In this section, we give a formal examination of how policy inconsistencies are resolved when SSoD and SA policies coexist.
3.1. Reducing complexity
Once all the inconsistencies are known, we must find a way to resolve them. However, determining which policies to remove is difficult because there may be many policy inconsistencies. To simplify the resolution task, we consider as few policies as possible: we reduce the complexity of reasoning about policy inconsistencies with two techniques, static pruning and the minimal inconsistency cover set.
3.1.1. Static pruning
SSoD and SA policies can conflict with each other because their objectives are opposite. In general, not every SSoD or SA policy needs to be taken into account, since some of them cannot cause inconsistencies. The following theorem asserts that these special cases of SSoD (or SA) policies do not affect compatibility with the SA (or SSoD) policies, which allows us to remove them from consideration and greatly simplifies the problem.
Theorem 3. Let $Q = \{e_1, \dots, e_m, f_1, \dots, f_n\}$, where $e_i = ssod\langle P_i, U_i, k_i\rangle$ $(1 \le i \le m)$ and $f_j = sa\langle P'_j, U'_j, t_j\rangle$ $(1 \le j \le n)$. Let $R = \bigcup_{j=1}^{n} P'_j$ and $T = \bigcup_{j=1}^{n} U'_j$. If $\exists e_i \in Q\,[(|P_i \setminus R| > 0) \vee (U_i \cap T = \emptyset)]$, then let $Q' = Q' \setminus \{e_i\}$. Let $S = \bigcup_{i=1}^{m} U_i$ and $W = \bigcup_{i=1}^{m} P_i$. If $\exists f_j \in Q\,[(|U'_j \cap S| < t_j) \vee (P'_j \cap W = \emptyset)]$, then let $Q' = Q' \setminus \{f_j\}$. $Q$ is consistent if and only if $Q'$ is consistent.
PROOF. For the "only if" part, it is clear that if $Q$ is consistent then $Q'$ is consistent, as $Q' \subseteq Q$.
For the "if" part, we show that if $Q'$ is consistent then $Q$ is consistent. $Q'$ being consistent implies that there exists an access control state $\varepsilon$ that satisfies all policies in $Q'$. We now construct a new state $\varepsilon'$ that satisfies both $Q'$ and $Q$ as follows. For each $e_i \in Q \setminus Q'$ with $|P_i \setminus R| > 0$: add all users in $U_i$ to $\varepsilon$, but do not assign any permission in $P_i \cap R$. In this way $\varepsilon'$ satisfies $e_i$, as no fewer than $k_i$ users in $U_i$ together hold all the permissions in $P_i$, and note that adding new users does not lead to an inconsistency among the policies in $Q'$. If $U_i \cap T = \emptyset$, not assigning any permission in $P_i$ to any user in $U_i$ does not lead to an inconsistency among the policies in $Q'$, and the new state satisfies $e_i$. For each $f_j \in Q \setminus Q'$ with $|U'_j \cap S| < t_j$: add all users in $U'_j$ to $\varepsilon$, and assign all permissions in $P'_j$ to each user in $U'_j \cap S$. Then there is at least one user $u \in U'_j \setminus S$ in each size-$t_j$ user set in $U'_j$; as $u$ has all the permissions in $P'_j$, each size-$t_j$ user set in $U'_j$ together holds all the permissions in $P'_j$. In this way $\varepsilon'$ satisfies $f_j$, and note that adding new users and assigning permissions to these new users does not lead to a violation of the policies in $Q'$. If $P'_j \cap W = \emptyset$, assigning any permission in $P'_j$ to each user in $U'_j$ does not lead to an inconsistency among the policies in $Q'$, and thus the new state $\varepsilon'$ satisfies $f_j$. Therefore, $Q$ is consistent if and only if $Q'$ is consistent. □
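As an added illustration (not part of the original paper), the following Python encodes the pruning test of Theorem 3 exactly as stated, computing $R$, $T$, $S$ and $W$ from the whole input in one pass, and runs it on the policies of Example 2 below plus two constructed policies, e_x and f_x, that the theorem removes. The `Policy` record, the `ssod`/`sa` constructors and `static_prune` are names chosen for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    kind: str         # "ssod": no n-1 users of U jointly hold all of P; "sa": every n users do
    name: str
    perms: frozenset
    users: frozenset
    n: int            # k for ssod<P, U, k>, t for sa<P, U, t>

def ssod(name, perms, users, k): return Policy("ssod", name, frozenset(perms), frozenset(users), k)
def sa(name, perms, users, t): return Policy("sa", name, frozenset(perms), frozenset(users), t)

def static_prune(policies):
    """One pass of Theorem 3 over Q. R, T, S, W are taken from the whole input,
    exactly as the theorem defines them. Returns (kept_policies, pruned_names)."""
    ssods = [p for p in policies if p.kind == "ssod"]
    sas = [p for p in policies if p.kind == "sa"]
    R = frozenset().union(*(f.perms for f in sas))    # permissions named by any SA policy
    T = frozenset().union(*(f.users for f in sas))    # users named by any SA policy
    S = frozenset().union(*(e.users for e in ssods))  # users named by any SSoD policy
    W = frozenset().union(*(e.perms for e in ssods))  # permissions named by any SSoD policy
    kept, pruned = [], []
    for e in ssods:
        # |P_i \ R| > 0: some permission of e is demanded by no SA policy, so e is
        # satisfied by never granting it; U_i ∩ T = ∅: no SA policy touches e's users.
        if len(e.perms - R) > 0 or not (e.users & T):
            pruned.append(e.name)
        else:
            kept.append(e)
    for f in sas:
        # |U'_j ∩ S| < t_j: every size-t_j group of f's users contains a user that no
        # SSoD policy constrains; P'_j ∩ W = ∅: no SSoD policy constrains f's permissions.
        if len(f.users & S) < f.n or not (f.perms & W):
            pruned.append(f.name)
        else:
            kept.append(f)
    return kept, pruned

# Q' of Example 2 (from the page) plus two constructed policies that the theorem prunes.
EXAMPLE_2 = [
    ssod("e1", {"p1", "p2", "p3"}, {"u1", "u2", "u3"}, 2),
    ssod("e2", {"p1", "p2"}, {"u1", "u2"}, 2),
    ssod("e3", {"p4", "p5"}, {"u4", "u5"}, 2),
    ssod("e4", {"p4", "p5", "p6"}, {"u4", "u5", "u6"}, 2),
    sa("f1", {"p1", "p2"}, {"u1", "u2", "u3"}, 2),
    sa("f2", {"p2", "p3"}, {"u2", "u3"}, 1),
    sa("f3", {"p5", "p6"}, {"u4", "u6"}, 1),
    sa("f4", {"p4", "p5", "p6"}, {"u4", "u6"}, 2),
]
EXTRA = [
    ssod("e_x", {"p1", "p7"}, {"u1", "u2"}, 2),  # constructed: p7 appears in no SA policy
    sa("f_x", {"p1"}, {"u9"}, 1),                 # constructed: u9 appears in no SSoD policy
]

def demo():
    """Example 2 alone loses nothing (as the page states); with the extras, only they go."""
    _, pruned_plain = static_prune(EXAMPLE_2)
    kept, pruned_extra = static_prune(EXAMPLE_2 + EXTRA)
    return pruned_plain, sorted(pruned_extra), sorted(p.name for p in kept)

if __name__ == "__main__":
    print(demo())
```

Because $R$, $T$, $S$ and $W$ are computed from the original $Q$, a single pass is what the theorem licenses; running the pass again on the reduced set would also be sound but is not what Theorem 3 states.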
3.1.2. Minimal inconsistency cover set
A policy set containing a large number of SSoD and SA policies may contain many policy inconsistencies. But many of these inconsistencies may result from only a small number of the policies, and the groups of policies responsible for them may be disjoint from each other. We call the smallest set of policies that accounts for a policy inconsistency its minimal inconsistency cover set. Therefore, the key question is how to organize the policy inconsistencies so as to examine the minimum number of policies that are responsible for all of them.
Definition 6. A minimal inconsistency cover (MIC) set for a policy inconsistency is a set of policies responsible for that inconsistency which includes the smallest number of policies.
Note that for a policy inconsistency there might be several policy sets that are responsible for it. By definition, a set $S$ is an MIC set if there does not exist another set $S'$ responsible for this inconsistency with $S' \subset S$. MIC sets have the following property.
Theorem 4. Given any two MIC sets $A$ and $B$, let $P_A$ denote the union of the permissions of all policies in $A$ and $U_A$ the union of the users of all policies in $A$; $P_B$ and $U_B$ have the analogous meaning. Then $(P_A \cap P_B = \emptyset) \vee (U_A \cap U_B = \emptyset)$.
PROOF. Assume that $(P_A \cap P_B = \emptyset) \vee (U_A \cap U_B = \emptyset)$ is false; then $(P_A \cap P_B \ne \emptyset) \wedge (U_A \cap U_B \ne \emptyset)$. Four cases should be considered:
(1) Permissions and users for $\{e_1, \dots, e_m\} \subseteq A$ $(m \ge 1)$ and $\{e'_1, \dots, e'_n\} \subseteq B$ $(n \ge 1)$ are shared;
(2) Permissions and users for $\{e_1, \dots, e_m\} \subseteq A$ $(m \ge 1)$ and $\{f_1, \dots, f_n\} \subseteq B$ $(n \ge 1)$ are shared;
(3) Permissions and users for $\{f_1, \dots, f_m\} \subseteq A$ $(m \ge 1)$ and $\{f'_1, \dots, f'_n\} \subseteq B$ $(n \ge 1)$ are shared;
(4) Permissions and users for $\{e_1, \dots, e_m, f_1, \dots, f_n\} \subseteq A$ $(m \ge 1, n \ge 1)$ and $\{e'_1, \dots, e'_l, f'_1, \dots, f'_k\} \subseteq B$ $(l \ge 1, k \ge 1)$ are shared.
For case (1), there exists at least one permission $p \in P_{\{e_1, \dots, e_m\}}$ that does not belong to any other policy in $A$. By Theorem 3, $\{e_1, \dots, e_m\}$ does not affect the inconsistency of the other policies in $A$, and thus $\{e_1, \dots, e_m\}$ can be removed from $A$. This contradicts the assertion that $A$ is an MIC set. Moreover, there exists at least one permission $p \in P_{\{e'_1, \dots, e'_n\}}$ that does not belong to any other policy in $B$, so $\{e'_1, \dots, e'_n\}$ can also be removed from $B$. For cases (2) and (3), the proof is essentially the same as for case (1). It should be noted that there exists at least one user $u$ belonging to the policies in $\{f_1, \dots, f_n\}$ but to no other policy in $B$; thus $\{f_1, \dots, f_n\}$ should be removed from $B$ by Theorem 3. For case (4), no policy can be removed from $\{e_1, \dots, e_m, f_1, \dots, f_n\} \cup \{e'_1, \dots, e'_l, f'_1, \dots, f'_k\}$, which means these policies may conflict with each other due to their opposite objectives. Therefore, these policies should be included in only one MIC set, which contradicts the assertion that $A$ and $B$ are two distinct MIC sets. Together with the above discussion, for any two MIC sets, $(P_A \cap P_B = \emptyset) \vee (U_A \cap U_B = \emptyset)$. □
We now give an algorithm to generate the MIC sets of an access control policy set. Algorithm 1 relies on the presumption that all SSoD and SA policies which cannot cause policy inconsistencies have already been removed from consideration by the static pruning technique. Given a policy set $Q$, the algorithm first divides $Q$ into several subsets in steps 1 to 20. In steps 21 to 27, it merges the different sets that share permissions and users. The algorithm has a worst-case time complexity of $O(mnMN)$, where $m$ is the number of SSoD policies, $n$ is the number of SA policies, $M$ is the number of users and $N$ is the number of permissions. The fact that CCP is intractable (coNP-complete) means that there exist difficult problem instances that take exponential time in the worst case, while efficient algorithms for CCP exist when the number of policies is not too large. MIC sets help to reduce the complexity of reasoning about policy inconsistencies.
Example 2. Continuing from Example 1, we add four policies $\{e_3, e_4, f_3, f_4\}$ to $Q$ and consider the combination of the following SSoD and SA policies.
$Q' = \{e_1, e_2, e_3, e_4, f_1, f_2, f_3, f_4\}$
$e_1 = ssod\langle\{p_1, p_2, p_3\}, \{u_1, u_2, u_3\}, 2\rangle$
$e_2 = ssod\langle\{p_1, p_2\}, \{u_1, u_2\}, 2\rangle$
$e_3 = ssod\langle\{p_4, p_5\}, \{u_4, u_5\}, 2\rangle$
$e_4 = ssod\langle\{p_4, p_5, p_6\}, \{u_4, u_5, u_6\}, 2\rangle$
$f_1 = sa\langle\{p_1, p_2\}, \{u_1, u_2, u_3\}, 2\rangle$
$f_2 = sa\langle\{p_2, p_3\}, \{u_2, u_3\}, 1\rangle$
$f_3 = sa\langle\{p_5, p_6\}, \{u_4, u_6\}, 1\rangle$
$f_4 = sa\langle\{p_4, p_5, p_6\}, \{u_4, u_6\}, 2\rangle$
By Theorem 3, no policy can be removed from consideration by static pruning. But the permissions in $\{p_4, p_5, p_6\}$ and the users in $\{u_4, u_5, u_6\}$ occur only in $\{e_3, e_4, f_3, f_4\}$, and the policies in $\{e_3, e_4, f_3, f_4\}$ do not affect the consistency of $\{e_1, e_2, f_1, f_2\}$. By Algorithm 1, $Q'$ can be divided into two policy sets $Q'_1 = \{e_1, e_2, f_1, f_2\}$ and $Q'_2 = \{e_3, e_4, f_3, f_4\}$, such that each set is an MIC set. As shown in Example 1, the policies in $Q'_1$ are inconsistent. It is easy to find that the policies in $Q'_2$ are inconsistent, too. Continuing from Example 2, assume that there exist another two policies $e_5 = ssod\langle\{p_1, p_2, p_4, p_5, p_6\}, \{u_1, u_2, u_3, u_4, u_5, u_6\}, 3\rangle$ and $f_5 = sa\langle\{p_1, p_2, p_3, p_4, p_5, p_6\}, \{u_1, u_2, u_4, u_6\}, 3\rangle$; then all the policies in $\{e_1, e_2, e_3, e_4, e_5, f_1, f_2, f_3, f_4, f_5\}$ form only one MIC set.
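An added example, not from the paper: the grouping that Algorithm 1 (ComputeMIC) arrives at, implemented as the repeated merging of its steps 21 to 27 (two groups merge whenever they share at least one permission and at least one user, the situation Theorem 4 rules out between distinct MIC sets), applied to $Q'$ of Example 2 and then to $Q'$ extended with $e_5$ and $f_5$. The `Policy` record, `compute_mic` and `theorem4_holds` are names chosen here; the input is assumed to be already reduced by static pruning, as the page requires.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    kind: str         # "ssod" or "sa"
    name: str
    perms: frozenset
    users: frozenset
    n: int            # k for ssod<P, U, k>, t for sa<P, U, t>

def ssod(name, perms, users, k): return Policy("ssod", name, frozenset(perms), frozenset(users), k)
def sa(name, perms, users, t): return Policy("sa", name, frozenset(perms), frozenset(users), t)

def compute_mic(policies):
    """Partition Q into MIC sets. Every policy starts as its own group; two groups are
    merged while they share a permission AND a user (Algorithm 1, steps 21-27). Groups
    that are disjoint in either dimension cannot be responsible for the same inconsistency
    (Theorem 4). Returns the groups as frozensets of policy names, in sorted order."""
    groups = [(frozenset([p.name]), p.perms, p.users) for p in policies]
    changed = True
    while changed:
        changed = False
        for a in range(len(groups)):
            for b in range(a + 1, len(groups)):
                names_a, perms_a, users_a = groups[a]
                names_b, perms_b, users_b = groups[b]
                if (perms_a & perms_b) and (users_a & users_b):
                    groups[a] = (names_a | names_b, perms_a | perms_b, users_a | users_b)
                    del groups[b]
                    changed = True
                    break
            if changed:
                break
    return sorted((g[0] for g in groups), key=sorted)

def theorem4_holds(policies):
    """Check the property of Theorem 4 on the computed MIC sets: any two of them are
    disjoint in permissions or disjoint in users."""
    by_name = {p.name: p for p in policies}
    sets = compute_mic(policies)
    for i in range(len(sets)):
        for j in range(i + 1, len(sets)):
            perms_a = frozenset().union(*(by_name[x].perms for x in sets[i]))
            users_a = frozenset().union(*(by_name[x].users for x in sets[i]))
            perms_b = frozenset().union(*(by_name[x].perms for x in sets[j]))
            users_b = frozenset().union(*(by_name[x].users for x in sets[j]))
            if (perms_a & perms_b) and (users_a & users_b):
                return False
    return True

# Q' of Example 2 and the two extra policies e_5, f_5, all taken from the page.
EXAMPLE_2 = [
    ssod("e1", {"p1", "p2", "p3"}, {"u1", "u2", "u3"}, 2),
    ssod("e2", {"p1", "p2"}, {"u1", "u2"}, 2),
    ssod("e3", {"p4", "p5"}, {"u4", "u5"}, 2),
    ssod("e4", {"p4", "p5", "p6"}, {"u4", "u5", "u6"}, 2),
    sa("f1", {"p1", "p2"}, {"u1", "u2", "u3"}, 2),
    sa("f2", {"p2", "p3"}, {"u2", "u3"}, 1),
    sa("f3", {"p5", "p6"}, {"u4", "u6"}, 1),
    sa("f4", {"p4", "p5", "p6"}, {"u4", "u6"}, 2),
]
E5 = ssod("e5", {"p1", "p2", "p4", "p5", "p6"}, {"u1", "u2", "u3", "u4", "u5", "u6"}, 3)
F5 = sa("f5", {"p1", "p2", "p3", "p4", "p5", "p6"}, {"u1", "u2", "u4", "u6"}, 3)

def demo():
    """Two MIC sets for Q' alone; e5 and f5 bridge them into a single MIC set."""
    return compute_mic(EXAMPLE_2), compute_mic(EXAMPLE_2 + [E5, F5])

if __name__ == "__main__":
    print(demo())
```

Each merge is a fixed-point step rather than the single pass of the page's step 21 to 27 loop, so the result does not depend on the order in which policies are listed; the check `theorem4_holds` confirms on the output that no two groups overlap in both permissions and users.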
3.2. Measuring the safety-utility tradeoff
Given an MIC set for a policy inconsistency, there may often be many choices for resolving this inconsistency. An interesting question is "which choice is optimal?" Our methodology helps policy administrators answer this question.
Algorithm 1. ComputeMIC(Q)
Input: Q = {e_1, ..., e_m, f_1, ..., f_n}
Output: the MIC sets of Q: S_1, ..., S_x
1: initialize S_1 = ∅, i = 1, j = 1, k = 1;
2: while (i < m  j < n) do
3: if ((P_{e_i} ∩ P_{S_k} ≠ ∅) ∧ (U_{e_i} ∩ U_{S_k} ≠ ∅)) then
4: S_k = S_k ∪ {e_i};
5: i++;
6: else
7: k++;
8: continue;
9: end if
10: k = 1;
11: if ((P_{f_j} ∩ P_{S_k} ≠ ∅) ∧ (U_{f_j} ∩ U_{S_k} ≠ ∅)) then
12: S_k = S_k ∪ {f_j};
13: j++;
14: else
15: k++;
16: continue;
17: end if
18: k = 1;
19: end while;
20: MIC(Q) ← S_1, ..., S_x;
21: for S_k ∈ MIC(Q) do
22: if ∃S_t ∈ MIC(Q) [(P_{S_t} ∩ P_{S_k} ≠ ∅) ∧ (U_{S_t} ∩ U_{S_k} ≠ ∅)] then
23: MIC(Q) = MIC(Q) \ {S_t, S_k};
24: S_k = S_k ∪ S_t;
25: MIC(Q) ← S_k;
26: end if
27: end for
28: return MIC(Q).
Example 3. Let us consider the same policies as in Example 1. After removing some policies from $Q$, the remaining policies are consistent with each other. For example, resolving the policy inconsistency has the following choices.
Removing only one policy: $\{e_1\}$, $\{f_1\}$, or $\{f_2\}$.
Removing two policies: $\{e_1, e_2\}$, $\{e_1, f_1\}$, $\{e_1, f_2\}$, $\{e_2, f_1\}$, $\{e_2, f_2\}$, or $\{f_1, f_2\}$.
Removing three policies: $\{e_1, e_2, f_1\}$, $\{e_1, e_2, f_2\}$, $\{e_1, f_1, f_2\}$, or $\{e_2, f_1, f_2\}$.
Currently we lack a method for measuring the safety-utility tradeoff in policy inconsistency resolution. Removing SSoD policies results in a safety loss with respect to the whole safety requirement of $Q$; similarly, removing SA policies results in a utility loss with respect to the whole utility requirement of $Q$. Hence, before making the choice, one must ensure that the safety loss and the utility loss are limited to an acceptable level. To use our method, one must choose a measure for the safety loss ($S_{loss}$) and the utility loss ($U_{loss}$).
Definition 7. Let $e_1$ and $e_2$ be two SSoD policies. We say that $S^{e_1}_{loss} \ge S^{e_2}_{loss}$ if and only if $e_1 \succcurlyeq e_2$, and $S^{e_1}_{loss} > S^{e_2}_{loss}$ if and only if $e_1 \succ e_2$.
Here $S^{e_1}_{loss}$ denotes the safety loss caused by removing $e_1$. Intuitively, choosing to remove the more restrictive policy causes more safety (or utility) loss.
Theorem 5. For any SSoD policies $e_1 = ssod\langle P_1, U_1, k_1\rangle$ and $e_2 = ssod\langle P_2, U_2, k_2\rangle$, $e_1 \succ e_2$ if and only if $(U_1 \supseteq U_2) \wedge (k_1 \ge k_2 + |P_1 \setminus P_2|)$.
PROOF. For the "if" part, given $(U_1 \supseteq U_2) \wedge (k_1 \ge k_2 + |P_1 \setminus P_2|)$, we show that $\forall \varepsilon\,(\neg sat_{e_2}(\varepsilon) \Rightarrow \neg sat_{e_1}(\varepsilon))$. There are two cases for $(U_1 \supseteq U_2) \wedge (k_1 \ge k_2 + |P_1 \setminus P_2|)$: (1) $P_1 \subseteq P_2$; (2) $P_1 \supset P_2$. $\neg sat_{e_2}(\varepsilon)$ being true means that there exist $k_2 - 1$ users in $U_2$ together having all the permissions in $P_2$. For case (1), there also exist $k_2 - 1$ users in $U_1$ together having all the permissions in $P_1$, as $(P_1 \subseteq P_2) \wedge (U_1 \supseteq U_2)$, and $(k_1 \ge k_2 + |P_1 \setminus P_2|) \Rightarrow (k_1 - 1) \ge (k_2 - 1)$. Therefore, there exist $k_1 - 1$ users in $U_1$ together having all the permissions in $P_1$; in other words, $\neg sat_{e_1}(\varepsilon)$ is true. For case (2), there also exist $k_2 - 1$ users in $U_1$ together having all the permissions in $P_1 \cup (P_2 \setminus P_1)$, as $U_1 \supseteq U_2$. At most $|P_1 \setminus P_2|$ users together have all the permissions in $P_2 \setminus P_1$, and $(k_1 \ge k_2 + |P_1 \setminus P_2|) \Rightarrow (k_2 - 1) \le (k_1 - 1) - |P_1 \setminus P_2|$. Thus there exist $k_1 - 1$ users in $U_1$ together having all the permissions in $P_1$, and $sat_{e_1}(\varepsilon)$ is also false. Therefore, $\forall \varepsilon\,(\neg sat_{e_2}(\varepsilon) \Rightarrow \neg sat_{e_1}(\varepsilon))$ is true.
For the "only if" part, given $e_1 \succcurlyeq e_2$, we show that $(U_1 \supseteq U_2) \wedge (k_1 \ge k_2 + |P_1 \setminus P_2|)$ is true. Suppose, for the sake of contradiction, that $\neg((U_1 \supseteq U_2) \wedge (k_1 \ge k_2 + |P_1 \setminus P_2|))$ is true; in other words, both $U_1 \supseteq U_2$ and $k_1 \ge k_2 + |P_1 \setminus P_2|$ are false. Let $e_1$ and $e_2$ be two SSoD policies, where $e_1 = ssod\langle P_1, U_1, k_1\rangle$ and $e_2 = ssod\langle P_2, U_2, k_2\rangle$. If $U_1 \supseteq U_2$ is false, then $\exists u \in U_2 \setminus U_1$. Assuming that $sat_{e_1}(\varepsilon)$ is true, assign all the permissions in $P_2$ to $u$; then $sat_{e_2}(\varepsilon)$ is false as $k_2 > 1$. Therefore, $U_1 \supseteq U_2$ is true. If $k_1 \ge k_2 + |P_1 \setminus P_2|$ is false, then $k_1 < k_2 + |P_1 \setminus P_2|$. If $P_1 \subseteq P_2$, then $k_1 < k_2 \Rightarrow k_1 \le k_2 - 1$. $sat_{e_1}(\varepsilon)$ being true means that at least $k_1$ users in $U_1$ are needed to together have all the permissions in $P_1$. We assume that there exist $k_1$ users in $U_1$ together having all the permissions in $P_1$ in $\varepsilon$; then there exist $k_2 - 1$ users in $U_2$ together having all the permissions in $P_2$ in $\varepsilon$ (let $U_1 = U_2$, and let these $k_1$ users also have all the permissions in $P_2 \setminus P_1$), so $sat_{e_2}(\varepsilon)$ is false. If $P_1 \supset P_2$, let $k_1 < k_2 + |P_1 \setminus P_2|$; given an access control state $\varepsilon$ in which $sat_{e_1}(\varepsilon)$ is true, assign each permission in $P_2 \setminus P_1$ to $|P_1 \setminus P_2|$ different users that are not assigned any other permission in $P_1$; then $k_1 - |P_1 \setminus P_2|$ users together have all the permissions in $P_1$. Therefore, fewer than $k_2$ users in $U_2$ together have all the permissions in $P_2$ (let $U_1 = U_2$), and therefore $sat_{e_2}(\varepsilon)$ is false. This contradicts the assumption that $e_1 \succcurlyeq e_2$. Therefore, if $e_1 \succcurlyeq e_2$, then $(U_1 \supseteq U_2) \wedge (k_1 \ge k_2 + |P_1 \setminus P_2|)$. □
Definition 8. Let $f_1$ and $f_2$ be two SA policies. We say that $U^{f_1}_{loss} \ge U^{f_2}_{loss}$ if and only if $f_1 \succcurlyeq f_2$, and $U^{f_1}_{loss} > U^{f_2}_{loss}$ if and only if $f_1 \succ f_2$.
Theorem 6. For any SA policies $f_1 = sa\langle P_1, U_1, t_1\rangle$ and $f_2 = sa\langle P_2, U_2, t_2\rangle$, $f_1 \succcurlyeq f_2$ if and only if $(P_1 \supseteq P_2) \wedge (U_1 \supseteq U_2) \wedge (t_1 \le t_2)$.
PROOF. For the "if" part, given $(P_1 \supseteq P_2) \wedge (U_1 \supseteq U_2) \wedge (t_1 \le t_2)$, we show that $\forall \varepsilon\,(sat_{f_1}(\varepsilon) \Rightarrow sat_{f_2}(\varepsilon))$ is true. $sat_{f_1}(\varepsilon)$ being true means that any size-$t_1$ user set $U'_1$ from $U_1$ together has all the permissions in $P_1$. Since $(P_1 \supseteq P_2) \wedge (U_1 \supseteq U_2) \wedge (t_1 \le t_2)$, for each $U'_1 \subseteq U_2 \subseteq U_1$ we have $\bigcup_{u \in U'_1} authp_{\varepsilon}(u) \supseteq P_1 \supseteq P_2$ and $|U'_1| = t_1 \le t_2$. Therefore, $sat_{f_2}(\varepsilon)$ is also true.
For the "only if" part, given $f_1 \succcurlyeq f_2$, we show that $(P_1 \supseteq P_2) \wedge (U_1 \supseteq U_2) \wedge (t_1 \le t_2)$ is true. Suppose, for the sake of contradiction, that $\neg((P_1 \supseteq P_2) \wedge (U_1 \supseteq U_2) \wedge (t_1 \le t_2))$ is true, so $(P_1 \subset P_2) \vee (U_1 \subset U_2) \vee (t_1 > t_2)$ is true. If $P_1 \subset P_2$, then $\exists P \in P_2 \setminus P_1$. Assume that there exists an access control state $\varepsilon$ in which $sat_{f_1}(\varepsilon)$ is true. Let $P$ not be assigned to any user in $U_2$; this does not affect $sat_{f_1}(\varepsilon)$. But $sat_{f_2}(\varepsilon)$ is false, as no size-$t_2$ user set from $U_2$ can together cover $P_2$. Thus the assumption is false, and $P_1 \supseteq P_2$ is true.
If $U_1 \subset U_2$ is true, then $\exists u \in U_2 \setminus U_1$. We can now construct a state $\varepsilon$ that makes $sat_{f_2}(\varepsilon)$ true but $sat_{f_1}(\varepsilon)$ false. By Theorem 1, $sat_f(\varepsilon)$ being true means that each size-$t$ user set from $U$ covers the permission set $P$. The above discussion has shown that $P_1 \supseteq P_2$ is true; let $t_1 = t_2$. As $|U_2| + 1 - t_2 > |U_1| + 1 - t_1$, $sat_{f_1}(\varepsilon)$ is true, which contradicts the assumption, and thus $U_1 \supseteq U_2$ is true.
If $t_1 > t_2$ is true, let $f'_1 = sa\langle P_2, U_2, t_1\rangle$. As shown above, $f_1 \succcurlyeq f'_1$, that is, for any state $\varepsilon$, $\neg sat_{f'_1}(\varepsilon) \Rightarrow \neg sat_{f_1}(\varepsilon)$. Thus we only need to construct a state $\varepsilon$ in which $sat_{f_2}(\varepsilon)$ is true but $sat_{f'_1}(\varepsilon)$ is false, as follows. Find a size-$t_1$ user set $U' \subset U_2$ and partition $P_2$ into $t_1$ disjoint sets $v_1, \dots, v_{t_1}$, such that the permissions in each set are assigned to one user in $U'$, respectively. Without any one user in $U'$, the remaining users cannot cover $P_2$. Since $t_1 > t_2$, we can find a size-$t_2$ user set $U'' \subset U'$ whose users do not together have all the permissions in $P_2$. In other words, $sat_{f'_1}(\varepsilon)$ is false, and $sat_{f_1}(\varepsilon)$ is also false. This contradicts the assumption, and thus $t_1 \le t_2$ is true. Consequently, if $f_1 \succcurlyeq f_2$, then $(P_1 \supseteq P_2) \wedge (U_1 \supseteq U_2) \wedge (t_1 \le t_2)$. □
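An added example (not from the paper) that turns the conditions of Theorems 5 and 6 into decision procedures and uses them to build priority strata for Section 3.3. The stratification rule in `stratify` is an assumption: the page only says that higher strata have higher priority, so here $S_1$ holds the policies that no other policy strictly dominates, $S_2$ the next such layer, and so on, which places incomparable policies in the same stratum. The SA policies are those of Example 5 below; the SSoD chain g1, g2, g3 is constructed so that Theorem 5's condition orders it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    kind: str         # "ssod" or "sa"
    name: str
    perms: frozenset
    users: frozenset
    n: int            # k for ssod<P, U, k>, t for sa<P, U, t>

def ssod(name, perms, users, k): return Policy("ssod", name, frozenset(perms), frozenset(users), k)
def sa(name, perms, users, t): return Policy("sa", name, frozenset(perms), frozenset(users), t)

def at_least_as_restrictive(a, b):
    """a ≽ b, decided by the condition of Theorem 5 for SSoD policies (U_1 ⊇ U_2 and
    k_1 ≥ k_2 + |P_1 minus P_2|) and of Theorem 6 for SA policies (P_1 ⊇ P_2, U_1 ⊇ U_2
    and t_1 ≤ t_2)."""
    if a.kind != b.kind:
        raise ValueError("only policies of the same kind are comparable")
    if a.kind == "ssod":
        return a.users >= b.users and a.n >= b.n + len(a.perms - b.perms)
    return a.perms >= b.perms and a.users >= b.users and a.n <= b.n

def strictly_more_restrictive(a, b):
    """a ≻ b: a ≽ b but not b ≽ a. By Definitions 7 and 8, removing a loses more."""
    return at_least_as_restrictive(a, b) and not at_least_as_restrictive(b, a)

def stratify(policies):
    """Assumed construction of the strata S_1, ..., S_m: S_1 holds the policies that no
    other policy strictly dominates, S_2 the same among what remains, and so on.
    Incomparable policies therefore share a stratum; the page does not fix this rule."""
    remaining, strata = list(policies), []
    while remaining:
        top = [p for p in remaining if not any(strictly_more_restrictive(q, p) for q in remaining)]
        top = top or remaining  # guard only; unreachable because ≽ is a preorder
        strata.append(frozenset(p.name for p in top))
        remaining = [p for p in remaining if p not in top]
    return strata

# SA policies of Example 5 (from the page) and a constructed SSoD chain g1 ≻ g2 ≻ g3.
F1 = sa("f1", {"p1", "p2", "p3", "p4"}, {"u1", "u2", "u3", "u4"}, 3)
F2 = sa("f2", {"p1", "p2", "p3"}, {"u1", "u2", "u3"}, 3)
F3 = sa("f3", {"p1", "p2"}, {"u1", "u2"}, 1)
G1 = ssod("g1", {"p1", "p2"}, {"u1", "u2", "u3"}, 3)
G2 = ssod("g2", {"p1", "p2"}, {"u1", "u2"}, 2)
G3 = ssod("g3", {"p1", "p2", "p3"}, {"u1", "u2"}, 2)

def demo():
    """f1 ≻ f2 as the page states; f2 and f3 are incomparable under Theorem 6 because
    t_2 = 3 > t_3 = 1 while P_3 ⊂ P_2. The SSoD chain stratifies into three levels."""
    pairwise = {"f1>f2": strictly_more_restrictive(F1, F2),
                "f2>f3": strictly_more_restrictive(F2, F3),
                "f3>f2": strictly_more_restrictive(F3, F2)}
    return pairwise, stratify([G3, G1, G2])

if __name__ == "__main__":
    print(demo())
```

Because the page's Example 5 places $f_3$ in $S^F_2$ together with $f_2$ by hand, whereas `stratify` would put an undominated policy in the top stratum, the strata for Example 5 are best taken from the page itself rather than recomputed with this rule.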
After computing the rank of $S_{loss}$ for each SSoD policy and of $U_{loss}$ for each SA policy, a fundamental problem in inconsistency resolution is how to make the right tradeoff between safety and utility. However, it is inappropriate to compare safety with utility directly. The most important reason is that removing SSoD policies increases the safety loss of the whole policy set but does not increase the utility gain; similarly, removing SA policies increases the utility loss of the whole policy set but does not increase the safety gain. For example, if we choose to remove $\{e_1, e_2\}$ in Example 5, then $S_{loss} = 100\%$ and $U_{loss} = 0\%$; if we choose to remove $\{f_1, f_2\}$, then $S_{loss} = 0\%$ and $U_{loss} = 100\%$.
If safety and utility cannot be compared directly, how should one consider them in a policy set for inconsistency resolution? Given a number of policy sets that are candidates for removal, we measure for each of them its safety loss $S_{loss}$ and its utility loss $U_{loss}$, obtaining a set of $(S_{loss}, U_{loss})$ pairs, one for each candidate set. An ideal (but unachievable) choice would have the smallest $S_{loss}$ and the smallest $U_{loss}$. For this, we need to be able to compare two different $(S_{loss}, U_{loss})$ pairs.
Definition 9. Given two pairs $(S_{loss}, U_{loss})_1$ and $(S_{loss}, U_{loss})_2$, we define $(S_{loss}, U_{loss})_1 \le (S_{loss}, U_{loss})_2$ if and only if $(S^1_{loss} \le S^2_{loss}) \wedge (U^1_{loss} \le U^2_{loss})$, and $(S_{loss}, U_{loss})_1 < (S_{loss}, U_{loss})_2$ if and only if $(S^1_{loss} < S^2_{loss}) \wedge (U^1_{loss} < U^2_{loss})$.
Definition 10. Let $A$ and $B$ be two policy sets; removing $A$ causes $(S_{loss}, U_{loss})_A$, and removing $B$ causes $(S_{loss}, U_{loss})_B$. We say that the choice of removing $A$ is at least as optimal as removing $B$ (denoted by $(S_{loss}, U_{loss})_A \trianglerighteq (S_{loss}, U_{loss})_B$) if $(S_{loss}, U_{loss})_A \le (S_{loss}, U_{loss})_B$. And the choice of removing $A$ is better than removing $B$ (denoted by $(S_{loss}, U_{loss})_A \triangleright (S_{loss}, U_{loss})_B$) if $(S_{loss}, U_{loss})_A < (S_{loss}, U_{loss})_B$.
Example 4. Let us consider the following policy sets from Example 3 that can be removed to resolve the policy inconsistency: $S_1 = \{e_1\}$, $S_2 = \{f_1\}$, $S_3 = \{e_1, e_2\}$, $S_4 = \{f_1, f_2\}$, $S_5 = \{e_1, e_2, f_1\}$.
Obviously, $(S_{loss}, U_{loss})_{S_1} < (S_{loss}, U_{loss})_{S_3} < (S_{loss}, U_{loss})_{S_5}$ and $(S_{loss}, U_{loss})_{S_2} < (S_{loss}, U_{loss})_{S_4} < (S_{loss}, U_{loss})_{S_5}$. Thus $S_1$ and $S_2$ are two ideal choices to resolve the policy inconsistency.
3.3. Priority-based resolution
The notion of priority is very important in the study of knowledge-based systems, since with priorities inconsistencies have a better chance of being resolved. The following subsections present two priority-based approaches to dealing with policy inconsistencies. We first present the possibilistic logic approach, which selects one consistent subbase, and then the lexicographical inference approach, which selects several maximally consistent subbases [7]. We assume that knowledge bases $\Psi$ are prioritized. A prioritized knowledge base has the form $\Psi = \Psi^E \cup \Psi^F$, where $\Psi^E = S^E_1 \cup \cdots \cup S^E_m$ and $\Psi^F = S^F_1 \cup \cdots \cup S^F_n$; $E$ and $F$ denote all the SSoD and SA policies in the system, respectively. Formulas in $S^E_i$ (or $S^F_i$) have the same level of priority, and have higher priority than those in $S^E_j$ (or $S^F_j$) where $j > i$. $S^E_1$ (or $S^F_1$) contains the formulas with the highest priority in $\Psi$, and $S^E_m$ (or $S^F_n$) contains those with the lowest priority in $\Psi$.
3.3.1. Possibilistic logic approach
The possibilistic logic approach selects one suitable consistent prioritized subbase of $\Psi$, whereas the other policies, those in the complement of that subbase in $\Psi$, should be removed. We extract a subbase $\varphi(\Psi)$ from $\Psi$ made of the first $x$ most important and consistent strata (levels): $\varphi(\Psi) = S_1 \cup \cdots \cup S_x$, such that $S_1 \cup \cdots \cup S_x$ is consistent but $S_1 \cup \cdots \cup S_{x+1}$ is inconsistent.
Algorithm 2. GeneratePoss(Ψ)
Input: knowledge base Ψ = Ψ^E ∪ Ψ^F
Output: Poss(Ψ)
1: initialize Poss(Ψ) = S_1^E ∪ S_1^F, i = 1, j = 1;
2: while (i ≤ m && j ≤ n) do
3: if Poss(Ψ) is inconsistent then
4: Poss(Ψ) = Poss(Ψ) \ S_i^E \ S_j^F;
5: if Poss(Ψ) ∪ S_i^E is consistent then
6: Poss(Ψ) = Poss(Ψ) ∪ S_i^E;
7: i++;
8: else
9: for e ∈ S_i^E do
10: if Poss(Ψ) ∪ {e} is consistent then
11: Poss(Ψ) = Poss(Ψ) ∪ {e};
12: end if
13: end for
14: end if
15: if Poss(Ψ) ∪ S_j^F is consistent then
16: Poss(Ψ) = Poss(Ψ) ∪ S_j^F;
17: j++;
18: else
19: for f ∈ S_j^F do
20: if Poss(Ψ) ∪ {f} is consistent then
21: Poss(Ψ) = Poss(Ψ) ∪ {f};
22: end if
23: end for
24: end if
25: else
26: i++;
27: j++;
28: Poss(Ψ) = Poss(Ψ) ∪ S_i^E ∪ S_j^F;
29: end if
30: end while;
31: return Poss(Ψ).
Definition 11. We define Poss(Ψ) as the preferred consistent possibilistic subbase of $\Psi$: Poss(Ψ) $= \{A : A \subseteq \Psi$ is consistent and there is no consistent $B \subseteq \Psi$ with $B \supset A\}$.
We now give an algorithm to compute Poss(Ψ) for $\Psi$ (Algorithm 2). The algorithm iteratively adds the SSoD and SA policies with higher priority first. Removing the policies that are not in Poss(Ψ) is what makes the other policies in $\Psi$ consistent. This algorithm has a best-case time complexity of $O(mn)$ and a worst-case time complexity of $O(mnM2^N)$, where $m$ is the number of SSoD policies, $n$ is the number of SA policies, $M$ is the number of users and $N$ is the number of permissions.
Example 5. Consider the combination of the following SSoD and SA policies.
$Q = \{e_1, e_2, f_1, f_2, f_3\}$
$e_1 = ssod\langle\{p_1, p_2, p_3\}, \{u_1, u_2, u_3\}, 2\rangle$
$e_2 = ssod\langle\{p_1, p_2\}, \{u_1, u_2\}, 2\rangle$
$f_1 = sa\langle\{p_1, p_2, p_3, p_4\}, \{u_1, u_2, u_3, u_4\}, 3\rangle$
$f_2 = sa\langle\{p_1, p_2, p_3\}, \{u_1, u_2, u_3\}, 3\rangle$
$f_3 = sa\langle\{p_1, p_2\}, \{u_1, u_2\}, 1\rangle$
By Theorems 5 and 6, we find that $e_1 \succ e_2$ and $f_1 \succ f_2$. Thus $\Psi = \Psi^E \cup \Psi^F$, where $\Psi^E = S^E_1 \cup S^E_2$, $\Psi^F = S^F_1 \cup S^F_2$, $S^E_1 = \{e_1\}$, $S^E_2 = \{e_2\}$, $S^F_1 = \{f_1\}$, $S^F_2 = \{f_2, f_3\}$. By Algorithm 2, Poss(Ψ) $= S^E_1 \cup S^F_1 \cup S^E_2 \cup \{f_2\} = \{e_1, e_2, f_1, f_2\}$. Therefore, the removal of $f_3$ is an optimal choice to resolve the policy inconsistency.
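An added, self-contained example (not the paper's code) that ties Examples 3 to 5 together around a brute-force consistency check: `removal_choices` reproduces the thirteen removal sets of Example 3, `best_choices` applies Definition 10 to them under an assumed loss measure (the share of SSoD and of SA policies removed, which the page leaves open), and `generate_poss` runs Algorithm 2 on Example 5 with the strata the page derives. The `Policy` record and all function names are chosen here. The exhaustive `consistent` is only for toy instances: as the page notes, CCP is coNP-complete, and an inconsistent input forces a walk over every user-permission assignment.

```python
from dataclasses import dataclass
from functools import reduce
from itertools import combinations, product
from operator import or_

@dataclass(frozen=True)
class Policy:
    kind: str         # "ssod" or "sa"
    name: str
    perms: frozenset
    users: frozenset
    n: int            # k for ssod<P, U, k>, t for sa<P, U, t>

def ssod(name, perms, users, k): return Policy("ssod", name, frozenset(perms), frozenset(users), k)
def sa(name, perms, users, t): return Policy("sa", name, frozenset(perms), frozenset(users), t)

_memo = {}  # frozenset of policies -> consistent? (avoids repeating exhaustive walks)

def consistent(policies):
    """True iff some access control state satisfies every policy. Every user x permission
    bit is enumerated; an inconsistent input means all 2^(|U|*|P|) states are visited."""
    key = frozenset(policies)
    if key in _memo:
        return _memo[key]
    users = sorted(set().union(*(p.users for p in key)))
    perms = sorted(set().union(*(p.perms for p in key)))
    bit = {p: 1 << i for i, p in enumerate(perms)}
    compiled = []  # (is_ssod, mask of P, user-index groups of size k-1 or t)
    for pol in key:
        need = sum(bit[p] for p in pol.perms)
        idx = [users.index(u) for u in sorted(pol.users)]
        size = pol.n - 1 if pol.kind == "ssod" else pol.n
        compiled.append((pol.kind == "ssod", need, list(combinations(idx, size))))
    result = False
    for state in product(range(1 << len(perms)), repeat=len(users)):  # state[i] = authp(u_i)
        ok = True
        for is_ssod, need, groups in compiled:
            covers = [(reduce(or_, (state[i] for i in g), 0) & need) == need for g in groups]
            # ssod: no k-1 users may jointly hold P; sa: every t users must jointly hold P
            if any(covers) if is_ssod else not all(covers):
                ok = False
                break
        if ok:
            result = True
            break
    _memo[key] = result
    return result

def generate_poss(strata_e, strata_f):
    """Algorithm 2 (GeneratePoss). strata_e = [S_1^E, ..., S_m^E] and strata_f = [S_1^F, ...,
    S_n^F] are sets of Policy ordered from highest to lowest priority."""
    m, n = len(strata_e), len(strata_f)
    base = set(strata_e[0]) | set(strata_f[0])
    i = j = 1
    while i <= m and j <= n:
        if consistent(base):                     # steps 25-28: take the next strata
            i, j = i + 1, j + 1
            if i <= m: base |= strata_e[i - 1]
            if j <= n: base |= strata_f[j - 1]
            continue
        se, sf = strata_e[i - 1], strata_f[j - 1]
        base -= se | sf                           # step 4: back out the offending strata
        for which, stratum in (("e", se), ("f", sf)):
            if consistent(base | stratum):        # steps 5-7 / 15-17: re-add the whole stratum
                base |= stratum
                if which == "e": i += 1
                else: j += 1
            else:                                 # steps 9-13 / 19-23: keep what still fits
                for pol in sorted(stratum, key=lambda p: p.name):
                    if consistent(base | {pol}):
                        base.add(pol)
    return frozenset(base)

def removal_choices(policies):
    """Every proper non-empty subset whose removal leaves the rest consistent (Example 3)."""
    pols = sorted(policies, key=lambda p: p.name)
    return [frozenset(p.name for p in rem) for r in range(1, len(pols))
            for rem in combinations(pols, r) if consistent(set(pols) - set(rem))]

def best_choices(policies):
    """Assumed measure: S_loss = share of SSoD policies removed, U_loss = share of SA policies
    removed. Keeps the choices that no other choice is at least as optimal as (Definition 10:
    componentwise <= with a different pair)."""
    kind = {p.name: p.kind for p in policies}
    ne, nf = sum(k == "ssod" for k in kind.values()), sum(k == "sa" for k in kind.values())
    loss = {c: (sum(kind[x] == "ssod" for x in c) / ne, sum(kind[x] == "sa" for x in c) / nf)
            for c in removal_choices(policies)}
    return {c for c in loss if not any(loss[b] != loss[c] and loss[b][0] <= loss[c][0]
                                        and loss[b][1] <= loss[c][1] for b in loss)}

EXAMPLE_1 = [ssod("e1", {"p1", "p2", "p3"}, {"u1", "u2", "u3"}, 2),   # policies of Example 1
             ssod("e2", {"p1", "p2"}, {"u1", "u2"}, 2),
             sa("f1", {"p1", "p2"}, {"u1", "u2", "u3"}, 2),
             sa("f2", {"p2", "p3"}, {"u2", "u3"}, 1)]
# Example 5 with the strata the page derives: S_1^E={e1}, S_2^E={e2}, S_1^F={f1}, S_2^F={f2,f3}
STRATA_E = [{ssod("e1", {"p1", "p2", "p3"}, {"u1", "u2", "u3"}, 2)},
            {ssod("e2", {"p1", "p2"}, {"u1", "u2"}, 2)}]
STRATA_F = [{sa("f1", {"p1", "p2", "p3", "p4"}, {"u1", "u2", "u3", "u4"}, 3)},
            {sa("f2", {"p1", "p2", "p3"}, {"u1", "u2", "u3"}, 3), sa("f3", {"p1", "p2"}, {"u1", "u2"}, 1)}]

def demo():
    return (removal_choices(EXAMPLE_1),
            {tuple(sorted(c)) for c in best_choices(EXAMPLE_1)},
            sorted(p.name for p in generate_poss(STRATA_E, STRATA_F)))
```

Running `demo()` gives the thirteen removal sets of Example 3 (with $\{e_2\}$ absent, since $e_1$, $f_1$ and $f_2$ alone are still inconsistent), the three non-dominated single-policy removals $\{e_1\}$, $\{f_1\}$, $\{f_2\}$, and Poss(Ψ) $= \{e_1, e_2, f_1, f_2\}$ for Example 5, matching the page. Under the assumed measure the pairs for $\{e_1\}$ and $\{e_1, e_2\}$ differ in one component only, so Definition 9's strict "<" does not order them; the filter therefore uses "at least as optimal" ($\trianglerighteq$) with unequal pairs.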
3.3.2. Lexicographical inference approach
The possibilistic way of dealing with inconsistency is not entirely satisfactory, since it only considers the first $x$ most important consistent formulas, those with the highest priority. However, less certain formulas that are not responsible for the inconsistencies should also be taken into account. The idea of the lexicographical inference approach is to select not just one consistent subbase but several maximally consistent subbases. Obviously, lexicographical inference is more expensive than possibilistic logic.
Definition 12. A consistent subbase $A \subseteq \Psi$ is said to be lexicographically preferred to a consistent subbase $B \subseteq \Psi$, denoted by $A \triangleright_{lex} B$, if there exist levels $i$ $(1 \le i \le m)$ and $j$ $(1 \le j \le n)$ such that:
$$(|A \cap S^E_i| > |B \cap S^E_i|) \wedge (\forall x \in [1, i),\ |A \cap S^E_x| = |B \cap S^E_x|) \wedge (|A \cap S^F_j| > |B \cap S^F_j|) \wedge (\forall y \in [1, j),\ |A \cap S^F_y| = |B \cap S^F_y|).$$
Definition 13. We define Lex(Ψ) as the set of all preferred consistent lexicographical subbases of $\Psi$: Lex(Ψ) $= \{A : A \subseteq \Psi$ is consistent and there is no consistent $B \subseteq \Psi$ with $B \triangleright_{lex} A\}$.
We now give an algorithm to generate Lex(Ψ), which covers all preferred consistent lexicographical subbases of $\Psi$. The algorithm is similar to Algorithm 2, with the following improvement. Given the knowledge base $\Psi = \Psi^E \cup \Psi^F$: if Poss(Ψ) $\cup\, S^E_i$ or Poss(Ψ) $\cup\, S^F_j$ is inconsistent, the algorithm does not stop (whereas in Algorithm 2 no policy in $S^E_k$ or $S^F_l$ with $k > i$, $l > j$ is considered any further), but keeps adding the policies in $S^E_k$ and $S^F_l$ to Poss(Ψ). In this enumeration approach the algorithm tries all possibilities and eventually outputs all preferred consistent lexicographical subbases of $\Psi$, that is, Lex(Ψ). In Example 4, there exist two lexicographically preferred consistent subbases, $A = \{e_1, e_2, f_1, f_2\}$ and $B = \{e_1, f_1, f_2, f_3\}$, so Lex(Ψ) $= \{A, B\}$.