Access-Control Policies Via Belnap Logic: Effective and Efficient Composition and Analysis

It is difficult to develop and manage large, multi-author access control policies without a means to compose larger policies from smaller ones. Ideally, an access-control policy language will have a small set of simple policy combinators that allow for all desired policy compositions. A policy language was presented by the authors, having policy combinators based on Belnap logic, a four-valued logic in which truth values correspond to policy results of "Grant", "Deny", "Conflict", and "Undefined". The authors show here how policies in this language can be analyzed, and study the expressiveness of the language. To support policy analysis, they define a query language in which policy analysis questions can be phrased.