Using Soft Constraints for Deduction and Abduction in Policy-based Access Authorization 1