Designing and evaluating weighted delegatable authorizations

This paper studies logic-based methods for representing and evaluating complex access control policies needed by modern applications. In our framework, authorization and delegation rules are specified in a weighted delegatable authorization program, which is an extended logic program. We show how extended logic programs can be used to specify complex security policies, which support weighted administrative privilege delegation, weighted positive and negative authorizations, and weighted authorization propagations. We also present a conflict resolution method that enables flexible delegation control by considering priorities of authorization grantors and weights of authorizations. We show how this method can be specialized to achieve many of the current existing conflict resolution methods. A number of rules are provided to achieve delegation depth control, conflict resolution, and authorization and delegation propagations. We also show how to use SMODELS to implement weighted delegatable authorization program.