Computing Reviews
A propositional policy algebra for access control
Wijesekera D., Jajodia S. ACM Transactions on Information and System Security 6(2): 286-325, 2003. Type: Article
Date Reviewed: May 29 2003

The authors of this paper present a comprehensive framework for composing, analyzing, and handling complex access control policies as an algebra of abstract symbols that is independent of security policy models and implementations. The algebra includes a complete set of operators, including union, conjunction, difference, negation, scoping, provisioning, sequential composition, completion, and conflict resolution, to effectively describe the manipulation of access control policies of different kinds. The policies, as elements of the algebra, are defined as non-deterministic transformers on permission set assignments to subjects, where permission sets are interpreted as collections of (object, action) pairs. Therefore, complicated security environments and their enforcement mechanisms can be modeled with this approach.

A comprehensive theoretical analysis of the operators is the focus of this paper, which provides practical algebraic rules for determining when two policies are equivalent.

Valuable features of composed policies, such as completeness, consistency, and determinism, are also explored in depth. As a result, the authors present efficient methods for expressing policies effectively and for identifying the conditions under which composed policies preserve their consistency, completeness, or determinism.

The proposed framework equips software engineers with the ability to construct complex access control policies from simple atomic policies, and provides a universal approach for comparing and reusing existing policies. Developers of security and protection technologies will also benefit from reading this paper.

Reviewer: Kirill Rezchikov
Review #: CR127674 (0309-0926)
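
The model summarized in the review, policies as non-deterministic transformers on a subject's permission set, can be made concrete with a small sketch. This is an added example, not code from the paper or the review. It assumes signed permissions, reads union, conjunction, difference and sequential composition as the corresponding operations on relations, and uses working definitions of determinism, consistency and completeness chosen for illustration. All policy names and data are constructed.

```python
# Added example; definitions are working assumptions, not quoted from the paper.
# Permission: (object, action, sign), where "+" grants and "-" denies.
# State: (subject, frozenset of permissions). Policy: set of (state_in, state_out).

def union(p, q):       return p | q   # either policy may fire
def conjunction(p, q): return p & q   # only transitions both policies allow
def difference(p, q):  return p - q   # transitions of p that q does not allow

def compose(p, q):
    """Sequential composition: q is applied to every outcome of p."""
    return {(a, c) for (a, b) in p for (b2, c) in q if b == b2}

def outcomes(policy, state):
    return {out for (inp, out) in policy if inp == state}

def is_deterministic(policy, states):
    """At most one outcome per input state."""
    return all(len(outcomes(policy, s)) <= 1 for s in states)

def is_consistent(policy):
    """No outcome both grants and denies the same (object, action)."""
    return all(not ((o, a, "+") in perms and (o, a, "-") in perms)
               for _, (_, perms) in policy for (o, a, _s) in perms)

def is_complete(policy, states, universe):
    """Every state has an outcome that decides every pair in universe."""
    return all(outcomes(policy, s) and
               all(any((o, a, sg) in perms for sg in "+-")
                   for (_, perms) in outcomes(policy, s) for (o, a) in universe)
               for s in states)

def state(subject, *perms):
    return (subject, frozenset(perms))

# Constructed sample data: one subject, one (object, action) pair.
UNIVERSE = [("payroll", "read")]
EMPTY = state("alice")
GRANTED = state("alice", ("payroll", "read", "+"))
DENIED = state("alice", ("payroll", "read", "-"))
CONFLICT = state("alice", ("payroll", "read", "+"), ("payroll", "read", "-"))

hr = {(EMPTY, GRANTED)}             # atomic policy: grant payroll read
audit = {(EMPTY, DENIED)}           # atomic policy: deny payroll read
append_deny = {(GRANTED, CONFLICT)} # adds a denial on top of an existing grant
```

Each atomic policy here is deterministic and complete on its own, yet their union is non-deterministic, their conjunction is incomplete, and composing `hr` with `append_deny` is inconsistent, which is the kind of property loss under composition the review says the paper characterizes.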
Security, Integrity, And Protection (H.2.7 ... )
Security and Protection (K.6.5)

Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®