Abstract. Policies are being increasingly used for automated system management and controlling the behavior of complex systems, allowing administrators to modify system behavior without changing source code or requiring the consent or cooperation of the components being governed. Past approaches to policy representation have been restrictive in many ways. By way of contrast, semantically-rich policy representations can reduce human error, simplify policy analysis, reduce policy conflicts, and facilitate interoperability. In this paper, we compare three approaches to policy representation, reasoning, and enforcement. We highlight similarities and differences between Ponder, KAoS, and Rei, and sketch out some general criteria and properties for more adequate approaches to policy semantics in the future. 1

As the interest in using policy-based approaches for systems management grows, it is becoming increasingly important to develop methods for performing analysis and refinement of policy specifications. Although this is an area that researchers have devoted some attention to, none of the proposed solutions address the issue of deriving implementable policies from high-level goals. A key part of the solution to this problem is having the ability to identify the operations, available on the underlying system, which can achieve a given goal. This paper presents an approach by which a formal representation of a system, based on the Event Calculus, can be used in conjunction with abductive reasoning techniques to derive the sequence of operations that will allow a given system to achieve a desired goal. Additionally it outlines how this technique might be used for providing tool support and partial automation for policy refinement. Building on previous work on using formal techniques for policy analysis, the approach presented here applies a transformation of both policy and system behaviour specifications into a formal notation that is based on Event Calculus. Finally, it shows how the overall process could be used in conjunction with UML modelling and illustrates this by means of an example. 1.

In this work, we have been principally concerned with the representation of contracts so that their normative state may be tracked in an automated fashion over their deployment lifetime. The normative state of a contract, at a particular time, is the aggregation of instances of normative relations that hold between contract parties at that time, plus the current values of contract variables. The effects of contract events on the normative state of a contract are specified using an XML formalisation of the Event Calculus, called ecXML. We use an example mail service agreement from the domain of web services to ground the discussion of our work. We give a characterisation of the agreement according to the normative concepts of: obligation, power and permission, and show how the ecXML representation may be used to track the state of the agreement, according to a narrative of contract events. We also give a description of a state tracking architecture, and a contract deployment tool, both of which have been implemented in the course of our work. 1

Role-Based Access Control (RBAC) is a widely used model for expressing access control policies. In large organizations, the RBAC policy may be collectively managed by many administrators. Administrative RBAC (ARBAC) is a model for expressing the authority of administrators, thereby specifying how an organization’s RBAC policy may change. Changes by one administrator may interact in unintended ways with changes by other administrators. Consequently, the effect of an ARBAC policy is hard to understand by simple inspection. In this paper, we consider the problem of analyzing ARBAC policies, in particular to determine reachability properties (e.g., whether a user can eventually be assigned to a role by a group of administrators) and availability properties (e.g., whether a user cannot be removed from a role by a group of administrators) implied by a policy. We first establish the connection between security policy analysis and planning in Artificial Intelligence. Based partly on this connection, we show that reachability analysis for ARBAC is PSPACE-complete. We also give algorithms and complexity results for reachability and related analysis problems for several categories of AR-BAC policies, defined by simple restrictions on the policy language. 1.

Abstract. Presently, there is no satisfactory model for dealing with political autonomy of agents in policy based management. A theory of atomic policy units called ‘promises ’ is therefore discussed. Using promises, a global authority is not required to build conventional management abstractions, but work is needed to bind peers into a traditional authoritative structure. The construction of promises is precise, if tedious, but can be simplified graphically to reason about the distributed effect of autonomous policy. Immediate applications include resolving the problem of policy conflicts in autonomous networks. 1

Policy-based management provides the ability to (re-)configure differentiated services networks so that desired Quality of Service (QoS) goals are achieved. Relevant configuration involves implementing network provisioning decisions, performing admission control, and adapting bandwidth allocation dynamically according to emerging traffic demands. A policy-based approach facilitates flexibility and adaptability in that the policies can be changed without changing the implementation. However, as with any other complex system, conflicts and inconsistencies may arise in the policy specification. In this work, we concentrate on the policy conflicts that may occur for static resource management aspects of QoS provisioning, known as Network Dimensioning. The paper shows how conflict detection can be achieved using Event Calculus in conjunction with abductive reasoning techniques to detect the existence of potential conflicts in partial specification and generate explanations for the conditions under which the conflicts arise. We finally present some conflict detection examples from our initial implementation of a policy conflict analysis tool. Although we focus on network dimensioning, many of the types of conflicts we illustrate could arise in other applications. 1.

Utility Computing (UC) is concerned with the provisioning of computational resources (compute-power, storage, network bandwidth), on a per-need basis, to corporate businesses. Service-level Agreements (SLAs)-contracts between a provider and a customer- are a sine qua non in the deployment of UC. A crucial stage in the life-cycle of contracts (such as SLAs) is their automated performance monitoring while active; a significant aspect of which concerns the tracking of contract state. In this work, we define an ontology to capture aspects of SLAs that are pertinent to the tracking of state for performance monitoring, and generalise these aspects so that the ontology may be applicable to other contract domains. The ontology is formalised as an XML-based language, called CTXML (contract tracking XML). The semantics for CTXML are presented in terms of a computational model based on the Event Calculus. 1.

The last years have seen a major interest in designing and deploying trust management and public key infrastructures. Yet, it is still far from clear how one can pass from the organization and system requirements to the actual credentials and attribution of permissions in the PKI infrastructure.

We present a model for policy based management, stressing the role of decisive autonomy in generalized networks. The organization and consistency of agent cooperation is discussed within a cooperative network. We show that some simple rules can eliminate formal inconsistencies, allowing robust approximations to management. Using graph theoretical ranking methods, we evaluate also the probable consistency and robustness of cooperation in a network region. Our theory makes natural contact with social network models in building a theory of pervasive computing. We illustrate our model with a number of examples. Index Terms Configuration management, ad hoc networks, peer to peer, pervasive computing. I.

The automated performance monitoring of contracts, in terms of tracking contract state, is an important issue investigated in this work. We define contract state to be the sum of the normative relations that hold between contract parties. In order to facilitate state tracking, we define an XML formalisation of the Event Calculus, ecXML. This language is used to describe how a contract’s state evolves, according to events that are described in the contract. The work is grounded in the domain of Utility Computing (UC). UC is concerned with the provisioning of computational resources (computepower, storage, network bandwidth), on a per-need basis, to corporate businesses. Service-level Agreements (SLAs)- contracts between a provider and a customer-are a sine qua non in the deployment of UC. 1.