed
on the occurrence of policy indices in composed policy descriptions, according to Denition 16,
ensure that Denition 17 is well-formed.
Denition 18 Let P be a composed policy description of signature . The labelled transition
system dened by P is the triple (S, L, R). S, the set of states, is given as usually, as the interpre-
tations s of Fluents such that:
s = s

I(
f
) [ s

[= T
static
(s) Simple(s). (22)
L, the set of labels, is simply I(
a
), the set of interpretations of the action constantsincluding the
policy constants. Finally, R is the set of transitions (s, e, s

), where we dene this anew. (s, e, s

)
is a transition of P i s is a state, and
e = e

I(
a
) [ e

[= A

P
(s, e);
25
s

= s

I(
f
) [ s

[= T
static
(s

) E(s, e, s

).
Translating composed policy descriptions into (+ requires that we alter the signatures, adding
constants that are used to represent the values of decisions for each policy index.
Denition 19 Let P be a composed policy description, with signature . For each p which
is a policy index in P and each action constant of the form (Sub:Act:Tar), add a multi-valued
action constant pdp(p, Sub:Act:Tar) to the signature ; the domain of each new constant is the
set p, d, in, n/a. The new constants will represent what values a request for Sub:Act:Tar would
take, according to policy p, as dened by the authorization rules and policy composition rules of
P. Let the new signature be

. The (+ action description corresponding to P, C

P
, has all causal
laws as dened in Denition 14 for the action descriptions corresponding to (non-composed) policy
descriptions, with the exception of the laws
default permitted(Sub:Act:Tar) and default denied(Sub:Act:Tar)
for Sub:Act:Tar Actions; these are no longer needed as the form of authorization rules is dierent.
Instead of them, we include
default permitted(p, Sub:Act:Tar)
for all positive basic p and Sub:Act:Tar Actions, and
default denied(p, Sub:Act:Tar)
for all negative basic p and Sub:Act:Tar Actions. For any positive authorization rule
permitted(p, Sub:Act:Tar) if G
in P, we include a rule
pdp(p, Sub:Act:Tar)=p if permitted(p, Sub:Act:Tar)
in C
P
; for all negative authorization rules
denied(p, Sub:Act:Tar) if G
in P, we include a rule
pdp(p, Sub:Act:Tar)=d if denied(p, Sub:Act:Tar)
in C
P
. For any basic index p and Sub:Act:Tar Actions we also include the rule
default pdp(p, Sub:Act:Tar)=n/a
in C
P
. This models the semantics of authorization rules, and the policies which contain them, in
(+. We must now consider the policies dened as compositions of other policies. Each composition
rule
p is P

in P has as its right-hand-side a function of other policy indices; P

can be written f(p

1
, . . . , p
n
),
where p
1
, . . . , p
n
are the policy indices appearing in P

. For any composition rule p is f(p

1
, . . . , p
n
),
we add to C
P
the set of laws
pdp(p, Sub:Act:Tar)=x if pdp(p
1
, Sub:Act:Tar)=x
1
pdp(p
n
, Sub:Act:Tar)=x
n
such that x
1
, . . . , x
n
p, d, in, n/a, and x = f(x
1
, . . . , x
n
). Where
policy p is top
26
is in P, we also include the laws
[Sub:Act:Tar is allowed] if pdp(p, Sub:Act:Tar)=p
[Sub:Act:Tar is allowed]=f if pdp(p, Sub:Act:Tar)=d
[Sub:Act:Tar is allowed]=f if pdp(p, Sub:Act:Tar)=in
[Sub:Act:Tar is allowed]=f if pdp(p, Sub:Act:Tar)=n/a
in C
P
.
A similar proposition to 15 may now be stated.
Proposition 20 Let P be a composed policy description. Let the labelled transition system given
by Denition 18 be (S, L, R). Let the LTS given by by the (+ action description corresponding
to P, according to Denition 19, be (S

, L

, R

). Dene
L

= e

[ e L

, e

is e, restricted to the signature of P

R

= (s, e

, s

) [ (s, e, s

) R

, e

is e restricted to the signature of P

(The restrictions to the signature of P remove reference to the new constants pdp(p, Sub:Act:Tar).)
Then, the labelled transition systems (S, L, R) and (S

, L

, R

) are equal.
Proof: We clearly have S = S

and L = L

; we need to show that R = R

. This essence of this

is a straightforward proof by structural induction over the denition of the top policy. (Details
omitted.)
4.2 Example composition
We now consider a very simple example, showing how access control policies can be composed and
how the formulation in (+ allows us to answer queries about them, using the implementation in
iCCalc. The example domain is that of a library which has two categories of user: reader and
librarian. For the moment, we consider the case where only one user exists, borges, but make no
restrictions on the categories of user borges belongs to: there are therefore four possibilities. Users
of the library can read, or write to, the library catalogue; authorization policies will govern the
circumstances under which dierent categories of user may do this. We also model an action by
the library system of altering the contents of the catalogue; for the purposes of this example, we do
not treat this action as being governed by the policies. The action, system:alter:catalogue, can be
thought of as representing any alteration of the library catalogue: say, when a books ISBN number
is updated automatically from a central database. The consequence of this action is that borges
is no longer treated as having read the contents of the catalogue. We model the domain as shown
below in Table 4. The set PolicyNames contains four policy names: p

is the top policy used by

the PDP; l contains the rules governing access for librarians; r
w
contains a negative authorization
policy stating that readers may not write to the catalogue; and r
r
is the positive authorization
policy that readers may read the library catalogue.
What is missing from Table 4 is the policy-algebraic expression that denes p

in terms of
the non-basic policy names, l, r
w
and r
r
. A context for this is easily imagined: perhaps those
responsible for writing the policy for the library sta are dierent from those that set the policy
for its users, and the work of each has to be combined; or it may simply be natural to group the
rules together into such sub-policies. In either case, the sets must be combined.
Let us rst consider the following composition:
policy p

is l (r
w
r
r
) (23)
This is a simple-minded combination: as Table 3 makes clear, the result of -ing a permitted
decision with a not-applicable decision is not-permittedso that where borges is a librarian but
not a reader, then because r
r
and r
w
are not applicable, p

is evaluated to n/a, in spite of the

permission that, one feels, policy l should contribute to be overriding.
27
Sub = borges
Act = read, write
Tar = catalogue
Fluents = borges:hasRead(catalogue), borges:hasWritten(catalogue),
borges:userType(reader), borges:userType(librarian)
Actions
eca
=
Actions
reg
= (borges:Act:catalogue) [ Act Act
Events = system:alter:catalogue
PolicyNames = p

, l, r
w
, r
r

System Laws: borges:hasRead(catalogue) after borges:read:catalogue

borges:hasWritten(catalogue) after borges:write:catalogue
(borges:hasRead(catalogue)) after system:alter:catalogue
inertial F [ F Fluents
exogenous system:alter:catalogue
Policies: permitted(l, (borges:write:catalogue)) if borges:userType(librarian)
permitted(l, (borges:read:catalogue)) if borges:userType(librarian)
denied(r
w
, (borges:write:catalogue)) if borges:userType(reader)
permitted(r
r
, (borges:read:catalogue)) if borges:userType(reader)
policy p

is top
Table 4: Basic elements of the policy description for library example.
This idea of policies being overriding promotes the introduction of another policy operator,
>, taken from [Bruns et al., 2007]. Where q
1
and q
2
are policy names, then q
1
> q
2
is the policy
which evaluates to q
1
if q
1
is the value of q
1
, unless q
1
evaluates to n/a, in which case the value of
q
1
> q
2
is q
2
. X > Y is dened as
X (((X (X))) Y ).
As a correction of the rst proposal, the top policy could be dened in the following way:
policy p

is l > (r
w
> r
r
) (24)
This means that l trumps all other policies: whenever borges is a librarian, then requests both to
write to the catalogue and to read it are allowed. If l does not apply (borges is not a librarian),
then (r
w
> r
r
) is used to evaluate requests. This means that, if borges is a reader, then a request
to write to the catalogue would be denied; a request to read the catalogue would be allowed.
All other combinations of requests and circumstances (in this case, user possessions by borges)
of user categories result in a n/a decision by p

; the semantics of how the PDP interacts with the

top policy means that such requests are not allowed. In particular, if borges is neither librarian
nor user, then he may neither write to, or read, the catalogue.
The analysis of composed policies will be treated more fully in Section 6, where we give more
detailed examples and show how the tool iCCalc is designed to support queries.
28
5 Norms
5.1 Syntax and Semantics
In [Craven and Sergot, 2008], changes were made to the language and semantics of (+ in order to
allow the representation of normative features of agents and institutions; the resulting language
was called n(+. Semantically, n(+ introduces two sorts of classication on states or transitions.
First, states and transitions are either green or red: where a green state (or transition) is one
considered acceptable, or compliant with the norms governing the system being modelled; and a
red state (or transition) is one which violates those norms, by being immoral, unethical, illegal,
rude, bad, or against the norms in some other way. The green states might be thought of as those
where the system is functioning well, the red states where something has gone wrong, in the sense
of contravening norms. According to this coarse-grained classication, states and transitions as a
whole are coloured: there is no scope for singling out the individual normative status of a given
agents contribution to the state or transition. There need be no relationship between the ways
states and transitions are coloured, with the excpetion of what [Craven and Sergot, 2008] calls
the green-green-green constraint (ggg): if the system is in a green state, and performs a green
transition, then all resulting states must be green. This constraint makes concrete the intuition
that if things are going well, and nothing bad happens, then everything is still going well.
Recall Denitions 1 and 4: a transition system for (+ has the structure (S, A, R). To classify
states and transitions as red and green, we add S
grn
and R
grn
, where S
grn
S is the set of
green system states, and R
grn
R is the set of green transitions. Dependently, we also dene
S
red
= S S
grn
and R
red
= RR
grn
. Two new categories of causal law are then added to (+, to
determine which category states and transitions shall belong to. A state permission law has the
form
not-permitted F (25)
where F is a uent formula; and an action permission law has the form
not-permitted A if G (26)
where A is an action formula and G is a formula. The meaning of (25) is that where s S, then
if s [= F, then s S
red
; but states are green (s S
grn
) by default. Similarly, the meaning of a
law (26) is that if some transition (s, e, s

) R is such that s e [= G A, then (s, e, s

) R
red
;
transitions too are green ((s, e, s

) R
grn
) by default. Note that state and action permission
laws, if present in an action description D, do not alter the structure or nature of the labelled
transition systems: they are not used in the denision of S and R, only in classifying the states and
transitions normatively. Using this formal apparatus, the green-green-green constraint (henceforth,
), requires that when s S
grn
and e R
red
, then s

S
red
.
(There is a certain regrettable overlap in terminology here, that might be confusing to some-
body new to the various languages and concepts presented. Specically, the use of not-permitted
to indicate normative status might be confused with the idea of permission as this features in
policies, and the policy language we introduced in Sections 3 and 4. They are distinct. We stress
again that norms are higher-level, abstract classications of what is deemed to be good or bad
behaviour and properties in a system, but which do not in themselves determine how the bits of
system can act. Policies are typically lower-level, and through the presence of a PDP and PEP
a policy management componentthey do control what can be done in a system. Policies are
modelled in such a way that changes in policies mean a change in the structure of the labelled
transition systems used to depict the domains behaviour.)
As mentioned above, this classication is of states and transitions as a whole: there is no sense
of whether an individual agents contribution to a state or transition is good or badwhether
some specic agent conforms to the norms governing it, or not. Yet clearly this is desirable, so
n(+ also adds features that pick out an individual agents contribution to a transition, and allow
that contribution also to be classied. The full form of labelled transition systems for n(+ can
now be dened.
29
Denition 21 A coloured agent-stranded transition system is a tuple
(S, A, R, S
grn
, R
grn
, Ag, strand, green).
(S, A, R) is as given in Denition 1, and S
grn
S and R
grn
R are the sets of green states and
transitions. Ag is a set of agents. For ag Ag and e A, strand(ag, e), which we also write
as e
ag
, picks out ags contribution to the label eprecisely what this contribution is, we leave
open. Finally, green(ag), for each ag Ag, is the set of transitions that are green for ag (so,
green : Ag (R)).
As well as the state and action permission laws we have already introduced, n(+ also has
agent-specic permission laws, which have the form:
not-permitted(ag) A if G (27)
Here, ag must be in Ag, and as usual A is an action formula and G a formula. An action description
of n(+ is an action description of (+, which also may include laws of the form (25), (26) and (27).
Denition 22 Let D be an action description of n(+. The coloured agent-stranded transition
system (S, A, R, S
grn
, R
grn
, Ag, strand, green) determined by D has:
(S, A, R) is the (+ labelled transition system dened by D

, where D

is D without any
permission laws.
S
grn
= S S
red
, where S
red
is s S [ s [= F for some law (25) in D
R
grn
= R R
red
, where R
red
is
(s, e, s

) R [ s e [= A G for some (26) in D (s, e, s

) R [ s S
grn
, s

S
red

strand has domain Ag A.

green : Ag (R), and green(ag) = R red(ag), where red(x) is dened as
(s, e, s

) R [ s e [= A G for some law 27) in D

The paper [Craven and Sergot, 2008] provides fuller discussion of these denitions, and also con-
tains a reduction to the formalism of causal theories, similar to that for regular (+ action descrip-
tions given in Section 2.4.
n(+ and the language for algebraic combinations of policies in (+ we presented in Section 4
are dierent extensions of the basic language, and they can be combined. We call (+ with
cconstructions for policy composition p(+; if n(+ is also present, the result is np(+.
5.2 Example: Rooms
We here consider a variation of the rooms example presented in [Craven and Sergot, 2008]. The
domain is a suite of four rooms, arranged in a square; agents, who are male or female, can move
between rooms that adjoin. We will represent states in diagrams; Figure 6 shows a state in which
a man, m, is in the top-left room, and a woman, f, is in the lower-right room. As the arrangement
of rooms and doorways makes clear, agents can either move clockwise or anti-clockwise around the
suite. The example domain was originally designed with norm-governed agent systems in mind,
but it is easy to imagine that the agents in it are controlled centrally, and have their access to
rooms governed by a policy.
Before we present the siganture and system laws used to describe the domain, it is useful to
introduce a number of convenient expressions for representing the details of a particular arrange-
ment of rooms; this makes the expression of the causal laws simpler. So, for the four-room suite
30
m
f
Figure 6: State from the rooms example.
treated in the current example, we let Rooms = top left, top right, bot left, bot right; the variable
R, possibly with sub- and superscripts, will range over this set. Similarly, D and variations on it
will range over the two directions, anti and clock. When it is possible to exit R
1
in direction D
and arrive in R
2
, we denote this adj(D, R
1
, R
2
)so that in our example, the following are true:
adj(anti, top right, top left) adj(clock, top right, bot right)
adj(anti, top left, bot left) . . .
The basic action description of system laws is shown in Table 5. A simple uent constant A:loc,
for each agent A, is used to describe the agents location. We also use statically-determined uent
constants alone(A, A

) and alone(A), for agents A and A

, where A ,= A

, to represent whether
two agents are alone together in a room, or a single agent is alone in a room. These statically
determined uent constants are of use in the expression of policies and norms, later. The actions
are for an agent A to move in a given direction D, which we represent as A:move:D.
Causal law (28) describes the eects of a successful move by an agent. Law (29) means that
agents cannot request to move to non-adjacent rooms. Law (30) means that agents may not
simulatneously request to move to two dierent rooms. Law (31) means that two dierent agents
cannot move in the same direction through a doorway, and law (32) means that agents cannot
move in opposite directions through doorways: strait are the gates.
Let us suppose that a system designer wishes to impose some order on this non-normative,
ungoverned free-for-all. The basic norm to be adhered to is that men and women ought not to be
alone together in a room. In n(+, we can represent this using the state permission law
not-permitted alone(m, f) (33)
This has the desired eect of colouring red all states where the man m is in the same room as the
woman f; all other states are coloured green by the default which is standard in n(+. As there
are no action permission laws, the transitions are coloured green by default, with the exception
of all transitions from green states to states which, according to (33), are redthe ggg constraint
colours those transitions red. A fragment of the resulting transition system is shown in Figure 7.
The colour of the agents in a state represents the colouring determined by the state permission
m
f
m f
m:move:clockwise
m:move:anti
Figure 7: Fragment of transition system for the rooms example.
laws; transition colours are shown by the colour of the arrows and their labels.
31
Sub = m, f
Act = move:anti, move:clock
Tar =
tar

Fluents = A:loc [ A Sub (dom(A:loc) = Rooms)

SDFluents = alone(A), alone(A, A

) [ A, A

Sub, A ,= A
Actions
eca
= A:move:anti, A:move:clock [ A Sub
Actions
reg
=
Events =
System Laws: A:loc = R

after A:move:D A:loc=R [ A Sub, adj(D, R, R

) (28)
req(A:move:D) is non-executable if A:loc=R [ A Sub, Xadj(D, R, X)
(29)
req(A:move:D) req(A:move:D

) is non-executable [ A Sub, D ,= D

(30)
A:move:D A

:move:D is non-executable if A:loc=R A

:loc=R [ A ,= A

(31)
A:move:D A

move:D

is non-executable ifA:loc = R A

:loc=R

[ A ,= A

, D ,= D

, adj(D, R, R

) (32)
default alone(A, A

) if A:loc=R A

:loc=R [ A ,= A

alone(A, A

) if A:loc=R A

:loc=R

[ A ,= A

, R ,= R

alone(A, A

) if A:loc=R A

:loc=R A

:loc=R [ A ,= A

, A ,= A

, A

,= A

default alone(A)
alone(A) if A:loc=R A

:loc=R [ A ,= A

inertial F [ F Fluents
Table 5: Signature and system laws for the rooms example.
The norms that have coloured the states and transitions of this system in dierent ways rep-
resent a system-level authoritys perspective on what is desirable or undesirable in the system.
The policies are used to change the various components, agents, or subjects behaviour, and it is
natural that the objective should be to have policies in place that guarantee the achievement of the
normswhere achievement means that nothing bad ever happens: no redness is present. The poli-
cies can be imagined as being derived by the various agents themselves; or, in the case where the
agents are less autonomous, the policies might also be derived by a system-wide authority, either
the same as or dierent from the one who sets the norms. There are various dierent possibilities.
(The current work does not take into account the epistemic complications of derivation, or indeed,
how derivation of policies from norms is achieved: it only considers the ways of representing both,
and reasoning about their interactions.)
For a rst attempt at policies that are intended to achieve norm-compliance, consider those
set out in Table 6. The rst, positive authorization policy p
m
states that men are allowed to go
anywhere. The second states that men are not allowed to move clockwise into the top-left room
forbidding transitions where men move from the bottom-left to top-left. The third policy states
that women are allowed to go into any room where there is no man. The policy combination for
p

means that p
m-restrict
overrides p
m
.
Do these policies eliminate redness? It is rst important to note that there are several dierent
interpretations of that question for which the answer might be required. The most obvious is: do
32
PolicyNames = p

, p
m
, p
m-restrict
, p
f

Policies: permitted(p
m
, m:move:D) if m:loc=R (R

adj(D, R, R

))
denied(p
m-restrict
, m:move:clock) if m:loc=R (adj(clock, R, top left))
permitted(p
f
, f:move:D) if f:loc=R m:loc=R

(adj(D, R, R

))
policy p

is top
policy p

is (p
m-restrict
> p
m
) p
f
Table 6: Policy set (1) for the rooms.
the policies eliminate red transitions? Yet this is not the best way of understanding the question
of our interest, in policy authors, is in writing policies which prevent the system from entering
bad states and doing bad things, and also ensure that if the system does ever go wrong, then it
recovers. For, there may be green transitions from a red state to a redstate, and so the elimination
of red transitions may not guarantee that a system must always recover and move out of a red
state. So, a better interpretation of the question is: are there any transitions in the system to a
red state? This is what we shall answer.
The rst set of policies, in Table 6, clearly do a poor job. The transition shown in Figure 7
from left to right, is one to a red state; but this is not eliminated by the policies. To see this,
consider the fate of a request req(m:move:clock) when the system is in the state on the left. p
f
evaluates to n/a for this, p
m
of course evaluates to p, and p
m-restrict
evaluates to n/a, because its
condition amounts to if m:loc=bot right given the arrangement of the rooms in our example. p

is therefore whatever (n/a > p) n/a is evaluated to, and this is p. The request is thus allowed.
In fact, there are 26 transitions to red states under this policy set; if all requests were allowed,
then this number would only increase to 28, which shows that the policies are very unsuccessful
job in eliminating them. (The two which are eliminated are those where the man moves clockwise
into the top-left room: the rst where the woman is already there, the second where she moves in
simultaneously from the top-right.)
Let us have another attemptshown in Table 7. In set (2), we will add policies that mean the
PolicyNames = p

, p
m
, p
m-restrict
, p
f
, p
m-bar
, p
f-stay

Policies: permitted(p
m
, m:move:D) if m:loc=R (R

adj(D, R, R

))
denied(p
m-restrict
, m:move:clock) if m:loc=R (adj(clock, R, top left))
permitted(p
f
, f:move:D) if f:loc=R m:loc=R

(adj(D, R, R

))
denied(p
m-bar
, m:move:D) if m:loc=R f:loc=R

(adj(D, R, R

))
denied(p
f-stay
, f:move:D) if alone(f) f:loc=R
m:loc=R
x
m:loc=R
y
(adj(anti, R, R
x
), adj(clock, R, R
y
))
policy p

is top
policy p

is (p
m-bar
> p
m-restrict
> p
m
) (p
f-stay
> p
f
)
Table 7: Policy set (2) for the rooms.
33
man may not enter a room if there is somebody there, and also a policy requiring that if a woman
is alone and there is nobody in a room either side of her, then she must stay put. The intention
is that the second of these policies should guarantee that there are no meetings where a man and
woman enter the same room from dierent directions.
This attempt works much better. It eliminates all red transitions, and leaves only 5 transitions
to red states. When these transitions are examined, using a tool such as iCCalc, they are seen
all to be self-transitions. The policies have ensured that no red state is never entered from a green
state, but failed to ensure recovery. To do that, we can augment the policies to include several
obligations (the authorization policies remain the same). They require that, if a man and woman
are alone together, the man must move clockwise if he is allowed to; if they are alone and they
man is not allowed to move clockwise, then the woman must move anti-clockwise. The new policy
set in full is in Table 8. As is easy to check (and intuitively clear), this policy achieves what we
PolicyNames = p

, p
m
, p
m-restrict
, p
f
, p
m-bar
, p
f-stay

Policies: permitted(p
m
, m:move:D) if m:loc=R (R

adj(D, R, R

))
denied(p
m-restrict
, m:move:clock) if m:loc=R (adj(clock, R, top left))
permitted(p
f
, f:move:D) if f:loc=R m:loc=R

(adj(D, R, R

))
denied(p
m-bar
, m:move:D) if m:loc=R f:loc=R

(adj(D, R, R

))
denied(p
f-stay
, f:move:D) if alone(f) f:loc=R
m:loc=R
x
m:loc=R
y
(adj(anti, R, R
x
), adj(clock, R, R
y
))
obligation(m:move:clock) if alone(m, f) allow(m:move:clock)
obligation(f:move:anti) if alone(m, f) allow(m:move:clock)
policy p

is top
policy p

is (p
m-bar
> p
m-restrict
> p
m
) (p
f-stay
> p
f
)
Table 8: Policy set (3) for the rooms.
wanted: there are no transitions to red states. It does not rule out red states: but the only way a
red state can be part of a simulated run through the system is if such a state is the initial state of
the run. The actions of the various components of the system governed by policiesin our case,
the man and womanwill always ensure that any red initial state is immediately left behind, and
none is subsequently entered.
5.3 Extracting the System Component
We would like to be able to speak of the transition system dened by the system component
of an action description of p(+, n(+ or np(+this would model the eects of actions on non-
normative, non-policy features of the system, if policies and norms are removed. If we simply
remove from an action description D all policy laws and permission laws, however, we will still be
left with policy action constants, and some system laws may refer to those action constants. In
the rooms action description shown in Table 5, for example, the causal laws (29) and (30) both
use the action constant req(A:move:D). However, we can make two changes to action descriptions
involving policies or norms, which reveals the underlying system structure. (i) rst remove any
causal laws that use policy-related constants such as req(), permitted() and so on. Then make
action constants exogenous, by adding a causal law
exogenous a
34
for every a
a
. iCCalc can then be used to nd the transitions of the system, and visualize
them (see Section 6 for how this is done, and examples). Where D is an action description of p(+,
n(+ or np(+, let D

be the result of removing normative and policy elements, in this way.

An alternative way to see the basic underlying structure of the system is to retain the policy
constants, not add the exogeneity laws, but to replace any policies with the most permissive
policy p, which simply permit any request. This policy is shown in Table 9. Where D is an action
PolicyNames = p
Policies: permitted( p, A) [ A Actions
policy p is top
Table 9: The most permissive policy, p.
description of p(+, n(+ or np(+, let

D be the result of replacing the policy of D by p. This
means that all requests for action are allowed, and so the only constraints placed on which actions
may be performed are the physical constraints of the underlying system, together with causal
laws that determine when requests are made.
In the case of the action description in Table 5, for the rooms example, there is a desired
isomorphism between the transition system (S

, A

, R

) dened by D

and the transition system

dened by

D, which we can call (

S,

A,

R). They are not the same transition system, because
(

S,

A,

R) is dened over a signature that also includes policy action constants; but if one starts
with (

S,

A,

R) and removes all policy action constants, and bleaches states and transitions of their
norm-determined colourings, the result is (S

, A

, R

). We can now as two questions. Is this a

general resultdoes it hold for every transition system D of p(+, n(+ or np(+? Further, if it is
a general result, does that mean that

D and D

always reveals the underlying systems structure?

The answer to both questions is negative. First, let us consider the relationship between
(S

, A

, R

) and (

S,

A,

R), and consider the very simple action description shown in Table 10.
In this domain, because a request is automatically triggered when p is true, then removing all
causal laws in which policy-related constants occur will remove information that is essential to the
determination of the structure of (

S,

A,

R). In fact, (

S,

A,

R) has no transition from the state p
where a is not performed, whereas (S

, A

, R

) does have such a transition: all action constants

are made exogenous in it.
On the whole, it seems to us that the use of the most permissive policy p will enable a labelled
transition system that corresponds more closly to the intended underlying system behaviour to be
derived; but we leave this matter for further investigation.
6 Analysis Queries and Examples
In this section, we describe the sorts of analysis and simulation currently possible on our language
whether p(+ or np(+. First, the implementation we work with, iCCalc, is described.
6.1 Implementation
(+ was originally supported by (Calc,
6
written in Prolog. (Calc supports a wide range of query
tasks relating to (+ and the language of causal theories. A (+ action description D is written as
a Prolog source le, and (Calc then nds the completion of this, comp(
D
t
) for some run-length
t. A query Q is added, and the result is converted to conjunctive normal form (cnf), and sent to
6
See http://www.cs.utexas.edu/users/tag/cc/.
35
Sub = x
Act = a
Tar =
tar

Fluents = p
Actions
reg
= x:a
Events =
System Laws: inertial p
p after x:a
req(x:a) if p
PolicyNames = p

Policies: policy p

is top
permitted(p

, x:a)
Table 10: Simple policy description.
an externally implemented SAT-solver. Solutions represent runs of length t through the transition
system dened by D, that are consistent with the information of the query Q.
With Marek Sergot of Imperial College, the current author reimplemented (Calc, to add
support for a number of additional features. The result, iCCalc, some of the same core algorithms
as (Calc, but there are substantial additions and alterations, as follows.
The syntax for source les is changed: full Prolog can now be used in the denitions of
signatures and action descriptions, with features to use named variables as a shorthand.
This makes the specication of large domains much more convenient. (Calcs input syntax
was subject to an overly strict type-check: this has been removed.
There is a choice between using the SAT-solver clasp,
7
a state-of-the-art SAT-solver, or,
if SICStus-Prolog
8
is being used, of employing its built-in Boolean constraint satisfaction
library, clp(b), for query solution. Initial experiments indicate that clasp is much the best
option.
Several additions to the basic (+ language are fully-supported, including n(+, p(+ (the
language for policies presented in the current paper), and (+
timed
[Craven and Sergot, 2005].
Queries in the agentive modal logic LUCA [Sergot, 2008] are supported by an addition to
the code, such queries being evaluated over transition systems dened using (+ or one of its
extensions.
Full transition systems, and fragments of transition systems, can be written to an external
le and visualized using graphviz,
9
freely-available graph visuzlization software.
The code runs on many common variants of Prolog, including SICStus Prolog (versions 3
and 4), Yap Prolog
10
and SWI-Prolog
11
.
7
See http://www.cs.uni-potsdam.de/clasp/.
8
See http://www.sics.se/sicstus/.
9
See http://www.graphviz.org/.
10
See http://www.dcc.fc.up.pt/~vsc/Yap/.
11
See http://www.swi-prolog.org/.
36
The code for iCCalc is freely available from http://www.doc.ic.ac.uk/~rac101/iccalc/.
6.2 Query and Analysis Types
Recall the rooms example presented in Section 5.2. We will use this domain, with more variations
of its norms and policies, to illustrate the various kinds of analysis and reasoning task possible
over domains of (+ and extensions of that language for norms and policies. We will only consider
the sorts of queries currently supported within iCCalc; but as the action descriptions of members
of the family of langauges all dene labelled transition systems (sometimes coloured, sometimes
stranded), then of course many other kinds of query can be imagined. It is possible, for instance,
to use model-checkers to check various kinds of property over the transition system. Though these
possibilities are very interesting, we do not discuss them further in detail here.
In order to illustrate the kinds of query possible, we will use the action description for the
rooms example with a slight variations on policy set (2). The relevant system specications are
shown in Table 5. However, we will also add some agent-specic norms to the example, so that
the full strength of the representation, and all forms of query, can be shown. The full compliment
of norms and policies is shown in Table 11. There are two agents, and the state permission law
Agents = m, f
Norms: not-permitted alone(m, f)
not-permitted(m) m:move:clock m:move:anti if m:loc=R f:loc=R
PolicyNames = p

, p
m
, p
m-restrict
, p
f
, p
f-stay

Policies: permitted(p
m
, m:move:D) if m:loc=R (R

adj(D, R, R

))
denied(p
m-restrict
, m:move:clock) if m:loc=R (adj(clock, R, top left))
permitted(p
f
, f:move:D) if f:loc=R m:loc=R

(adj(D, R, R

))
denied(p
m-bar
, m:move:D) if m:loc=R f:loc=R

(adj(D, R, R

))
denied(p
f-stay
, f:move:D) if alone(f) f:loc=R
m:loc=R
x
m:loc=R
y
(adj(anti, R, R
x
), adj(clock, R, R
y
))
policy p

is top
policy p

is (p
m-restrict
> p
m
) (p
f-stay
> p
f
)
obligation(f:move:anti) if f:loc=top right
Table 11: Norms and policies for the rooms example.
from before stating that the man and woman may not be alone together. There is a single agent-
specic permission law, which states that it is not permitted for m, the male, to stand still, if f is
in the room. Note that this is dierent from an obligation on m to move if f is in the room: the
obligation would force m to make a request to move, and thus eects the systems behaviour; the
norm merely colours ms strand red should he be with a woman and fail to move. The absence of
agent-specic laws for f means that fs strand in a transition will always be green. We will also
impose the local-global constraint, which means that a transition is (globally) red, whenever any
agent strand of that transition is red. The policies are those from (2), except that p
m-bar
, which
37
stated that the man is not permitted to enter a room if the woman is there, has been omitted. We
have also added a new obligation, requiring f to move anti-clockwise when she is in the top-right
room.
We now describe a sample of the kinds of analysis query possible. Given the number of types
and examples, we do not list the solutions to all, but merely a representative.
Normative status The colourings of the transition system and its strands mean we can ask lots
of questions about the combinations of colourings with properties of states and systems; to
do so is to ask about the circumstances in which norms are adhered to, or contravened. For
example, (i) Is there a red state where m is in the top-left room? (ii) Is there a transition
where m transgresses the normshis strand is redbut the resulting state is green? (iii) If
m moves anti-clockwise four times in a row, is one of the states he passes through necessarily
red?This last can be queried by asking iCCalc for a run of length 4, where each state
is green, and where m:move:anti is true across each transition. Any solution disproves the
statement that a red state must be passed through. iCCalc nds 36 solutions to this query,
with groups divded depending on which room m starts from. The solutions all have f chase
m round the suite of rooms (or m chase f).
Red transitions, agent-redness We may also be interested in the relationship of the agent-
specic norms to the global norms. Of course, where the local-global deontic constraint is
enforced, any transition where an agent acts badly is automatically forced to break the global
norms, and is coloured red. Yet we may still want to know whether there are transitions that
are globally red without being red for any specic agent. Such transitions may of particular
interest, in that they signify either a failure to design agent-specic norms that match the
global norms, in which case the agent-specic norms may need modication; or else, they
might represent transitions which are known to be bad because of factors the agents cannot
controlsome agent whose norms and behaviour we cannot direct did something wrong, or
the system malfunctioned in a way that nobody was responsible for. There are 14 transitions
of this sort in our new rooms example; they are all instances where m and f are initially
in adjoining rooms, the woman doesnt move, and the man moves into the womans room.
If the optional local-global constraint is not enforced, we may be interested in seeing whether
the property it enforces is, nevertheless, true. Are all states coloured red for some particular
agent also globally red? If we remove the constraint from our domain, the answer is that
there are 13 transitions where m breaks his agent-specic norms, but the transition is not
considered globally red. These might be instances of a too-strict development of agent norms.
Planning under norms One form of planning query that considers the normative status of the
world asks whether it is possible to go through from an initial state in which F is true,
to a nal state in which G is true, with a particular pattern of adherence to norms along
the way. That adherence may be total: no agent does anything wrong, meaning that there
are no intermediate states between those in which F and G are true that are red, no red
transitions between any of these states, and there is no transition that has a red strand for
any agent. Yet there are also weakings of this total adherence to norms that one might be
willing to accept: runs, for instance, where every strand in every transition is green, but
there are some transitions which are globally red (this situation can only arise when the
optional global-local constraint is not imposed). Such runs might be considered to be those
in which external factors are responsible for the systems badness, not any of the agents
whose actions the plan is to dictate. For example, suppose we wanted to nd the shortest
sequence of actions of m and f from a state where m is in the bottom-left room, f is in the
bottom-right, to a state where m is in the top-left, and f in the bottom-left; none of the
intermediate states brought about by the actions in the plan should be red, and all agent-
specic norms should be adhered to. Is this possible? iCCalc conrms that it is, and that
the shortest plan involves three stepssets of concurrent actions by m and f. The sequence
where m and f request to move anti-clockwise at each stage results, after three steps, in
both agents being where they are required to be. The agent-specic norms are keptand,
38
in fact, all transitions are globally green too.
12
Obligation violations Given the possibility of including obligations in our policies of p(+, we
can ask what the interaction is between these obligations and the authorization policies.
The eect of an obligation on a subject is to cause that subject to make a request; are such
requests permitted or denied? If permitted, the obligation is fullled; otherwise, it is violated.
We may wish to know whether obligations are ever violated given specic system constraints,
or whether, when an obligation is violated by an agent ag, the previous actions of ag were in
some way responsible for putting him in a situation that made such a violation ineluctable.
Our example policy contains a single obligation, on f: she must go anti-clockwise if ever in
the top-right room. As iCCalc shows, this obligation is violated in 6 transitions, which fall
into two groups depending on the reason for the violation. The rst group of 3 violations
occurs when m is in the diagonally opposite, bottom-left room. In this situation, p
f-stay
denies f permission to move in any direction, so that the request forced by fs obligation is
not allowed. There are three violations in this sub-group because m can either do nothing,
request to go clockwise, or request to move anti-clockwise. In the other group of three, the
man is in the top-left room, and f is then denied permission to move anti-clockwise into
it by p
f
; the three members again match ms possibilities for requests. The fragment of
the transition system showing violations is depicted in Figure 8. Those action and policy
f m
m
f
m
f
m
f
m:move:clockwise,
f:req(move:anti),
obligation(f:move:anti),
viol(f:move:anti)
m:move:anti,
f:req(move:anti),
obligation(f:move:anti),
viol(f:move:anti)
m:move:anti,
f:req(move:anti),
obligation(f:move:anti),
viol(f:move:anti)
f:req(move:anti),
obligation(f:move:anti),
viol(f:move:anti)
f:req(move:anti),
obligation(f:move:anti),
viol(f:move:anti)
m:req(move:clockwise)
f:req(move:anti),
obligation(f:move:anti),
viol(f:move:anti)
Figure 8: Violations in the rooms example.
constants that are most relevant to the violations have been marked: the requests made by
the woman, her obligations, whether or not the obligation was violated, and any actions
12
In iCCalc, nding the shortest plan from a state where F is true to a state where G is true is done as follows.
The length n of plans is gradually increased, from 0 upwards. For length n, we query whether there is a run through
the transition system dened by the action description, such that F is true in the initial state and G in the nal
state. If there is, we then need to check that all runs of length n, beginning in a state which satises F, in which
the same actions are performed by the agents for which we are planning, results in G being true in the nal state.
(This is to rule out Gs holding by luck, given the possibility of non-deterministic action descriptions in C+ and its
extensions.) If this is true, then the plan is the sequence of actions performed by our agents. If not, we increment
the value of n and repeat the process.
39
performed by the man. The various authorization policy decisions, and requests of the
man, have not been shown. (These can be viewed in full using the visualization feature in
iCCalc.)
Policy conict Violated obligations represent one form of policy conict analysis: for an obliga-
tion to be violated, the authorization policy must imply that a request to perform the action
is not allowed. There are also other forms of policy conict, where named sub-policies used
in the denition of the top policy are found to give conicting decisions. Whether or not
this is a problem will depend on the application area, and the specic way in which policies
are combined. For instance, if there are two policies p and p
e
, where p
e
is an exception
to p, then p
e
may contain negative authorizations that override the positive decisions of p
under certain circumstances; we have made use of such structures in examples in the current
paper, using the > operator. But there may be other situations, where the way that policies
are combined requires that they never issue contradictory decisions. Suppose, instead of
p
e
> p, the policy author had written p
e
p; then, when both p
e
and p apply, p
e
p would
be evaluated to in, and this may propogate undesired eects through the evaluation of the
rest of the composition. We can use analysis to discover when sub-policies give conicting
results: for iCCalc includes an option to make the internal workings of the PDP visible;
action constants are then included for the PDPs evaluation of requests against all named
policies in the action description. Making that query for the rooms example shows there
are several examples of named policies reaching conicting decisionsone p and the other
dalthough, since the policy for our example has been well designed with good uses of >,
these do not signal a aw in the policy. (It is also possible, of course, to test for the presence
of an in evaluation against a named policy directly; if we do this for our example, no solutions
are found.)
Coverage gap A coverage gap exists with respect to a policy p when there is a request to which
no rule in p applies. If policies are dened as compositions using a policy algebra, this may
not be a problem: for dierent named sub-policies may be intended to apply to disjoint sets
of requests, with no single named basic policy covering all. However, if it is known that
all requests of a given type should be jointly covered by a given set p
1
, . . . , p
n
of policies,
then we may wish to prove that this is so; this can be done by showing whether there is
any transition such that a request sub:req(act:tar) will be evaluated to n/a by all policies
p
1
, . . . , p
n
. If there any transitions of this sort, then iCCalc will nd them, discovering all
requests that are not covered, as well as the various circumstances in which the gaps occur.
Policy comparison One kind of policy subsumption was dened in [Craven et al., 2009] as hold-
ing between two policies, in the context of a given domain description, when all positive and
negative authorizations and all obligations implied by one policy in a given context, are also
implied by the other policy; the second policy is then said to subsume the rst, for the given
domain description. One purpose of determining whether one policy subsumes another is
when updates to a policy are being considered: if the new policy to be added already has all
its decisions matched by an existing policy, then there may be no reason to add it.
Where p
1
and p
2
are two basic policies (hence sets of rules, rather than algebraic expres-
sions in terms of other policies), then a similar notion of policy subsumption is useful in
the current work. Suppose p
1
and p
2
are positiveanalagous remarks will hold for negative
basic policies. Then, if all contexts in which p
1
determines an action as permitted are also
contexts in which p
2
determines the action as permitted, there can be no reason to add the
rules of p
1
to those of p
2
: p
1
p
2
is the same, for the system being considered, as p
2
. We
can dene this as follows.
Denition 23 Let p
1
and p
2
be basic positive authorization policies, where p
2
features in
some action description D of p(+ or np(+. Let (S, A, R) be the LTS dened by D. Then,
if for all Sub:Act:Tar Actions and all (s, e, s

) R
s e [= permitted(p
1
, Sub:Act:Tar) implies s e [= permitted(p
2
, Sub:Act:Tar)
40
we say that p
2
D-subsumes p
1
, and write this as p
1

D
p
2
. If p
1
and p
2
are negative basic
authorization policies, the denition is the same but with permitted replaced by denied.
Note that if p
2
D-subsumes p
1
, then replacing p
2
by p
1
p
2
has no eect on the transition
system dened, and so no eect on the policy decisions made, however p
2
features in the
denition of the top policy. That this property holds is clearly one reason why this denition
of subsumption is useful.
What if p
1
and p
2
are not both basic policies? In general, there is then the possibility that
for a given request they may take any of the four values p, d, n/a and in. Two natural
denitions of subsumption would then be that p
2
D-subsumes p
1
when, for all (s, e, s

) in
the transition system,
s e [= pdp(p
1
, Sub:Act:Tar)=X implies s e [= pdp(p
2
, Sub:Act:Tar)=X
for (i) X p, d or (ii) X p, d, n/a, in. However, note that where p
1
and p
2
are non-
basic, the expression p
1
p
2
is not meaningful, because p
1
and p
2
are no longer sets of rules.
Instead of considering adding the rules of p
1
to those of p
2
, and thus comparing p
2
with
p
1
p
2
, we might consider replacing p
2
by p
1
; but if p
1
and p
2
are non-basic, then it is not
only the p and d values that may make a dierence. The way p
2
features in the algebraic
denition of the top policy may mean that the values of n/a and in are taken account in
whether the top policy allows an action or not. This means that, if we are interested in
replacing p
2
by p
1
a form of updatethen (ii), above, would be the correct denition of
subsumption. Yet this is very strong: in the context of the given system, p
1
and p
2
should
give identical results to all possible requests.
What if we consider replacing p
2
by p
1
Opp
2
, where Op is a (possibly non-basic) composition
operation which is intended to be as close as possible to set union, and thus to mirror the
situation with basic p
1
and p
2
? The natural candidate here is probably . What denition
of policy subsumption for non-basic p
1
and p
2
would make it true that where p
2
D-subsumes
p
1
, then replacing p
2
by p
1
p
2
has no eect on what the top policy allows? The meanings
of the operators, as shown in Figure 5 and Table 3, make this clear. It is that, for all (s, e, s

)
in the transition system and all Sub:Act:Tar,
s e [= pdp(p
1
, Sub:Act:Tar)=X implies X

[X

k
X s e [= pdp(p
1
, Sub:Act:Tar)=X

]
Testing for policy subsumption is easy using iCCalc. In our rooms example, there are no
two basic policies between which a relation of subsumption holds.
Simulation Simulation is understood here to be the modelling of how the policy-governed
system behaves as a response to various changes in the environment; in this way simulation
does not involve nding out whether some specic policy-related, or norm-related property
holds. One sort of simulation that can be performed using iCCalc is to specify what is
known to be true in an initial state of the system, and then to include hypothetical requests
for actions and non-policy events that occur at various times after the initial state. We can
then see what follows about the state properties of the system under these assumptions,
or how the policy decisions turn out. iCCalc can show all runs consistent with the input
information. It is often instructive to view how a system will behave under a number of
predicted conditions and inputs; this often reveals properties of the policies that are in play
which are unexpectedfor which it did not occur to an analyst to query explicitly.
We can also include, under the current heading, more general system enquiries, such as
whether a given system state is possible if certain policies are in place. In our rooms
example, for instance, we may want to know whether the man and the woman can be in the
top-left room togetherwhether the policies allow this, rather than whether it is acceptable
that they be so. Queries like this are the bread-and-butter of iCCalc usage: in the current
instance the answer is of course that the state is possible, and the further information is
supplied that such a state is not permitted (red).
41
Modular analysis In the case where the dierent policy names are used to hold the policies in
sway over dierent components of a distributed system, it is of course possible to analyse
the behaviour of those components policies separately. In this context, with n components
of a distributed system governed by policies p
1
, . . . , p
n
, each policy p
i
would govern dierent
actions from a p
j
for i ,= j. For any given access request, the p
1
, . . . , p
n
can be dened in
such a way that either all of them evaluate to n/a, or precisely one of them evaluates to p or
d. The top policy can then be dened as the join p
1
p
n
of the various components
policies, and queries can be made of the behaviour of one of the p
i
in isolation, or of the
eect of decisions of the policy p
i
, and the behaviour of the i
th
component it controls. (In
the rooms example, we can view the man and the woman as being dierent components,
with the policy (p
m-restrict
> p
m
) as being the module of the total policy governing the mans
behaviour, and (p
f-stay
> p
f
) as the sub-policy governing the womans behaviour.)
Planning under policies Where an action description has policies, these will be taken account
in any planning query made, as the eects of a request are determined by the policies in
place. Where there are obligations on an agent, these also inuence the solutions to a
planning problem: as the agent will automaticallygiven our understanding of obligation
policies as ECA rulesrequest to try and full any obligation under which it nds itself.
Incorporating the constraints of existing policies into the solution of queries is performed
automatically by iCCalc, which builds only those transitions consistent with the policies i
attempting to solve a planning problem.
There is another way, however, in which we might study the interaction between policies
and plans. Suppose a successful plan has been generated to solve a planning problem in
the presence of given policies. (Perhaps, also, in certain kinds of accordance with norms,
as described above in Planning under norms.) Such a plan will be a sequence of actions
which, if performed, guarantees the state will move from that initially specied to one where
the planning goal is true. The policy engineer may then want to derive a set of policies from
the plan that can be added to the policies already in place, in order to ensure the plan is
followed. The new policies would be obligations: in certain circumstances, and in the right
order, request to perform the actions contained in the plan.
There are complications here which we do not probe further at this time. One concerns
the possibility of adapting the current set of authorization policies in order to allow dierent
obligation policies, implementing a dierent plan. Another concerns the way in which a group
of agents can, with policies governing the various members of the group, jointly achieve the
plans goal. These are subjects for further work.
Policies and Norms Finally, one family of queries concerns the relationship between norms and
policies. If both are in place, and the action description is therefore in np(+, we can ask
about the interaction between the various named policies and the normative status of the
system and its agents. Given the designation of a top policy, then clearly where some agent
s strand of a transition (s, e, s

) is red, there must be an agent-specic permission law

not-permitted() F if G
such that s e [= F G. The top policy must make whatever actions are in F permitted:
the requests for them must be evaluated as p according to the top policy. It is therefore
immediate that, if this redness is one we wish to eliminate, the top policy is not doing its
job: and we can see this only from a query about norms. However, we may expect that one
of the various named policies in terms of which the top policy is dened should cover this
case of redness: should deny the requests for actions comprising F in these circumstances.
If there is such a denial, then the top policy has been badly dened in terms of the other
policies; if there is no such denial, then the policy in question has itself been badly dened.
So, a combined analysis of when red strands arise in the presence of denials according to
the specic policy will indicate how the policies can be repaired in order to eliminate the
redness.
42
Code for the rooms example, together with code for all queries mentioned above, is available
from the iCCalc website, http://www.doc.ic.ac.uk/~rac101/iccalc/.
7 Related work
Some related workthat which is very closely relatedis discussed in the relevant sections of this
report. The background of action languages is presented in Section 2. Work on policy algebras is
discussed in Section 4. The specic formalism we use for the representation of norms is presented
in Section 5.1. In the remainder of the current section we discuss other relevant work.
The closest precursor to the current work is [Gelfond and Lobo, 2008], where a language
/OTL() is presented. This is used to specify positive and negative authorization and obli-
gation policies, where some policies are defeasible and some not, and there is a priority ordering
over the former. As with our work there is a background semantic structure of labelled tran-
sition systems for depicting the changing behaviour of a system. (The authors use the action
language /L of [Baral and Gelfond, 2000] for dening the transition systems, but as the policy
component is not tightly coupled to their system-denition component, many other formalisms
could be used.) The main analytic interest of the authors, at least as represented in the paper,
is in checking various forms of policy compliance with actions that can be performed in the sys-
tem being modelled, and for this reason, policies are not presumed to be enforced: whether or
not an action is permitted or not permitted, or required by an obligation, makes no automatic
dierence to whether the action is performed. In contrast, in our work, policies do automatically
determine whether an action is possible in a given state: policies aect the structure of the tran-
sition system. The reason for the dierence of approaches is probably to be found in the fact that
/OTL() appears to be used for the deliberation of a single agent about which of its behaviours
would be compliant with a policy that is externally set but not enforced: so that policies here
represent laws which the agent may have a good reason to obey, but is not forced to obey. In
this respect, policies are for [Gelfond and Lobo, 2008] what norms are for us, and the reasoning
of [Gelfond and Lobo, 2008]s agent about whether its actions are policy-compliant can be thought
to match the kinds of query we explored in Section 6.2 about the normative status of various ac-
tions. One advantage of our work is then that it enables reasoning about the interaction between
policies in this normative sense, and the policies which are actually in force, or might be, over an
agent. Further, our work is used to represent the norms, policies, and actions of multiple agents
in a system; in its current state, the language of [Gelfond and Lobo, 2008] is designed for policies
governing only a single agentas bets their purpose of considering an agents own reasoning
about whether to adhere to policies. We also have an existing implementation supporting various
kinds of query task, in the form of iCCalc. This implementation can perform the types of analysis
mentioned in [Gelfond and Lobo, 2008].
Two more technical dierences concern the way in which defaults are dealt with and the
treatment of obligations. Defaults in /OTL() are ordered by a priority or preference relation,
and this priority determines which of a set of triggered defaults should be used in generating the
answer sets for a given policy. For us, ordered defaults can be expressed both at the level of policy
composition (using operators such as the > dened in Section 4.2) and within the basic policies
themselvesthough there is no built-in way of expressing ordered defaults in the basic rules: this
can be done in whatever way the policy-designer wishes, using familiar techniques. We regard it
largely as a matter of personal preference which of the two approaches (ordered defaults in the
algebra, or a preference relation as in [Gelfond and Lobo, 2008]) is considered to be more clear:
the expressive power of each seems comparable, as our success in formulating examples from each
approach in the other makes clear.
The second dierence concerns the treatment of obligations. For us, these are not treated
algebraically, and are understood as ECA rules. For [Gelfond and Lobo, 2008], they are treated
in just the same way as authorization policies. This does raise the question of what the essential
dierence between authorizations and obligations is for them. In many systems of modal deontic
logic, an obligation not to do something is equivalent to the negation of permission to do it, and
43
the two concepts are thus interdenable. It is unclear to us whether [Gelfond and Lobo, 2008]
should take this approach too. For us, authorization and obligation policies have orthogonal
interpretations, and the question of the their logical relationship, raised in deontic logic, does not
therefore not arise. That said, further work will examine whether an algebraic approach for our
obligations is appropriate; see Section 8 for more details.
In [Irwin et al., 2006], the authors present a language and semantics that represents both au-
thorization and obligation policies. However, the obligations are explicitly tied to authorizations,
as actions that must be fullled if an access is granted. We can model such obligations in our
work, either as norms of the form
oblig(Sub) A if allow(Sub:Act:Tar) Sub:Act:Tar (34)
or else as policies
obligation(A) if allow(Sub:Act:Tar) Sub:Act:Tar (35)
The choice between them depends on whether the subject being modelled automatically generates
a request in the presence of the given obligation. Finally, in [Craven et al., 2009] the authors
present a formal framework for the analysis of authorization and obligation policies in the context
of dynamic systems. The language has slightly more control over some aspects of the specication
of policies than the current work: time is reied, and so constraints can be used to express the
dependence of current policy logic on historical conditions of the system. However, there is no
normative dimension, and defaults and exceptions for policy decisions are expressed in a much
less structured, more ad-hoc manner than in the current approach, where policy algebra is used
to impose a coherent logic on the combination of dierent (sets of) policy rules. The underlying
formalism of [Craven et al., 2009] is abductive constraint logic programming; one advantage of
using (+ is the ready determination of transition system semantics.
8 Concluding Remarks and Future Work
We have presented a way of introducing the representation of authorization and obligation policies
into an action language, (+. Authorization policies are dened using the policy-algebraic approach
of [Bruns et al., 2007], and obligation policies are treated as event-condition-action rules whose
fullment depends on the right authorizations being in place. Using (+ as a base language allows
the dynamic properties of systems to be studied in relation to policies, and gives an attractive and
widely-used semantics, in the form of labelled transition systems. This provides a potential bridge
to other techniques for system analysis, notably model checking.
The policy component of the language can also be combined with another extension, n(+,
which is used to represent and reason about norms which are binding on multiple subjects or
agents. When both are combined, norms can be viewed as specications which determine when
the states or behaviour of a system and its agents are bad, undesirable, good, ideal, and so on;
and policies can be seen as the concrete attempt to function as the norms dictate. We showed how
a number of properties which relate to these interactions can be expressed and analysed using our
languages. We discussed our implementation of these languages, iCCalc, which can be used for
all the forms of analytic task we mentioned.
There are several directions for future work. First, we are interested in examining how the
ne-grained approach to the analysis of individual and collective agency presented in [Sergot, 2008]
and [Sergot, 2007] might be used in work on policies. One way in which this might help is in the
derivation of policies from norms: if a state or transition violates norms, then an agentive analysis
of the type [Sergot, 2008] shows how to perform could indicate which of a group of subjects was
more responsible for the violation; it is those agents whose policies must be adapted. Another
application of the logic of agency could be in the expression of policies describing what to do
when an agent violates its explicit obligation policies. If that violation occurs as a result of the
agent being forced to do something by a group of other agents, then sanctions imposed by system
44
policies may be dierent than if the agents violation was entirely down to its own actions. These
two applications of what [Sergot, 2008] calls the logic of unwitting collective agency embody
two points at which more rened agentive constructions can enter the current work: the rst,
at the level of queries over the LTS dened; the second, within the object language of policies
itself. The second, as one might expect, would be much more challenging research. We have
begun experiments with an extension of iCCalc, written by Sergot, that model-checks agentive
constructions of [Sergot, 2008] over transition systems dened using p(+ and n(+.
Secondly, we are interested in exploring the connections between the current work and ab-
ductive logic programming. A subclass of the policies and action descriptions it is possible to
represent in p(+ could be given an equivalent formulation as normal logic programs: the main
constraint determining the class is that there be no circular dependencies through causal laws
between constants. This suggests that ACLP can be used to perform analytic tasks for theories
of p(+ and, it seems likely, also np(+. We wish to exploit these relationships and possibilities.
Thirdly, we wish to examine the automated derivation of agent-specic norms from norms, and
of policies from agent-specic norms. If the system normsthose that are not agent-specicare
conceived of as set by a system-wide authority or designer, then the various subjects or agents
that form the system may be interested in deriving policies which guarantee that they will adhere
to the norms. (The intermediate step in this derivation is agent-specic norms.) We expect that
techniques from automated planning could be used in creating policies of this sort. One aspect of
this problem is where agents are grouped together, and where a group derives its policies together
in such a way that all members of the group are norm-compliant. It may be that analysis of the
various agents actions, in terms of the rich set of agentive operators of [Sergot, 2008] referred to
above, allows a better derivation of policies for groups. For example, if x and y are in the same
group of agents, and it can be shown that in a given transition, x brings it about that y violates
the norms where y would not otherwise have done so, then x is the agent for which restraining
policies should be derived, rather than y.
Fourthly, we are interested in the addition of constructions for the representation of knowledge
to the current formalism. In the derivation of policies by which an individual subject should govern
its behaviour, account should presumably be taken of those aspects of an agents environment of
which it is able to be aware. The evaluation of policies by an agents PDP ought to be possible:
there should be no conditions in the body of the policy rules which the agent cannot verify. One way
in which knowledge can be taken into account is suggested by [Gelfond and Lobo, 2008]: on the
basis of a division of uents into those whose values the agent can know, and those it cannot know,
states are divided into equivalence classes, where each class represents how the world might be,
given what an agent knows. However, there is no explicit modelling of the perceptual capabilities,
or the eects of actions on knowledge, at the level of the transition system, and it is precisely this
we are interested in. Here, they may be further entanglements with policies and norms, in that
the policies and norms may themselves state what an agent should come to know.
Fifthly, the composition of obligations. It may be that the sort of approach we use for com-
posing authorization policies can protably be extended to obligation policies. However, the fact
that obligation policies are, for us, ECA rules means that the interpretation of the meaning fo
composition would be dierent. For authorization policies, it is a way of deciding what the result
of a request is, given the relations of a request to various named sets of policy rules; the dierent
decisions of the various sets are combined to produce the total decision. Yet there is no comparable
role for a request in the context of obligation policies, and it is not clear what useful meaning could
be given to a combination of an obligation to do with an obligation to do . We are currently
examing such questions.
Sixthly, in the current work requests themselves are not governed by authorization policies: a
subject does not permission to make a request. The only point to which policies apply is in the
decision whether a request eventuates in the relevant action. This contrasts with a system such as
Ponder [Damianou et al., 2001], where whether or not a request is made is itself subject to policy.
We have modelled, at this stage, at a higher level of abstractionbut we are interested in delving
further in order to represent policies applying to requests. This is the most straightforward of the
various extensions.
45
A Sample code for a rooms example
We here present the input code to iCCalc for a simplied version of the rooms example discussed
throughout the paper, with comments on features of the input. The code is general enough to
support easy adaptations to dierent numbers of agents, rooms, and dierent room topologies; for
this reason the code is more complicated than would be the case if it were suited to the specic
domain only. The language is Prolog.
First, variables are declared which enabe the concise representation of features of the (+
signature, (+ laws, policies and norms:
Ag,OtherAg :: agent(Ag).
M :: male(M).
F :: female(F).
Room,OtherRoom,RoomTo,RoomFrom :: room(Room).
Dir,OtherDir :: direction(Dir).
Whenever one of the variables on the LHS of the :: appears elsewhere in the source code, it is
ground to all values of the rst variable in the list such that the Prolog code on the RHS is true.
For example, if M appears elsewhere in the source code, the clause A if C containing it will be
replaced by A if male(M),C.
Next, some details of objects and other aspects of the domain.
agent(M).
agent(F).
male(m1).
male(m2).
female(f).
room(left).
room(right).
direction(left).
direction(right).
That is: there are two men and one woman; two rooms, named left and right, and two directions
in which to travel between rooms. An agent is a male or a female.
Next, predicates used to make life easier in writing causal laws.
adj(Direction, RoomF, RoomT) :-
ord_basic_adj(Direction, RoomF, RoomT).
adj(Direction, RoomF, RoomT) :-
opp_dir(OppDir, Direction),
ord_basic_adj(OppDir, RoomT, RoomF).
ord_basic_adj(right, left, right).
opp_dir(right, left).
adj/2 denes whether it is possible to go from RoomF to RoomT in direction Direction. The other
predicates are subsidiary denitions.
We can now dene the signature of our action description.
fc(Ag^loc).
sdfc(alone(Ag)).
sdfc(alone(M,F)).
pac(Ag^move^Dir).
46
domain(Ag^loc, Room).
inertial FC :-
fc(FC).
There is one family of simple uent constants, used to record an agents location; it is non-Boolean.
Two kinds of statically-determined uent constants record whether an agent is alone in a room, or a
man is alone in a room with a woman. There is one group of policy-controlled action constant, used
to represent an agents moving in a given direction. (The variable declarations at the beginning
of the source le are used to ll out the signature.) All simple uent constants are inertial.
Now, the causal laws describing movement. Moving somewhere puts an agent there:
Ag^move^Direction causes Ag^loc=RoomT if Ag^loc=RoomF :-
adj(Direction, RoomF, RoomT).
(The body ensures that only topologically possible movement occurs.) We stipulate that it is
also not possible to request to move to non-adjacent rooms. This is not essential, but means that
irrelevant requests are not included. In the same way we require that it is not possible to request
to move in two dierent directions at once.
nonexecutable Ag^req(move^Dir) if Ag^loc=Room :-
\+ adj(Dir, Room, _).
nonexecutable Ag^req(move^Dir) & Ag^req(move^OtherDir) :-
Dir @< OtherDir.
It is not possible for two agents to move concurrently through the same doorwayeither in the
same direction, in or in opposite directions:
nonexecutable Ag^move^Dir & OtherAg^move^Dir
if Ag^loc=Room & OtherAg^loc=Room :-
Ag @< OtherAg.
nonexecutable Ag^move^D & OtherAg^move^OD
if Ag^loc=OR & OtherAg^loc=R :-
Ag \= OtherAg,
adj(D, OR, R),
opp_dir(D, OD).
That is all that is needed for the denition of the eects of movement, and the various constraints
on what is physically possible.
Next, a series of laws dening what it means for an agent to be alone, or a man and a woman
to be alone together.
default alone(Ag).
caused -alone(Ag) if Ag^loc=Room & OtherAg^loc=Room :-
Ag \= OtherAg.
default alone(M, F) if M^loc=Room & F^loc=Room.
caused -alone(M, F) if M^loc=Room & F^loc=OtherRoom :-
Room \= OtherRoom.
caused -alone(M, F) if M^loc=Room & F^loc=Room & Ag^loc=Room :-
M \= Ag,
F \= Ag.
47
The rst law states that people are usually alone. The second states that someone is not alone if
there is someone else in the same room. The third law states that a man is, by default, alone with
a woman if they are in the same room. The fourth states that men and women in dierent rooms
are not alone together, and the fth states that gooseberries get in the way.
We now cover policies. The rst states a user-dened policy operator: this is the > we referred
to and dened in Section 4.2.
pol_abbrev(X > Y, X join ((neg (X join (not X))) meet Y) ).
The rst argument is the operator expression being dened; the second is the denition. Next, we
state and dene the top policy:
top pol is (pmen join (pfemrestrict > pfem)).
This law expresses that pol is the name of the top policy, and that this is dened in terms of three
other policy names: pmen, pfem and pfemrestrict. These three now need dening.
First, pmen:
pmen @
perm(M^move^Dir) if M^loc=R :-
adj(Dir, R, _)
.
The braces enclose a set of policies; the @ is used to prex the sets name. pmen therefore a positive
authorization policy, with a single rule, stating that men may move in any direction physically
possible. A similar policy, pfem, covers women:
pfem @
perm(F^move^Dir) if F^loc=R :-
adj(Dir, R, _)
.
However, women are subject to the additional policy, pfemrestrict:
pfemrestrict @
denied(F^move^Dir) if F^loc=R & M^loc=left :-
adj(Dir, R, left)
.
This means that women will be denied access to the left room if there is a man inside.
That is all the denition of policies needs; the single (non-agent-specic) norm is:
notpermitted alone(M, F).
Any state where a man and woman are alone in a room will be coloured red; all other states will
be green. The red transitions are then determined in accordance with the ggg constraint.
References
[Baral and Gelfond, 2000] Baral, C. and Gelfond, M. (2000). Reasoning agents in dynamic do-
mains. In In Workshop on Logic-Based Articial Intelligence, pages 257279. Kluwer Academic
Publishers.
[Belnap, 1977] Belnap, N. (1977). A useful four-valued logic. In Dunn, J. and Epstein, G., editors,
Modern Uses of Multiple-Valued Logic, pages 837. D. Reidel, Dordrecht.
[Bruns et al., 2007] Bruns, G., Dantas, D. S., and Huth, M. (2007). A simple and expressive
semantic framework for policy composition in access control. In Ning, P., Atluri, V., Gligor,
V. D., and Mantel, H., editors, FMSE, pages 1221. ACM.
48
[Bruns and Huth, 2008] Bruns, G. and Huth, M. (2008). Access-control policies via belnap logic:
Eective and ecient composition and analysis. In CSF, pages 163176. IEEE Computer Society.
[Clark, 1978] Clark, K. (1978). Negation as failure. In Gallaire, H. and Minker, J., editors, Logic
and Databases, pages 293322, New York. Plenum Press.
[Craven et al., 2009] Craven, R., Lobo, J., Ma, J., Russo, A., Lupu, E., Bandara, A., Calo, S., and
Sloman, M. (2009). Expressive policy analysis with enhanced system dynamicity. In ASIACCS,
pages 239250. ACM.
[Craven et al., 2008] Craven, R., Lupu, E., Lobo, J., Bandara, A., Calo, S., Ma, J., Russo, A., and
Sloman, M. (2008). An expressive policy analysis framework with enhanced system dynamicity.
Technical Report, Department of Computing, Imperial College London.
[Craven and Sergot, 2005] Craven, R. and Sergot, M. J. (2005). Distant Causation in (+. Studia
Logica, 79(1):7396.
[Craven and Sergot, 2008] Craven, R. and Sergot, M. J. (2008). Agent strands in the action
language n(+. J. Applied Logic, 6(2):172191.
[Damianou et al., 2001] Damianou, N., Dulay, N., Lupu, E., and Sloman, M. (2001). The ponder
policy specication language. In Sloman, M., Lobo, J., and Lupu, E., editors, POLICY, volume
1995 of LNCS, pages 1838. Springer.
[Erdogan and Lifschitz, 2006] Erdogan, S. T. and Lifschitz, V. (2006). Actions as special cases.
In Doherty, P., Mylopoulos, J., and Welty, C. A., editors, KR, pages 377388. AAAI Press.
[Gelfond and Lifschitz, 1993] Gelfond, M. and Lifschitz, V. (1993). Representing action and
change by logic programs. Journal of Logic Programming, 17:301321.
[Gelfond and Lifschitz, 1998] Gelfond, M. and Lifschitz, V. (1998). Action languages. Electronic
Transactions on AI, 3.
[Gelfond and Lobo, 2008] Gelfond, M. and Lobo, J. (2008). Authorization and obligation policies
in dynamic systems. In de la Banda, M. G. and Pontelli, E., editors, ICLP, volume 5366 of
Lecture Notes in Computer Science, pages 2236. Springer.
[Giunchiglia et al., 2004] Giunchiglia, E., Lee, J., Lifschitz, V., McCain, N., and Turner, H. (2004).
Nonmonotonic causal theories. Articial Intelligence, 153:49104.
[Irwin et al., 2006] Irwin, K., Yu, T., and Winsborough, W. H. (2006). On the modeling and
analysis of obligations. In Juels, A., Wright, R. N., and di Vimercati, S. D. C., editors, ACM
Conference on Computer and Communications Security, pages 134143. ACM.
[Li et al., 2009] Li, N., Wang, Q., Qardaji, W. H., Bertino, E., Rao, P., Lobo, J., and Lin, D.
(2009). Access control policy combining: theory meets practice. In Carminati, B. and Joshi, J.,
editors, SACMAT, pages 135144. ACM.
[McCain and Turner, 1997] McCain, N. and Turner, H. (1997). Causal theories of action and
change. In Shrobe, H. and Senator, T., editors, Proceedings of the Thirteenth National Confer-
ence on Articial Intelligence and the Eighth Innovative Applications of Articial Intelligence
Conference, pages 460465, Menlo Park, California. AAAI Press.
[Ni et al., 2009] Ni, Q., Bertino, E., and Lobo, J. (2009). D-algebra for composing access control
policy decisions. In Li, W., Susilo, W., Tupakula, U. K., Safavi-Naini, R., and Varadharajan,
V., editors, ASIACCS, pages 298309. ACM.
[Reiter, 1980] Reiter, R. (1980). A logic for default reasoning. Articial Intelligence, 13:81132.
49
[Sergot, 2004] Sergot, M. (2004). ((/(+)
++
: An action language for modelling norms and insti-
tutions. Technical Report 2004/8, Department of Computing, Imperial College London.
[Sergot, 2007] Sergot, M. (2007). Action and agency in norm-governed multi-agent systems. In
Artikis, A., OHare, G. M. P., Stathis, K., and Vouros, G. A., editors, ESAW, volume 4995 of
Lecture Notes in Computer Science, pages 154. Springer.
[Sergot, 2008] Sergot, M. (2008). The logic of unwitting collective agency. Technical Report
2008/6, Department of Computing, Imperial College London.
[Sergot and Craven, 2005a] Sergot, M. and Craven, R. (2005a). Logical Properties of Nonmono-
tonic Causal Theories and the Action Language (+. Technical Report 2005/5, Department of
Computing, Imperial College London.
[Sergot and Craven, 2005b] Sergot, M. and Craven, R. (2005b). Some logical properties of non-
monotonic causal theories. In Baral, C., Greco, G., Leone, N., and Terracina, G., editors,
Logic Programming and Nonmonotonic Reasoning, volume 3662 of Lecture Notes in Computer
Science, pages 198210. Springer.
50