Abstract: Policy refinement is an important method to resolve the configuration complexity of access control policies for distributed applications. Although the current policy refinement techniques make it possible to describe the layered policies and refine the policies layer by layer, it is not easy of these methods to describe and analyze the associated attributes among different policies. The wide use of policy refinement is thus hindered. In this paper, new methods for the description of policies and relationships among them such as composition, mutual exclusion, refinement and path cooperation are given. A new algorithm for policies refinement with relationship description ability is proposed. A refine-tree construction method with the capability of describing the policies and the relationships among these policies is also proposed with the algorithm. This provides a basis for solving the issue of the associating attributes between policies in the policy refinement process. The policies refine-tree can also be used to demonstrate the SLA (service-level agreement) of access control.

Key words: model driven architecture, access control, policy description, policy refinement, policy conflict analysis, associated attribute