Collaborative and distributed applications, such as dynamic coalitions and virtualized grid computing, often require integrating access control policies of collaborating parties. Such an integration must be able to support complex authorization specifications and the fine-grained integration requirements that the various parties may have. In this paper, we introduce an algebra for fine-grained integration of sophisticated policies. The algebra, which consists of three binary and two unary operations, is able to support the specification of a large variety of integration constraints. To assess the expressive power of our algebra, we introduce a notion of completeness and prove that our algebra is complete with respect to this notion. We then propose a framework that uses the algebra for the fine-grained integration of policies expressed in XACML. We also present a methodology for generating the actual integrated XACML policy, based on the notion of Multi-Terminal Binary Decision Diagrams.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	http://fke.utm.my/downloads/espresso/.
	2	Extensible access control markup language (XACML) version 2.0, OASIS Standard, 2005.
	3	A. Anderson. Evaluating xacml as a policy language. Technical report, OASIS, 2003.
	4	Ofer Arieli , Arnon Avron, The value of the four values, Artificial Intelligence, v.102 n.1, p.97-141, June 1998  [doi>10.1016/S0004-3702(98)00032-0]
	5	P. Ashley, S. Hada, G. Karjoth, C. Powers, and M. Schunter. Enterprise privacy authorization language (EPAL).
	6	Research report 3485, IBM Research, 2003.
	7	M. Backes, M. Duermuth, and R. Steinwandt. An algebra for composing enterprise privacy policies. In Proceedings of 9th European Symposium on Research in Computer Security (ESORICS), volume 3193 of Lecture Notes in Computer Science, pages 33--52. Springer, September 2004.
	8	Piero Bonatti , Sabrina De Capitani di Vimercati , Pierangela Samarati, An algebra for composing access control policies, ACM Transactions on Information and System Security (TISSEC), v.5 n.1, p.1-35, February 2002  [doi>10.1145/504909.504910]
	9	Glenn Bruns , Daniel S Dantas , Michael Huth, A simple and expressive semantic framework for policy composition in access control, Proceedings of the 2007 ACM workshop on Formal methods in security engineering, p.12-21, November 02-02, 2007, Fairfax, Virginia, USA  [doi>10.1145/1314436.1314439]
	10	Kathi Fisler , Shriram Krishnamurthi , Leo A. Meyerovich , Michael Carl Tschantz, Verification and change-impact analysis of access-control policies, Proceedings of the 27th international conference on Software engineering, May 15-21, 2005, St. Louis, MO, USA  [doi>10.1145/1062455.1062502]
	11	M. Fujita , P. C. McGeer , J. C.-Y. Yang, Multi-Terminal Binary Decision Diagrams: An Efficient DataStructure for Matrix Representation, Formal Methods in System Design, v.10 n.2-3, p.149-169, April -May 1997  [doi>10.1023/A:1008647823331]
	12	O. Grumberg, S. Livne, and S. Markovitch. Learning to order bdd variables in verification. Journal of Artificial Intelligence Research, 18:83--116, 2003.
	13	J. Halpern and V. Weissman. Using first-order logic to reason about policies. In Proceedings of the Computer Security Foundations Workshop (CSFW'03), 2003.
	14	Radha Jagadeesan , Will Marrero , Corin Pitcher , Vijay Saraswat, Timed constraint programming: a declarative approach to usage control, Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming, p.164-175, July 11-13, 2005, Lisbon, Portugal  [doi>10.1145/1069774.1069790]
	15	N. Martin. The sheffer functions of 3-valued logic. The Journal of Symbolic Logic, 19(1):45--51, 1954.
	16	P. Mazzoleni , E. Bertino , B. Crispo , S. Sivasubramanian, XACML policy integration algorithms: not to be confused with XACML policy combination algorithms!, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA  [doi>10.1145/1133058.1133089]
	17	Patrick McDaniel , Atul Prakash, Methods and limitations of security policy reconciliation, ACM Transactions on Information and System Security (TISSEC), v.9 n.3, p.259-291, August 2006  [doi>10.1145/1178618.1178620]
	18	P. Rao, D. Lin, E. Bertino, N. Li, and J. Lobo. An algebra for fine-grained integration of xacml policies. Technical report, CERIAS, 2008.
	19	G. Rousseau. Completeness in finite algebras with a single operation. Proceedings of the American Mathematical Society, 18(6):1009--1013, 1966.
	20	Fred B. Schneider, Enforceable security policies, ACM Transactions on Information and System Security (TISSEC), v.3 n.1, p.30-50, Feb. 2000  [doi>10.1145/353323.353382]
	21	R. Wheeler. Complete connectives for 3-valued propositional calculus. Proceedings of London Mathematical Society, 3(16):167--191, 1966.
	22	Duminda Wijesekera , Sushil Jajodia, A propositional policy algebra for access control, ACM Transactions on Information and System Security (TISSEC), v.6 n.2, p.286-325, May 2003  [doi>10.1145/762476.762481]