Policy Workshop 1999

15-17 November 1999
The workshop has been extended to 17 November to allow more position papers and to permit extensive discussion without any parallel sessions.

HP-Laboratories, Bristol, U.K.

There has been considerable work in the security community on the specification and analysis of access control policy, which has evolved into the work on Role-Based Access Control (RBAC). Policies are also used for the management of networks and distributed systems. Management policies have concentrated on authorisation policies, which specify what a manager is permitted to do, and obligation policies, which specify what a manager must do. There are also policies related to the allocation of resources within a network or system, e.g. the recent interest within the Internet community in policies for bandwidth management. Although there are strong similarities in the concepts and techniques used by the different communities, there is no commonly accepted notation for specifying policy.

There are also groups looking at high-level aspects of policy related to Enterprise Modelling. The ISO Open Distributed Processing working groups are defining Policy and Role concepts within the Enterprise Language. Roles are used to specify policies independently of the person or object assigned to the role and to group policies associated with a position in an organisation. There is a need to be able to analyse policies to determine inconsistencies and conflicts. Furthermore, policies may initially be specified at an abstract level and progressively refined into implementable specifications. Related work on Requirements Engineering addresses some of these issues, providing tools and techniques for refining high-level goals (whi