We study the specification of access control policy in large-scale distributed systems. Our
We present a declarative authorization language. Policies and credentials are expressed using predicates defined by logical clauses, in the style of constraint logic programming. Access requests are mapped to logical authorization queries, consisting of predicates and constraints combined by conjunctions, disjunctions, and negations. Access is granted if the query succeeds against the current database of clauses. Predicates ascribe rights to particular principals, with flexible support for delegation and revocation. At the discretion of the delegator, delegated rights can be further delegated, either to a fixed depth, or arbitrarily deeply.

Our language strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. The syntax is close to natural language, and the semantics consists of just three deduction rules. The language can express many common policy idioms using constraints, controlled delegation, recursive predicates, and negated queries. We describe an execution strategy based on translation to Datalog with Constraints, and table-based resolution. We show that this execution strategy is sound, complete, and always terminates, despite recursion and negation, as long as simple syntactic conditions are met.

Appendix. Auxiliary definitions and proofs

This appendix contains proofs of all theorems stated in the main part of the paper as well as supporting lemmas and definitions.

A.1. Authorization queries

Proof. By induction on the definition of .

Lemma A.2. Let AC be safe. If AC, θ e says fact then dom(θ) = vars(e says fact).

Proof. Follows immediately from the definitions of and |=.

Lemma A.3. If I q: O then for all substitutions θ that map variables to constants, I − dom(θ) qθ: O − dom(θ).

Proof. By induction on q.

Corollary A.4. If I q: O and I ⊆ dom(θ) then qθ is safe, for all substitutions θ that map variables to constants.

Lemma A.5. If ∅ q: O and AC, θ q then O ⊆ dom(θ).

Proof. By induction on q. Suppose q ≡ e says fact. Then O = vars(e says fact) = dom(θ), by Lemma A.2. Suppose q ≡ q1, q2 and θ ≡ θ1θ2. By the induction hypothesis, O1 ⊆ dom(θ1). Therefore, by Lemma A.3, ∅ q2θ1: O2 − dom(θ1). Then by the induction hypoth-

The other cases are straightforward.

Lemma A.6. If AC and q1, q2 are safe and AC, θ1 q1 then q2θ1 is safe.

Proof. From the definition of safety and it follows that ∅ q1, q2: O1 ∪ O2 where ∅ q1: O1. By Lemma A.5, O1 ⊆ dom(θ1). Then by Corollary A.4, q2θ1 is safe.

632 M.Y. Becker et al. / SecPAL

A.2. Translation into Datalog with Constraints

Lemma A.7 (Soundness). Let AC be safe and let P be its Datalog translation. If

Proof. We assume A says_D fact ∈ T_P^ω(∅) and prove the statement by induction on the stages T_P^n.

Case Step 1 and 2a. If A says_D fact is added based on a clause produced by Step 1 or 2a, then by the inductive hypothesis, AC, D |= A says fact_i θ for i = 1, ..., n. Furthermore, cθ is ground and valid, so by Rule (cond), AC, D |= A says fact.

Case Step 2b. If A says_∞ fact is added ...
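As an added example that is not from the paper or its implementation: a minimal bottom-up (fixpoint) evaluator in Python for the three SecPAL deduction rules, (cond), (can say) and (can act as), over ground assertions. Variables and constraints are omitted; delegation depth is 0 (the delegate may not re-delegate) or ∞; the principals and files in the sample policy are constructed placeholders.

```python
INF = "inf"                      # delegation depth: 0 (no re-delegation) or INF

def assertion(issuer, fact, *conds):
    """issuer says fact if conds; every fact is a ground (subject, verbphrase)."""
    return (issuer, fact, tuple(conds))

def can_say(depth, fact):        # verbphrase "can say_depth fact"
    return ("can_say", depth, fact)

def can_act_as(principal):       # verbphrase "can act as principal"
    return ("can_act_as", principal)

def derive(ac):
    """Least fixpoint of judgements (A, fact, D) read as  AC, D |= A says fact."""
    derived = set()
    while True:
        new = set()
        # (cond): conditions must hold at depth INF; the conclusion holds at both depths
        for issuer, fact, conds in ac:
            if all((issuer, c, INF) in derived for c in conds):
                new |= {(issuer, fact, 0), (issuer, fact, INF)}
        for a, (b, vp), d in derived:
            # (can say): AC, INF |= A says B can say_D fact  and  AC, D |= B says fact
            if vp[0] == "can_say" and d == INF and (b, vp[2], vp[1]) in derived:
                new.add((a, vp[2], INF))
            # (can act as): AC, D |= A says B can act as C  and  AC, D |= A says C vp'
            if vp[0] == "can_act_as":
                for a2, (s2, vp2), d2 in derived:
                    if (a2, s2, d2) == (a, vp[1], d):
                        new.add((a, (b, vp2), d))
        if new <= derived:       # nothing new: fixpoint reached (finite for ground AC)
            return derived
        derived |= new

def holds(ac, issuer, fact):
    """Authorization query 'issuer says fact', evaluated at the top-level depth INF."""
    return (issuer, fact, INF) in derive(ac)

# Constructed sample policy (hypothetical principals admin, fs, bob, alice, carol).
READ1 = ("alice", ("can_read", "file1"))
READ2 = ("alice", ("can_read", "file2"))
POLICY = [
    assertion("admin", ("fs", can_say(0, READ1))),       # fs may grant, not re-delegate
    assertion("fs", READ1),                              # fs grants directly: succeeds
    assertion("admin", ("fs", can_say(0, READ2))),
    assertion("fs", ("bob", can_say(INF, READ2))),       # fs re-delegates to bob ...
    assertion("bob", READ2),                             # ... so admin does NOT conclude READ2
    assertion("admin", ("carol", can_act_as("alice"))),  # carol inherits alice's rights
]
```

The depth-0 delegation to fs blocks the chain through bob because (can say) only ever concludes at depth ∞, while admin's assertion requires fs to establish READ2 at depth 0.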