As systems evolve, security administrators need to review and update access control policies. Such updates must be carefully controlled due to the risks associated with erroneous or malicious policy changes. We propose a category-based access control (CBAC) model, called
Admin-CBAC
, to control administrative actions. Since most of the access control models in use nowadays (including the popular RBAC and ABAC models), are instances of CBAC, from
Admin-CBAC
we derive administrative models for RBAC and ABAC too. We present a graph-based representation of
Admin-CBAC
policies and a formal operational semantics for administrative actions via graph rewriting. We also discuss implementations of
Admin-CBAC
exploiting the graph-based representation. Using the formal semantics, we show how properties (such as safety, liveness and effectiveness of policies) and constraints (such as separation of duties) can be checked, and discuss the impact of policy changes. Although the most interesting properties of policies are generally undecidable in dynamic access control models, we identify particular cases where reachability properties are decidable and can be checked using our operational semantics, generalising previous results for RBAC and
ABAC
α
.