The Unified Policy Framework (UPF)

Achim D. Brucker 📧, Lukas Brügger 📧 and Burkhart Wolff 📧

November 28, 2014

This is a development version of this entry. It might change over time and is not stable. Please refer to release versions for citations.


We present the Unified Policy Framework (UPF), a generic framework for modelling security (access-control) policies. UPF emphasizes the view that a policy is a policy decision function that grants or denies access to resources, permissions, etc. In other words, instead of modelling the relations of permitted or prohibited requests directly, we model the concrete function that implements the policy decision point in a system. In more detail, UPF is based on the following four principles: 1) Functional representation of policies, 2) No conflicts are possible, 3) Three-valued decision type (allow, deny, undefined), 4) Output type not containing the decision only.


BSD License


Session UPF