In this chapter, we describe an authorization policy validation framework. Authorization (or access control) policies, just like device policies and privacy policies, are an important class of policies for safeguarding enterprise resources. Specifically, authorization policies provide confidentiality and integrity of enterprise IT resources by placing restrictions on reading and modification of these resources. Hence a policy validation framework for authorization policies must be part of PCCP (the policy checking/certification and compliance point).
Enterprise authorization specifications specify the access rights of various users or roles to enterprise resources and are used by a module of IT systems to enforce access restrictions during the operation of these systems. This module is called the access control mechanism. Hence the first point of trust in the overall access control mechanism is the underlying data it uses (i.e., the enterprise authorization specification). The enterprise authorization specification in turn should reflect the intent of the authorization policies. Hence it is necessary to validate the enterprise authorization specification for conformance to the authorization policies. We will call a methodology or approach to accomplish this the authorization policy validation framework.
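A minimal illustration of the validation step described above, added here and not part of the chapter or of any framework it describes: an RBAC-style authorization specification (users, roles with inheritance, and role permissions) is checked for conformance against two kinds of authorization policy, "only these roles may perform this action on this resource" and static separation of duty. All users, roles, resources, permissions and the two policy types are constructed for the example; the point is that violations can hide behind role inheritance, so the checker computes each user's effective roles and permissions before testing the policies.

```python
"""Toy conformance checker: does an RBAC authorization specification
satisfy a set of authorization policies?  Added illustration, not the
chapter's own framework; all names and data below are constructed."""

from dataclasses import dataclass, field


@dataclass
class AuthzSpec:
    """Enterprise authorization specification: the data the access control
    mechanism enforces.  role_parents maps a role to the roles it inherits."""
    user_roles: dict[str, set[str]]
    role_perms: dict[str, set[tuple[str, str]]]            # role -> {(resource, action)}
    role_parents: dict[str, set[str]] = field(default_factory=dict)

    def roles_of(self, user: str) -> set[str]:
        """All roles a user holds, including those reached via inheritance."""
        seen: set[str] = set()
        stack = list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.role_parents.get(role, ()))
        return seen

    def perms_of(self, user: str) -> set[tuple[str, str]]:
        """Effective (resource, action) pairs of a user through all roles held."""
        return {p for r in self.roles_of(user) for p in self.role_perms.get(r, ())}


# Authorization policies: the intent the specification must conform to.
@dataclass
class OnlyRoles:
    """(resource, action) may be granted only to users holding one of `roles`."""
    resource: str
    action: str
    roles: set[str]


@dataclass
class SeparationOfDuty:
    """No single user may hold every role in `roles`, directly or inherited."""
    roles: set[str]


def validate(spec: AuthzSpec, policies: list) -> list[str]:
    """Return one human-readable line per (user, policy) violation found."""
    violations: list[str] = []
    for user in spec.user_roles:
        roles = spec.roles_of(user)
        perms = spec.perms_of(user)
        for pol in policies:
            if isinstance(pol, OnlyRoles):
                if (pol.resource, pol.action) in perms and not (roles & pol.roles):
                    violations.append(
                        f"{user}: holds {pol.action} on {pol.resource} "
                        f"without any of {sorted(pol.roles)}")
            elif isinstance(pol, SeparationOfDuty):
                if pol.roles <= roles:
                    violations.append(
                        f"{user}: holds conflicting roles {sorted(pol.roles)}")
    return violations


# Constructed specification: admin inherits approver, approver inherits clerk.
SPEC = AuthzSpec(
    user_roles={"alice": {"clerk", "approver"}, "bob": {"auditor"}, "carol": {"admin"}},
    role_perms={
        "clerk": {("invoice", "read"), ("invoice", "create")},
        "approver": {("invoice", "approve")},
        "auditor": {("audit_log", "read")},
        "admin": {("audit_log", "read"), ("user", "manage")},
    },
    role_parents={"approver": {"clerk"}, "admin": {"approver"}},
)

# Constructed policies: only auditors read the audit log; nobody both
# creates and approves invoices.
POLICIES = [
    OnlyRoles("audit_log", "read", {"auditor"}),
    SeparationOfDuty({"clerk", "approver"}),
]


if __name__ == "__main__":
    for line in validate(SPEC, POLICIES):
        print("VIOLATION", line)
```

Running the block reports three violations: alice holds both conflicting roles directly, while carol reaches both of them and the audit-log read through the admin role's inheritance chain, which is exactly the kind of discrepancy between specification and policy intent that a validation framework exists to surface.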