Flexible access control policy specification with constraint logic programming

Steve Barker, Peter J. Stuckey

Research output: Contribution to journalArticleResearchpeer-review

95 Citations (Scopus)


We show how a range of role-based access control (RBAC) models may be usefully represented as constraint logic programs, executable logical specifications. The RBAC models that we define extend the "standardμ RBAC models that are described by Sandhu et al., and enable security administrators to define a range of access policies that may include features, like denials of access and temporal authorizations, that are often useful in practice, but which are not widely supported in existing access control models. Representing access policies as constraint logic programs makes it possible to support certain policy options, constraint checks, and administrator queries that cannot be represented by using related methods (like logic programs). Representing an access control policy as a constraint logic program also enables access requests and constraint checks to be efficiently evaluated.

Original languageEnglish
Pages (from-to)501-546
Number of pages46
JournalACM Transactions on Information and System Security
Issue number4
Publication statusPublished - 1 Nov 2003
Externally publishedYes


  • Constraint logic programming
  • Role-based access control

Cite this