Knowledge management can exploit the new opportunities offered by computer networks and pursue its goals by sharing knowledge among the members of virtual communities. Secure distributed knowledge management introduces new requirements. First, participants should not give up their autonomy to prohibit access to knowledge to users they do not trust, even when the users satisfy the security rules of the virtual community. Second, the rules of policies for managing knowledge in a secure way do not concern only what knowledge the users are prohibited or permitted to access, but they also concern which regulations their members are allowed or obliged to enforce. This is a challenge, because rules refer usually to the actions of users and not to other rules which are obligatory or permitted to adopt. In this paper we introduce a model of policies for secure knowledge management in virtual communities which satisfies the above requirements. The methodology we use is to model distributed knowledge management by means of normative multi-agent systems. Each member of the virtual community is a normative system which interacts with other members and poses prohibitions and permissions about access to its knowledge. 1 1

Abstract. We explain the raison d’être and basic ideas of our gametheoretic approach to normative multiagent systems, sketching the central elements with pointers to other publications for detailed developments.

We are interested in the design of policies for virtual communities of agents based on the grid infrastructure. In a virtual community agents can play both the role of resource consumers and the role of resource providers, and they remain in control of their resources. We argue that this requirement creates a distinction between two dimensions: global vs local and centralized and decentralized control by means of policies. The providers should be enabled to specify their local policies on their own resources, but their policies should be consistent with the global policies. At the same time, some aspects of the decentralized control should be delegated to specialized providers; this delegation requires a distinction between the authorization to access a resource and a permission to do so. 1

Community decisions about access control in virtual communities are non-monotonic in nature. This means that they cannot be expressed in current, monotonic trust management languages such as the family of Role Based Trust Management languages (RT). To solve this problem we propose RT⊖, which adds a restricted form of negation to the standard RT language, thus admitting a controlled form of non-monotonicity. The semantics of RT⊖ is discussed and presented in terms of the well-founded semantics for Logic Programs. Finally we discuss how chain discovery can be accomplished for RT⊖.