PolicyMorph: Interactive Policy Transformations for a
Logical Attribute-Based Access Control Framework
Michael LeMay, Omid Fatemieh, and Carl A. Gunter
University of Illinois at Urbana-Champaign
Constraint systems provide techniques for automatically analyzing
the conformance of low-level access control policies to high-level
business rules formalized as logical constraints. However, there
are likely to be priorities for solutions that are not easy to encode
formally, so administrator input is often important. This paper in-
troduces PolicyMorph, a constraint system that supports interac-
tive development and maintenance of access control policies that
respect both formalized and un-formalized business rules and pri-
orities. We provide a mathematical description of the system and
an architecture for implementing it. We constructed a prototype
that is validated using a case study in which constraints are im-
posed on a building automation system that controls door locks.
PolicyMorph advances the state-of-the-art in constraint systems by
suggesting predictable policy model modifications that will resolve
specific constraint violations and then allowing policy administra-
tors to select the appropriate modifications using knowledge that is
not formally encoded in the constraint system.
Categories and Subject Descriptors:
Systems]:Security and Protection—Access controls;
[Management of Computing and Information Systems]: Secu-
rity and Protection
General Terms: Security
Keywords: attribute based access control, policy administration,
separation of duty, constraints
Many of the challenges that arise during the development and
maintenance of an access control policy are caused by the inability
of the policy administrator to correctly translate high-level busi-
ness requirements into low-level access control policies that can
be implemented in an Access Decision Function (ADF). Several
approaches to this problem have been explored, such as improv-
ing the policy languages themselves to provide more direct ex-
pressions of business requirements. Role-Based Access Control
(RBAC) and Attribute-Based Access Control (ABAC) languages
are representative outcomes of this line of investigation [18, 15].
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
SACMAT’07, June 20-22, 2007, Sophia Antipolis, France.
Copyright 2007 ACM 978-1-59593-745-2/07/0006 ...$5.00.
Another common approach uses constraint languages to test prop-
erties of an ADF and point out violations to the policy adminis-
trator [11, 7]. Because constraint languages can be very expres-
sive, they are able to encode many business rules directly, but such
high-level constraints cannot be used to directly implement an ADF
because they specify what access control policies satisfy the busi-
ness requirements, without actually selecting any particular policy
from the (usually infinite) space of acceptable ones. Thus, most
constraint checkers simply report constraint violations for the for-
malized business rules. This generates a substantial burden on an
administrator because he must not only resolve the violations man-
ually but must also deal with all of the solution priorities that, for
one reason or another, were not formalized within the constraint
system. Another, more subtle, point is that business rules are often
flexible: exceptions are sometimes made, and a burdensome rule
may be ignored or changed. Thus the process of selecting an ADF
in light of business rules benefits from formalization and automated
support, but also requires significant human input.
In this paper we introduce a system called PolicyMorph that
helps administrators interactively assess ABAC access control poli-
cies with respect to logical constraints. That is, PolicyMorph not
only reports constraint violations, but also formulates suggestions
on how to address common types of violations. It then prioritizes
those suggestions, presents them, and allows the administrator to
select the option that produces the most desirable outcome. In par-
ticular, PolicyMorph allows the administrator to evaluate the desir-
ability of each option without forcing him to encode all relevant
constraints in a formal language. This provides a middle ground
between a fully automatic system that places on the administrator a
high burden of formalization and a largely manual system that pro-
vides little help in discovering and resolving specific violations.
To make these concepts more concrete, consider an access con-
trol policy for Personally Identifiable Information (PII) contained
in an online retailer's database and regulated by that organization's
privacy policy, which governs the processing and storage of the PII
collected from customers.
Other works have explored the formal semantics of privacy poli-
cies and explain how to decompose policies into individual goals
that can be analyzed further [1, 6, 14]. These goals can be easily
converted into logical constraints over an ABAC policy. For ex-
ample, consider the privacy goal “maintain confidentiality of cus-
tomer information from third party partners and marketing.” Let us
assume that some employees hold responsibilities in multiple ar-
eas, such as both marketing and information systems support (IS).
As a part of their IS duties, such an employee could be responsi-
ble for the maintenance of a customer email list. Unfortunately,
her membership in the marketing department would disqualify her
from this role according to the privacy rule. The constraint checker
can easily detect this violation, but it is unlikely to know how to op-
timally transfer the responsibility for managing the customer email
list, since workload information, employee preferences, and other
external considerations are rarely encoded into the systems hosting
an access control policy. However, a human policy administrator is
likely to have access to such information and can easily select be-
tween the employees who could be assigned to that task. Thus, the
administrator would be aided by an analysis system that presents a
list of other employees to whom the responsibility could be trans-
ferred, allowing him to make the final selection. On the other hand,
if this re-assignment is viewed as impractical or excessively ex-
pensive, then the administrator may instead choose to adjust the
business rules, perhaps by accepting a weaker level of protection in
which the employee is asked to personally enforce the rule.
Two of the fundamental components in PolicyMorph are its logi-
cal policy and constraint models. Both of these are based on order-
sorted first-order logic [16], which is capable of supporting very
expressive policies [10]. We then describe our interactive environ-
ment for resolving constraint violations and provide examples of
policies where an administrator resolves violations with the help of
PolicyMorph's suggestions and analysis.
This analysis is complicated by the fact that PolicyMorph policies
can use dynamic contextual information from external sources to
make access decisions. We show how this functionality can be sup-
ported without significantly complicating policy definitions, and
while still preserving safety with respect to constraints. In partic-
ular, in one of our examples the location of a subject represented
within the access control system is inferred using presence infor-
mation from an instant messaging protocol and has actually been
implemented in our prototype. We demonstrate how our proto-
type operates as an access decision function using a representative
policy for a building automation system in a sophisticated, object-
oriented application, and also demonstrate our interactive policy
administration tool using that policy.
The rest of this paper is organized as follows. In Section 2 we
present our policy and constraint models; in a similar fashion, Sec-
tion 3 presents our transformation framework. Section 4 describes
an architecture and prototype implementation of these systems.
Section 5 describes an evaluation of the approach using the proto-
type to carry out a case study. Section 6 discusses related work.
Section 7 concludes the paper and summarizes our future work.
2. POLICIES AND CONSTRAINTS
In this section we present the major components of our system,
namely the access control policies, the models needed to interpret
them, and the constraints to be imposed on them. We assume
that the reader is familiar with first-order logic.
Access Control Policies.
A low-level access control policy comprises a set of predicates
with a predefined signature that corresponds to the elements of an
access decision request. To accommodate this signature, policies
use a variety of sorts, including S (agents or principals σ, com-
monly known as subjects, that perform actions on objects), O (ob-
jects δ upon which subjects perform actions), Entities (a super-sort
of both S and O), Actions (η), Contexts (runtime information γ that
can be incorporated into access decisions), and Justifications (com-
pound terms κ that specify every reason that a positive access deci-
sion was provided). More formally, a policy is a first-order formula
which can be represented as follows:
f ⇒ Permitted(σ,δ,η,γ,κ)
Whenever this formula is satisfied, it indicates that the correspond-
ing access request should be granted. To understand the role of κ,
one should consider it to be an output of the predicate, rather than
an input parameter to be tested. It is not used in the decision mak-
ing process, but is simply unified with the reasons that a positive
access decision was made, as discussed in more detail later.
Members of Contexts represent a specific set of conditions that
hold in the environment into which the access control system is
integrated. Each context is a relation that maps arbitrary, applica-
tion-defined keys to arbitrary values:
∀γ ∈ Contexts. γ ⊆ CtxKeys × CtxValues,
where CtxKeys and CtxValues are application-defined sorts. Each
context relation is customarily a partial function. However, the pol-
icy for each application has the freedom to define its own mecha-
nisms for representing and processing contextual information.
Elements of Justifications are used to convey the exact reasons
that a particular access decision is granted. Using a backtracking
engine like the one built into Prolog interpreters [17], it is possi-
ble to determine all possible justifications for a particular access
decision.
Each element of Justifications can be formally expressed as a
set of individual reasons for why a positive decision was made, al-
though the same formulation could also be used to justify negative
decisions if our system supported such decisions. Justifications are
simply sets of reasons and sets of labels. We now present each
reason currently recognized by our framework:
∀ε ∈ Entities,∀α ∈ A.
HasAttr(ε,α) ∈ Reasons ∧
NotHasAttr(ε,α) ∈ Reasons
The HasAttr reason specifies that the entity ε possesses a spe-
cific attribute α, whereas NotHasAttr signifies that ε lacks α. This
convention is also used for the following reasons. Any reason with
a name prefixed by “Not” carries the opposite meaning of the pos-
itive reason with the same parameters.
∀ε ∈ Entities,∀α ∈ A.
HasSubAttr(ε,α) ∈ Reasons ∧
NotHasSubAttr(ε,α) ∈ Reasons
The HasSubAttr reason specifies that the entity ε possesses an
attribute that has the specified attribute α as a direct or indirect
parent in the attribute hierarchy (the hierarchy will be described
later and is reflexive, so that the specified attribute itself is included
in the set of acceptable attributes).
∀ε ∈ Entities.
IsNamed(ε) ∈ Reasons ∧
NotIsNamed(ε) ∈ Reasons
The IsNamed reason is required because policies can take the
identity of the entities named in the request into consideration
when making the decision.
These reasons can be used to describe the operation of typical
policies supported by our system. Specifically, the framework sup-
ports permission terms that consider the association or disassocia-
tion of an attribute to an entity, or the identity or non-identity of an
entity when making an access decision. However, administrators
are not restricted to those policies that can be characterized by this
justification framework. Any term that is not specially supported
by the framework will be wrapped in a generic reason that simply
conveys the term verbatim.
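As an added illustration (not code from the paper or its prototype), the following Python models the policy form f ⇒ Permitted(σ,δ,η,γ,κ) with the reasons listed above, a context relation γ treated as a partial function from keys to values, and the PII separation-of-duty scenario from the introduction: the constraint checker reports the violating subject together with the justification that explains the grant, and then lists the other employees to whom the duty could be transferred, leaving the final choice to the administrator. The entity names, attributes, rules, and the `location` context key are assumptions constructed for this example.

```python
"""Added example (not from the paper): an ABAC access decision
function with Prolog-style justifications, a context relation, a
formalized business rule checked as a constraint, and
PolicyMorph-style reassignment suggestions.  All names, attributes,
rules and context keys below are constructed for illustration."""
from dataclasses import dataclass

# Attribute hierarchy as a child -> parent map (constructed).
# HasSubAttr is reflexive and transitive over this relation.
PARENT = {"marketing": "employee", "is_support": "employee",
          "is_dba": "is_support"}

def ancestors(attr):
    """Reflexive-transitive closure: attr and every parent above it."""
    chain = [attr]
    while attr in PARENT:
        attr = PARENT[attr]
        chain.append(attr)
    return chain

# Entities sort: subjects and objects, each with an attribute set.
SUBJECTS = {"alice": {"marketing", "is_support"},  # duties in two areas
            "bob": {"is_dba"},
            "carol": {"is_support"},
            "dave": {"marketing"}}
OBJECTS = {"customer_email_list": {"pii"}}
ATTRS = {**SUBJECTS, **OBJECTS}

def has_attr(e, a):
    return a in ATTRS.get(e, set())

def has_sub_attr(e, a):
    return any(a in ancestors(x) for x in ATTRS.get(e, set()))

@dataclass(frozen=True)
class Reason:
    """One element of the Reasons sort; 'Generic' wraps a term the
    justification framework does not specially support."""
    kind: str
    entity: str
    arg: str

def check_term(term, sigma, delta, gamma):
    """Evaluate one term of a rule body.  Returns the Reason it yields,
    or None if the term is false.  Terms are (kind, role_or_key, arg)."""
    kind, role, arg = term
    if kind == "Ctx":                       # gamma: CtxKeys -> CtxValues,
        ok = gamma.get(role) == arg         # a partial function
        return Reason("Generic", f"ctx[{role}]", arg) if ok else None
    ent = sigma if role == "subject" else delta
    neg = kind.startswith("Not")            # Not* reasons are the negation
    base = kind[3:] if neg else kind
    ok = {"HasAttr": has_attr, "HasSubAttr": has_sub_attr,
          "IsNamed": lambda e, a: e == a}[base](ent, arg)
    return Reason(kind, ent, arg) if ok != neg else None

# The policy: one conjunctive rule per entry, each an instance of
# f => Permitted(sigma, delta, eta, gamma, kappa).
POLICY = [
    # IS staff (any attribute under is_support) may maintain PII on site.
    ("maintain", [("HasSubAttr", "subject", "is_support"),
                  ("HasAttr", "object", "pii"),
                  ("Ctx", "location", "office")]),
    # The named DBA may maintain the email list from anywhere.
    ("maintain", [("IsNamed", "subject", "bob"),
                  ("IsNamed", "object", "customer_email_list")]),
]

def permitted(sigma, delta, eta, gamma):
    """Return every justification kappa (one per satisfied rule), as a
    backtracking engine enumerating all proofs of Permitted would."""
    kappas = []
    for action, terms in POLICY:
        if action != eta:
            continue
        reasons = [check_term(t, sigma, delta, gamma) for t in terms]
        if all(reasons):
            kappas.append(frozenset(reasons))
    return kappas

# Formalized business rule (the constraint): nobody in marketing may be
# permitted to maintain customer PII.
def violations(gamma):
    """Violating subjects, each with the justifications behind the grant."""
    return [(s, permitted(s, "customer_email_list", "maintain", gamma))
            for s in SUBJECTS
            if has_attr(s, "marketing")
            and permitted(s, "customer_email_list", "maintain", gamma)]

def suggest_reassignment(violator, delta, eta, gamma):
    """Other subjects the policy already permits for this request who do
    not violate the constraint; the administrator picks among them using
    knowledge (workload, preferences) that is not encoded here."""
    return sorted(s for s in SUBJECTS
                  if s != violator and not has_attr(s, "marketing")
                  and permitted(s, delta, eta, gamma))

if __name__ == "__main__":
    office = {"location": "office"}
    for subject, kappas in violations(office):
        print(subject, "violates the constraint; justifications:", kappas)
        print("candidates:", suggest_reassignment(
            subject, "customer_email_list", "maintain", office))
```

Note that the justification is what makes the suggestion mechanical: the violating grant for `alice` is explained by `HasSubAttr(alice, is_support)`, so the candidates are exactly the subjects that satisfy the same rule body without the forbidden attribute. Because the context term is part of the rule body, the same checker also shows that the violation disappears when the location is not `office`, which is why constraint analysis over context-dependent policies must be run against the contexts the policy can actually observe.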
arithmetic variables. This is a feature that may prove beneficial to
PolicyMorph if implemented in the future.
Our system uses justifications to encode the reasons that a partic-
ular positive access control decision was made. These justifications
are used to audit the normal operation of the system and also to
resolve constraint violations. Other systems have been developed
that generate reasons for negative access control decisions, such as
Know [13]. However, these reasons are presented to the subjects
themselves, rather than being reserved for those with access to the
policy administrative system and audit log. Thus, Know must take
special precautions to ensure that subjects are unable to manipulate
the system and determine significant portions of the access con-
trol policy from the denial justifications they receive. PolicyMorph
and Know provide two different examples of how access decision
justifications can be useful to both users and administrators.
Margrave is a system for analyzing access control policies writ-
ten in a subset of XACML [9]. It allows authorization constraints to
be encoded and validated, and also provides change analysis func-
tionality, so that all the permission changes introduced by policy
changes can be enumerated. Our system provides similar function-
ality for a logical policy language, and also provides an interactive
environment that suggests resolutions to constraint violations.
An Attribute-Based Access Control framework constructed
in Constraint-Logic Programming was motivated and presented
in [18]. It has a good discussion of why ABAC is often prefer-
able to RBAC and other models. The logical model used there
is focused on sets of attributes and services, rather than subjects
and objects, although it provides similar capabilities to our under-
lying policy system. The paper also discusses policy optimization
techniques that could be applied to optimize our policies. Again,
it lacks resolution strategies.
7. CONCLUSIONS AND FUTURE WORK
In conclusion, PolicyMorph advances the state-of-the-art in log-
ical ABAC access control policy and constraint models by intro-
ducing an interactive policy validation and transformation method-
ology that leverages the knowledge and preferences of a human
administrator while still assisting the administrator in the decision
process and providing comprehensive analysis of transformation
effects. We have demonstrated the utility of our system using real-
istic building automation scenarios drawn from an academic setting
and integrating dynamic contextual information.
Since our policy administration tool is fully functional, in the
future we would like to develop a graphical interface to assist with
iterative access control policy and model design and maintenance.
We would like to thank Sundeep Reddy for participating with
the authors on this project. Nikita Borisov, Michael Reiter, Xin-
ming Ou, Marrianne Winslett, Roy Maxion, Anupam Datta, and
Matt Bishop all provided helpful comments on our project that in-
fluenced this paper. This work was partially supported by: NSF
CNS05-5170 CNS05-09268 CNS05-24695, ONR N00014-04-1-
0562 N00014-02-1-0715, and a grant from MacArthur Foundation.
Michael LeMay was supported on an NDSEG fellowship from the
[1] A. Antón, J. Earp, D. Bolchini, Q. He, C. Jensen, and
W. Stufflebeam. The Lack of Clarity in Financial Privacy
Policies and the Need for Standardization. IEEE Security &
Privacy, 2(2):36–45, 2004.
[2] S. Barker and P. J. Stuckey. Flexible access control policy
specification with constraint logic programming. ACM
Trans. Inf. Syst. Secur., 6(4):501–546, 2003.
[3] D. Bell and L. LaPadula. Secure computer systems:
Mathematical foundations (volume 1). Technical report.
[4] K. J. Biba. Integrity Considerations for Secure Computer
Systems. Technical Report ESD-TR-76-372, USAF
Electronic Systems Division, Bedford, MA, Apr. 1977. (Also
available through National Technical Information Service,
Springfield, VA, NTIS AD-A039324.)
[5] J. P. Boyer, K. Tan, and C. A. Gunter. Privacy sensitive
location information systems in smart buildings. In SPC '05:
Proceedings of the 3rd International Conference on Security
in Pervasive Computing, 2005.
[6] T. Breaux and A. Antón. Deriving Semantic Models from
Privacy Policies. In Proceedings of the 6th IEEE Workshop
on Policies for Distributed Systems and Networks, pages
67–76, Stockholm, Sweden, 2005.
[7] J. Crampton. Specifying and enforcing constraints in
role-based access control. In SACMAT '03: Proceedings of
the eighth ACM symposium on Access control models and
technologies, pages 43–50, New York, NY, USA, 2003.
[8] B. Demoen and P. Nguyen. Odd Prolog benchmarking. CW
Report 312, KU Leuven, 2001.
[9] K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C.
Tschantz. Verification and change-impact analysis of
access-control policies. In ICSE '05: Proceedings of the 27th
International Conference on Software Engineering, 2005.
[10] J. Halpern and V. Weissman. Using first-order logic to reason
about policies. In Proceedings of the 16th IEEE Computer
Security Foundations Workshop, pages 187–201, 2003.
[11] T. Jaeger, R. Sailer, and X. Zhang. Resolving constraint
conflicts. In SACMAT '04: Proceedings of the ninth ACM
symposium on Access control models and technologies,
pages 105–114, New York, NY, USA, 2004. ACM Press.
[12] T. Jaeger and J. E. Tidswell. Practical safety in flexible
access control models. ACM Trans. Inf. Syst. Secur.
[13] A. Kapadia, G. Sampemane, and R. H. Campbell. Know why
your access was denied: regulating feedback for usable
security. In CCS '04: Proceedings of the 11th ACM
conference on Computer and communications security,
pages 52–61, New York, NY, USA, 2004. ACM Press.
[14] M. J. May, C. A. Gunter, and I. Lee. Privacy APIs: Access
control techniques to analyze and verify legal privacy rules.
In Computer Security Foundations Workshop (CSFW '06),
Venice, Italy, July 2006. IEEE.
[15] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E.
Youman. Role-based access control models. IEEE Computer.
[16] J. G. Stell. A framework for order-sorted algebra. In AMAST
'02: Proceedings of the 9th International Conference on
Algebraic Methodology and Software Technology, pages
396–411, Reunion Island, France, September 2002.
[17] L. Sterling and E. Shapiro. The Art of Prolog (2nd ed.):
Advanced Programming Techniques. MIT Press, Cambridge,
MA, USA, 1994.
[18] L. Wang, D. Wijesekera, and S. Jajodia. A logic-based
framework for attribute based access control. In FMSE '04:
Proceedings of the 2004 ACM workshop on Formal methods
in security engineering, pages 45–55, New York, NY, USA,
2004. ACM Press.