The FACPL language is the basis of a user-friendly, feasible and effective approach to the specification, analysis and enforcement of policy-based computer systems. FACPL can express high-level policies regulating various aspects of computer systems, e.g. access control, resource usage and adaptation. The FACPL denotational semantics provides a full formal account of the security model.
FACPL specifications are hierarchically structured in terms of FACPL elements, i.e., rules and policy sets. These elements specify a name, the effect of a positive evaluation (i.e. permit or deny), targets for applicability, the algorithm for combining the results of the evaluation of the contained elements, and a set of obligations, i.e. supplemental actions such as updating a log file, sending a message or setting an attribute.
The evaluation of a request with respect to a FACPL element triggers the processing of the element. If the element’s target does not match the request, the element does not apply. Otherwise, in the case of policy sets, the processing proceeds by recursing on the enclosed elements and composing their resulting decisions through the specified combining algorithm; in the case of rules, the processing returns the rule’s effect as a decision. The final decision is then established on the basis of the result of discharging the obligations.
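The evaluation flow described above, sketched as an added Python example; it is a simplified model, not FACPL syntax, FACPL's own tooling or its formal semantics. Assumptions: the names (`Element`, `enforce`, the sample policy), the deny-overrides combining algorithm, obligations that apply whatever the decision, and a failed obligation turning the final decision into deny.

```python
# Simplified model of the evaluation flow described above; not FACPL's own semantics or tooling.
from dataclasses import dataclass, field
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not-applicable"

def deny_overrides(results):
    """Assumed combining algorithm: any deny wins, otherwise any permit."""
    for wanted in (DENY, PERMIT):
        if any(d == wanted for d, _ in results):
            return wanted, [o for d, obls in results if d == wanted for o in obls]
    return NOT_APPLICABLE, []

@dataclass
class Element:
    name: str
    target: Callable[[dict], bool]          # applicability check on the request
    effect: str = PERMIT                    # used by rules only
    combine: Callable = deny_overrides      # used by policy sets only
    elements: List["Element"] = field(default_factory=list)   # empty for a rule
    obligations: List[Callable[[dict], bool]] = field(default_factory=list)

    def evaluate(self, req):
        if not self.target(req):
            return NOT_APPLICABLE, []       # target mismatch: element does not apply
        if not self.elements:               # rule: return its effect as the decision
            return self.effect, list(self.obligations)
        decision, obls = self.combine([e.evaluate(req) for e in self.elements])
        if decision == NOT_APPLICABLE:
            return decision, []
        return decision, obls + self.obligations

def enforce(element, req):
    """Final decision after obligation discharge (assumption: a failed obligation means deny)."""
    decision, obls = element.evaluate(req)
    if decision == NOT_APPLICABLE:
        return decision
    return decision if all([o(req) for o in obls]) else DENY

# Constructed sample policy and obligations.
AUDIT = []
def log_access(req):
    AUDIT.append((req["role"], req["action"]))
    return True
def notify_owner(req):
    return False                            # constructed failure: message cannot be sent

POLICY = Element("records", lambda r: r["resource"] == "record", elements=[
    Element("doctor-read", lambda r: r["role"] == "doctor" and r["action"] == "read",
            PERMIT, obligations=[log_access]),
    Element("nurse-read", lambda r: r["role"] == "nurse" and r["action"] == "read",
            PERMIT, obligations=[notify_owner]),
    Element("night-lock", lambda r: r["hour"] >= 22, DENY),
])
```

Calling `enforce(POLICY, request)` with a request dictionary carrying `resource`, `role`, `action` and `hour` returns the final decision; the nurse case shows a permit from the combining step being overturned when its obligation cannot be discharged.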