An access control system enforces a policy that governs access to a resource. For a given principal (e.g., a user named “Joe”) and a given resource (e.g., a file named “foo.txt”), an access control system may determine whether Joe can access foo.txt.
Access rights may be obtained by way of delegation from one or more principals. For example, the authority over the resource, or the policy enforced by a guard that controls access to the resource, may give one or more principals the right to grant access rights to other principals. The relationships that the policy defines among principals, and between the principals and the resource, may be complex, and when they are it may not be clear to a human which delegations would support the goal of allowing a particular principal access to a resource. Logic-based security models, such as the Security Policy Assertion Language (“SecPAL”), enable complex policies over a resource to be created and enforced. For example, the security policy over the file foo.txt may grant a principal (e.g., a user named “Joe”) the right to allow another principal to read foo.txt, as long as that other principal is a member of a particular group (e.g., “Group 1”). The same policy may grant another principal (e.g., a user named “Susan”) the right to assign principals membership in Group 1. The policy may further call for access rights to be time-limited: for example, it may allow Joe to give another principal the right to read foo.txt, but require any such right to expire no more than one hour after the delegation is made. Under this policy, achieving the goal of allowing a third principal (e.g., a user named “Bob”) who is not yet a member of Group 1 to read foo.txt involves delegative action by two users (Joe and Susan), and also involves knowing the current time, since whether Joe's delegation is still valid depends on when it was made.
When the policy governing access to a resource is defined by a complex set of rules, it may be difficult to know what assertions (such as delegations or other credentials) must exist for an access request to be granted. An access request may fail simply because no one knows which delegations would satisfy the access policy. Moreover, even when one determines which delegations would satisfy the policy, one may not know which of them have already been made, or which could still be made by the principals who hold the relevant rights.
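The following is an added example, not code from the original text or from SecPAL itself. It is a deliberately small, SecPAL-flavoured evaluator for the foo.txt policy described above (Joe may grant read access to members of Group 1, Susan may grant Group 1 membership, and anything Joe grants must expire within one hour). The authority over foo.txt is given the assumed name "Admin", the timestamps are constructed, and the `says`/`unify`/`missing` helpers are this example's own, not SecPAL's API. `says` answers the access question at a given time; `missing` addresses the second difficulty raised above by listing which delegate statements would still have to exist for the goal to hold.

```python
"""Tiny SecPAL-flavoured evaluator for the delegation policy over foo.txt.
Added example; "Admin" (the authority over foo.txt) and all timestamps are
assumptions constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Fact:
    """`subject verb obj`; a name beginning with '?' is a variable."""
    subject: str
    verb: str
    obj: str


@dataclass(frozen=True)
class Says:
    """`issuer says fact if conditions`, valid from issued_at until expires."""
    issuer: str
    fact: Fact
    conditions: tuple = ()
    issued_at: Optional[datetime] = None
    expires: Optional[datetime] = None


@dataclass(frozen=True)
class CanSay:
    """`issuer says delegate can say fact if conditions` (a delegation right).
    max_lifetime bounds how long a statement made under it may stay valid."""
    issuer: str
    delegate: str
    fact: Fact
    conditions: tuple = ()
    max_lifetime: Optional[timedelta] = None


def unify(pattern: Fact, fact: Fact, env: dict) -> Optional[dict]:
    """Match a pattern containing variables against a ground fact."""
    env = dict(env)
    for p, f in zip((pattern.subject, pattern.verb, pattern.obj),
                    (fact.subject, fact.verb, fact.obj)):
        if p.startswith("?"):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env


def subst(fact: Fact, env: dict) -> Fact:
    return Fact(*(env.get(x, x) for x in (fact.subject, fact.verb, fact.obj)))


def says(ctx, issuer, goal, now, max_lifetime=None, depth=8):
    """Is `issuer says goal` derivable at time `now` from the assertions in ctx?
    max_lifetime is the tightest lifetime cap inherited from CanSay rules."""
    if depth == 0:
        return False
    for a in ctx:
        env = unify(a.fact, goal, {}) if a.issuer == issuer else None
        if env is None:
            continue
        # Conditions are judged by the rule's own issuer, with variables bound.
        if not all(says(ctx, issuer, subst(c, env), now, None, depth - 1)
                   for c in a.conditions):
            continue
        if isinstance(a, Says):
            if a.expires is not None and now >= a.expires:
                continue  # expired credential
            if max_lifetime is not None and (a.expires is None or a.issued_at is None
                                             or a.expires - a.issued_at > max_lifetime):
                continue  # delegate granted more lifetime than the policy allows
            return True
        cap = min(filter(None, (max_lifetime, a.max_lifetime)), default=None)
        if says(ctx, a.delegate, goal, now, cap, depth - 1):
            return True
    return False


def missing(ctx, issuer, goal, now, depth=8):
    """Which delegate statements would still have to exist for `issuer says goal`?
    Returns (delegate, fact) pairs; empty when the goal already holds."""
    needed = []
    if depth == 0 or says(ctx, issuer, goal, now):
        return needed
    for a in ctx:
        if isinstance(a, CanSay) and a.issuer == issuer:
            env = unify(a.fact, goal, {})
            if env is None:
                continue
            for c in a.conditions:
                needed += missing(ctx, issuer, subst(c, env), now, depth - 1)
            if not says(ctx, a.delegate, goal, now, a.max_lifetime):
                needed.append((a.delegate, goal))
    return needed


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
ONE_HOUR = timedelta(hours=1)
GOAL = Fact("Bob", "read", "foo.txt")


def policy():
    """Admin's policy over foo.txt, as described in the text."""
    return [CanSay("Admin", "Joe", Fact("?p", "read", "foo.txt"),
                   conditions=(Fact("?p", "member of", "Group 1"),), max_lifetime=ONE_HOUR),
            CanSay("Admin", "Susan", Fact("?p", "member of", "Group 1"))]


# Constructed credentials the delegates might issue.
JOE_DELEGATION = Says("Joe", GOAL, issued_at=T0, expires=T0 + timedelta(minutes=30))
JOE_TOO_LONG = Says("Joe", GOAL, issued_at=T0, expires=T0 + timedelta(hours=2))
SUSAN_MEMBERSHIP = Says("Susan", Fact("Bob", "member of", "Group 1"))


def bob_can_read(extra, now):
    return says(policy() + list(extra), "Admin", GOAL, now)
```

With both delegations present and the clock at ten minutes past T0, `bob_can_read` succeeds; drop Susan's membership statement, move the clock past Joe's 30-minute expiry, or replace Joe's credential with the two-hour one and it fails, even though nothing about the request itself changed. `missing(policy(), "Admin", GOAL, T0)` returns the two statements (Susan's and Joe's) that would have to be made, which is the information a human would otherwise have to work out from the rules by hand.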