On the Expressive Power of Negated Conditions and Negative Authorizations in Access Control Models

Abstract

Access control policies specify which access requests should be allowed or denied in a system. Many access control policy models have used the concept of “negation” as part of their policy language, to enable fine-grained specification of authorizations. We identify two forms of this concept in the literature, namely, negated conditions and negative authorizations (deny rules). We argue that the choice of supporting negated conditions or negative authorizations can affect the expressive power of a policy model. Understanding their differences is crucial for designing an appropriate policy model for an intended application. However, no prior work has concretely analyzed them.In this work, we formally analyze the expressive power of negated conditions and negative authorizations. We formulate two abstract policy models that support negated conditions and negative authorizations (including consideration of different meta-policies). Then, using a logic-based representation of policies, we prove the relative expressive power of those models in the context of a formal access control expressiveness analysis framework. The main result of our analysis is that models which support negated conditions are more expressive than models that support negative authorizations. That is, using negated conditions, we can represent all policies that can be expressed using negative authorizations. However, the converse is not true, i.e., negative authorizations cannot fully represent policies supporting negated conditions.