Policy Conflict Analysis in Distributed System Management

12 April 1993

Distributed system management is concerned with the tasks needed to ensure that large distributed systems can function in accordance with the objectives of their users. These objectives are typically set out in the form of policies which are interpreted by the system managers. There are benefits to be gained by providing automated support for human managers, or actually automating routine management tasks. In order to do this, it is desirable to have a model of policies as objects which can be interpreted by the system itself. The model is summarised. It is clear that there is the potential for conflicts between policies. These conflicts may be resolved informally by human managers, but if an automated system is to recognise them and resolve them appropriately it is necessary first of all to analyse the types of conflict which may occur. We analyse the types of overlap which may occur between policies, and show that this analysis corresponds to several familiar types of policy conflict. Some possible approaches to the prevention and resolution of conflicts are suggested, and this work is put into the context of other work on policies and related areas, including deontic logic.
