Detection of Conflicts Between Resource Authorization Rules in Extensible Access Control Markup Language Based on Dynamic Description Logic

As a description standard for RARs, the XACML [1] was formulated by Organization of the Advancement of Structured Information Standard (OASIS) to promote the consistency of ACR descriptions on the network layer. With a fine-grained description method for attribute authorization and an easily expandable form of rule description, the XACML offers a suitable tool to describe the access control and authorization of distributed resources.

In recent years, the XACML has been frequently adopted for logic description and reasoning of ACRs in distributed environments. Facing the heterogeneous Internet of things (IoT), Atlam et al. [2] depicted the ACRs of lightweight IoT devices with the XACML, and designed a distributed and flexible cross-domain resource access control method. Based on the grammar rules of the XACML, the designed method expands the application scope and enhances the fault tolerance and authorization validation of the original model. Focusing on cloud service application scenarios in health services, Ayache et al. [3] developed an XACML-based cloud service for verifying ACRs, which realizes data sharing, task invocation and activity coordination across service domains. Kanwal et al. [4] tackled the security of data release and sharing of electronic medical records in a hybrid cloud environment, made fine-grained XACML description of resource ACRs in that environment, and thereby improved the capabilities of the ACRs in privacy protection and access control. For safe access to IoT devices in distributed network, Charaf et al. [5] proposed an XACML-based access control method for terminal devices, which is reliable, available and confidential.

Damiano et al. [6] applied blockchain technology to describe ACRs and establish a decentralized trust verification mechanism for cross-domain resources. Specifically, the security performance of resource attributes was subject to fine-grained description, and the attributes and rules were linked to the blockchain in the form of smart contract. The proposed mechanism was validated in the Ethereum environment. Based on the blockchain technology, Ma et al. [7] created a distributed key management architecture for the hierarchical access control of the IoT. The architecture satisfies the demand for access control of cross-domain cloud services, supports decentralized and fine-grained verification of attributes, and integrates privacy protection into the ACRs. Zyskind and Nathan [8] combined blockchain technology and off-chain storage into a data management platform for privacy protection. In the platform, the access control process mainly focuses data reading, failing to form a complete access control system. Sukhodolskiy and Zapechnikov [9] put forward an access control method for data storage in a cloud environment. Wang et al. [10] realized data storage and sharing without the participation of providers, using Ethereum and an attribute-based access control method. Furthermore, many other researchers have studied the access control strategy described by XACML about Policies formalization [11], Automatic Testing [12], Model testing [13], policy tracing [14], automated fault localization [15].

The above studies mainly explored the access control mechanism of cross-domain resources in different application environments, and developed some mitigation methods for rule conflicts based on the XACML. Most of these methods mitigate the impact of rule conflicts on the authorization process from the perspective of authorization results. However, the nature of the mitigation has not been analyzed from the angles of rule description and attribute structure, weakening the ability of reasoning and verification. The XACML-based rule combination algorithms neglect the attributes and the underlying causes leading to rule conflicts, and overlook the influence of rule correlations and attribute hierarchy on the rule conflicts. To make up for the gaps, the rule conflicts should be detected and mitigated before judging the authorization, using the reasoning ability of dynamic description logic (DDL). In this way, the security management personnel in the domain can discover rule conflicts in time, find the reasons of conflicts, and simplify the relevant rules.

2.jpg

Figure 2. The hierarchy of RAR conflicts

4.1 Types of rule conflicts

The rule authorization effect depends on whether the subject is permitted to access or denied from accessing the requested resource. For the attributes of the subject, rule conflicts may arise from the CIRs in concepts and instances; for the attributes of the resource, rule conflicts may arise from the CIRs. The potential rule conflicts are classified as Figure 2, where AS is subject attribute, AO is resource attribute, hollow arrow is the implication and inheritance between attribute concepts, the plus sign is permit, and the minus sign is denied.

For subject attributes, the lower attributes inherit the rights of the upper attributes. For resource attributes, the lower attributes are the fine-grained expression of the upper attributes. As shown in Figure 2, the RARs were divided into eight types (a)-(h) according to the CIRs of subjects and resources, the granularity of resource attributes, and the requirements on permit and deny. The difference between RAR types comes from the hierarchy of conceptual knowledge. The following analyzes the possible rule conflicts in each type of RARs. Note that Rule1 and Rule2 are denoted as action sub-models $\mathcal{M}_{A c t_{1}}$ and $\mathcal{M}_{A c t_{2}}$, respectively.

(a) $\mathcal{M}_{A c t_{1}} \vDash A S \rightarrow_{\alpha^{+}}^{\gamma} A O_{1}, \mathcal{M}_{A C t_{2}} \vDash A S \rightarrow_{\alpha^{-}}^{\gamma} A O_{2}$

$\left\{\begin{array}{c}\mathcal{M}_{A c t_{1}} \neq \mathcal{M}_{A c t_{1}}^{\prime}=A S \rightarrow_{\alpha^{+}}^{\gamma} A O_{2} \\ \mathcal{M}_{A c t_{2}} \vDash A S \rightarrow_{\alpha^{-}}^{\gamma} A O_{2}\end{array}\right\} \nRightarrow$ conflict $_{M_{A c t_{1}}}^{\mathcal{M}_{A c t_{2}}}$

In Figure 2, (a) and (b) describe the authorization of hierarchical resources to the same subject. AS means the permit for coarse-grained attribute AO₁. The permit cannot be inherited by the fine-grained attribute AO₂, that is, there exists no interpretation of action sub-model $\mathcal{M}_{A c t_{1}}^{\prime}$ that meets the permit for AO₂. Therefore, the two RAR actions will not have any conflict.

(b) $\mathcal{M}_{A c t_{1}} \vDash A S \rightarrow_{\alpha^{-}}^{\gamma} A O_{1}, \mathcal{M}_{A c t_{2}} \vDash A S \rightarrow_{\alpha^{+}}^{\gamma} A O_{2}$

$\left\{\begin{array}{c}\mathcal{M}_{A c t_{1}} \Rightarrow \mathcal{M}_{A c t_{1}}^{\prime} \vDash A S \rightarrow_{\alpha^{-}}^{\gamma} A O_{2} \\ \mathcal{M}_{A c t_{2}} \vDash A S \rightarrow_{\alpha^{+}}^{\gamma} A O_{2}\end{array}\right\} \Rightarrow$ Conflict $_{M_{A C t_{1}}}^{M_{A c t_{2}}}$

If the access to coarse-grained resource attributes is denied, the deny will be inherited by the lower fine-grained resource attributes, that is, there exists an interpretation of action sub-model $\mathcal{M}_{A c t_{1}}^{\prime}$ to meet the deny of fine-grained attribute AO₂. In this case, the RARs will conflict each other.

(c) $\mathcal{M}_{A c t_{1}} \vDash A S_{1} \rightarrow_{\alpha^{+}}^{\gamma} A O, \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O$

$\left\{\begin{array}{c}\mathcal{M}_{A c t_{1}} \Rightarrow \mathcal{M}_{A c t_{1}}^{\prime}=A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O \\ \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O\end{array}\right\} \Rightarrow$Conflict$_{\mathcal{M}_{A c t_{1}}}^{\mathcal{M}_{A c t_{2}}}$

(c) and (d) are the resource authorization of subject attributes with CIRs. In the case of (c), the permit of AS₁ for AO can be transferred to its sub-attribute AS₂, such that there exists an interpretation of action sub-model $\mathcal{M}_{A c t_{1}}^{\prime}$ that permits AS₂ to access AO. This conflicts with the deny of the other rule $\mathcal{M}_{A c t_{2}}$.

(d) $\mathcal{M}_{A c t_{1}} \vDash A S_{1} \rightarrow_{\alpha^{-}}^{\gamma} A O, \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O$

$\left\{\begin{array}{c}\mathcal{M}_{A c t_{1}} \Rightarrow \mathcal{M}_{A c t_{1}}^{\prime} \vDash A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O \\ \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O\end{array}\right\} \Rightarrow$Conflict$_{\mathcal{M}_{A c t_{1}}}^{\mathcal{M}_{A c t_{2}}}$

Both (c) and (d) are resulted from the authorization inheritance of subject and resource attributes. In the case of (d), the deny of AS₁ for AO leads to the deny of AS₂ for AO, that is, there exists an interpretation of action sub-model $\mathcal{M}_{A c t_{1}}^{\prime}$ that denies AS₂ from accessing AO. This conflicts with the permit of the other rule $\mathcal{M}_{A c t_{2}}$.

(e) $\mathcal{M}_{A c t_{1}} \vDash A S_{1} \rightarrow_{\alpha^{-}}^{\gamma} A O_{2}, \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O_{1}$

$\left\{\begin{array}{l}\mathcal{M}_{A c t_{1}} \Rightarrow \mathcal{M}_{A c t_{1}}^{\prime} \vDash A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O_{2} \\ \mathcal{M}_{A c t_{2}} \neq \mathcal{M}_{A c t_{2}}^{\prime}\vDash A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O_{2}\end{array}\right\} \Rightarrow$Conflict$_{\mathcal{M}_{A c t_{1}}}^{\mathcal{M}_{A c t_{2}}}$

(a)-(d) are four basic RARs of atomic level attributes. Considering more complex situations, (e) describes the cross-authorization of hierarchical subjects and resources. The subject attributes can inherit the authorization effect of the upper attributes according to the CIRs. Hence, there exists an $\mathcal{M}_{A c t_{1}}^{\prime}$ that denies AS₂ from accessing AO₂. Since the permit for a coarse-grained resource attribute cannot be inherited by lower fine-grained attribute, there is no $\mathcal{M}_{A c t_{2}}^{\prime}$ that describes the permit for AO₂. In this case, the two rules will not have any conflict.

$(\mathrm{f}) \mathcal{M}_{A c t_{1}} \vDash A S_{1} \rightarrow_{\alpha^{+}}^{\gamma} A O_{2}, \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O_{1}$

$\left\{\begin{array}{l}\mathcal{M}_{A c t_{1}} \Rightarrow \mathcal{M}_{A c t_{1}}^{\prime}=A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O_{2} \\ \mathcal{M}_{A c t_{2}} \Rightarrow \mathcal{M}_{A c t_{2}}^{\prime}=A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O_{2}\end{array}\right\} \Rightarrow$Conflict$_{\mathcal{M}_{A c t_{1}}}^{M_{A c t_{2}}}$

The cross-authorization of (f) is opposite to the effect of (e). In this case, the CIR of each subject attribute make it possible to transfer permit to sub-attribute AS₂. Hence, there exists an $\mathcal{M}_{A c t_{1}}^{\prime}$ that allows AS₂ to access AO₂. Meanwhile, the deny for coarse-grained resource attribute AO₁ can be inherited by lower fine-grained attribute AO₂. Thus, there exists an $\mathcal{M}_{A c t_{2}}^{\prime}$ that denies AS₂ from accessing AO₂. As a result, the two rules will have conflict.

$(\mathrm{g}) \mathcal{M}_{A c t_{1}} \vDash A S_{1} \rightarrow_{\alpha^{+}}^{\gamma} A O_{1}, \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O_{2}$

$\left\{\begin{array}{c}\mathcal{M}_{A c t_{1}} \Rightarrow \mathcal{M}_{A c t_{1}}^{\prime} \vDash A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O_{1} \\ \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha}^{\gamma}-A O_{2}\end{array}\right\} \nRightarrow$ Conflict $_{\mathcal{M}_{A c t_{1}}}^{M_{A c t_{2}}}$

(g) and (h) are two parallel authorizations. (g) describes the different authorization effects between upper resource attributes to upper subject attributes. The subject attribute AS₁ transfers the permit for AO₁ to the lower sub-attribute AS₂ via the CIR. Hence, there exists an $\mathcal{M}_{A c t_{1}}^{\prime}$ that allows AS₂ to access AO₁. For action sub-models $\mathcal{M}_{A c t_{1}}^{\prime}$ and $\mathcal{M}_{A c t_{2}}$, (g) can be transformed into atomic authorization (a). Therefore, the two rules will have no conflict.

(h) $\mathcal{M}_{A c t_{1}} \vDash A S_{1} \rightarrow_{\alpha^{-}}^{\gamma} A O_{1}, \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O_{2}$

$\left\{\begin{array}{c}\mathcal{M}_{A c t_{1}} \Rightarrow \mathcal{M}_{A c t_{1}}^{\prime} \vDash A S_{2} \rightarrow_{\alpha^{-}}^{\gamma} A O_{1} \\ \mathcal{M}_{A c t_{2}} \vDash A S_{2} \rightarrow_{\alpha^{+}}^{\gamma} A O_{2}\end{array}\right\} \Rightarrow$Conflict$_{\mathcal{M}_{A c t_{1}}}^{M_{A c t_{2}}}$

Similar to the conflict analysis of (g), the subject attribute AS₁ in the case of (h) transfers the deny for AO₁ to the lower sub-attribute AS₂ via the CIR. Hence, there exists an $\mathcal{M}_{A c t_{1}}^{\prime}$ that denies AS₂ from accessing AO₁. For action sub-models $\mathcal{M}_{A c t_{1}}^{\prime}$ and $\mathcal{M}_{A C t_{2}}$, (h) can be transformed into (b). Therefore, the two rules will have conflict.

4.2 DDL-based conflict detection

From the above analysis on the types of rule conflicts, the possible situations of rule conflicts can be divided into four kinds of atomic authorizations (a)-(d). Based on the subject CIRs and inheritance of resource granularity, the cases (e)-(h) could be transformed into (a)-(b).

Among the four cases, no conflict will occur in (a), for the permit for coarse-grained resource attribute AO₁ cannot be transferred to lower fine-grained attribute AO₂. In the other three cases, rule conflicts may occur due to the presence of CIR and deny transfer to fine-grained attributes. To detect the conflicts between XACML rules, two issues must be taken into account: the CIRs and type of authorization between subject AS and resource AO.

To facilitate the description of the permit and deny in XACML rules, the action sub-model was divided into a set of positive interpretations $\mathcal{M}_{A c t}^{\text {Permit}} \equiv A S \rightarrow_{\alpha^{+}}^{\gamma} A O$ and a set of negative interpretations $\mathcal{M}_{A c t}^{D e n y} \equiv A S \rightarrow_{{\alpha}^-}^{\gamma}A O$. Depending on the authorization effect, the RAR with resource is included in different interpretation sets. In case (a), $\mathcal{M}_{A c t_{1}} \in \mathcal{M}_{A c t}^{\text {Permit}}$ and $\mathcal{M}_{A c t_{2}} \in \mathcal{M}_{A c t}^{D e n y}$. Besides, the subject attributes needed for each authorization action were represented by an interpretation of an instance sub-model $\mathcal{M}_{\text {instance}_P}^{\mathcal{F}}$, where $\mathcal{F}$ is the precondition made up of subject attributes. The authorized resource attributes were represented by another instance sub-model $\mathcal{M}_{\text {instance}_{E}}$. Next, the rule conflicts were detected from subject and resource attributes, respectively.

The inputs of Algorithm 1 include the positive RAR set $\mathcal{M}_{A c t}^{\text {Permit}}$ and the negative RAR set $\mathcal{M}_{A c t}^{D e n y}$, as well as the conceptual knowledge base TBox T. The algorithm detects the rule conflicts arising from the hierarchical inheritance of the resource attributes accessed by the subject, and returns a conflict symbol Conflict $_{M_{A c t_{1}}}^{M_{A c t_{2}}}$.

In Lines 1 and 2, positive RARs and negative RARs in the rules are traversed. The action sub-models are expressed as $\mathcal{M}_{A c t_{1}}$ and $\mathcal{M}_{A c t_{2}}$. If there exists an assignment $\gamma^{\mathcal{F}}$ that makes instance $\mathcal{M}_{\text {Instance}_{P}}$ satisfy the preconditions of $\mathcal{M}_{A c t_{1}}$ and $\mathcal{M}_{A c t_{2}}$ (Line 3), and if there exist concept sub-models $\mathcal{M}_{\text {Concept }_{E_{1}}}^{I}$ and $\mathcal{M}_{\text {Concept }_{E_{2}}}^{I}$ that satisfy instances among the authorization objects $\mathcal{M}_{\text {Instance}_{E_{1}}}$ and $\mathcal{M}_{\text {Instance}_{E_{2}}}$ of the rules (Line 4), then the satisfiability of the concept sub-models will be judged by TBox T. If TBox T contains the deny for fine-grained resource attributes, i.e. there exists a CIR $\mathcal{M}_{\text {Concept}_{E_{2}}} \sqsubseteq \mathcal{M}_{\text {Concept}_{E_{1}}}$, then the rules will conflict as in case (b).

Then, the conflicting action sub-models are processed: the permit $\mathcal{M}_{A c t_{2}}$ for fine-grained resource attributes is deleted to terminate the inheritance between resource attributes (Line 6). If there is a permit for coarse-grained resource attributes, or if the rule sets contain no assignment that meets the requirements, then the rule sets do not contain rule conflicts (Case a).

Algorithm 1 mainly detects the RAR conflicts arising from the inheritance between resource attributes (Cases a and b). The algorithm locates the conflicting rules, and calls the conflict mitigation function to handle these rules.

TBox provides a hierarchical relationship reflecting the concepts of resource attributes, and determines the existence of rule conflicts by verifying the $\subseteq$ relationship between resource attributes. This CIR belongs to the problem of concept consistency verification in description logic.

The rule conflicts arising from the hierarchy of subject attributes can also be detected by verifying the $\subseteq$ relationship (Algorithm 2).

Similar to those of Algorithm 1, the inputs of Algorithm 2 contain rule sets and the conceptual knowledge base. The algorithm detects the rule conflicts arising from the hierarchy of subject attributes, and returns a conflict symbol.

The algorithm firstly traverses the rule sets (Lines 1 and 2). Under the following conditions, the rules will have conflicts of types (c) and (d): there exist the assignments $\gamma^{\mathcal{F}_{1}}$ and $\gamma^{\mathcal{F}_{2}}$ among subject attributes that make instance sub-models $\mathcal{M}_{\text {Instance}_{P_{1}}}$ and $\mathcal{M}_{\text {Instance}_{P_{2}}}$ satisfy the preconditions of $\mathcal{M}_{A c t_{1}}$ and $\mathcal{M}_{A c t_{2}}$, respectively (Line 3); TBox T contains interpretations $\mathcal{M}_{{Concept}_{P1}}^{I}$ and $\mathcal{M}_{{Concept}_{P2}}^{I}$ that satisfy concept sub-models (Line 4); the concept sub-models have the CIR (Line 5).

Then, the conflicting rules are processed: the lower subject attributes are deleted to keep the consistency between the authorization of higher subject attributes (Line 6). If there is no CIR between subject attributes, then the rule sets will not face any rule conflict arising from the hierarchy of subject attributes.

The above-mentioned atomic RAR conflicts can be detected and resolved by the two algorithms. The complex and cross-authorizations can be handled similarly.

4.3 DDL-based reasoning

The DDL can reason about the ACR authorization based on the process and transfer, and provide the reasoning ability for the global rule library via the Tableau algorithm. In rule conflict detection, the reasoning mainly covers two aspects: if the rule conflict arises from the hierarchy of attributes, the key is to validate the CIR that interprets the instance sub-model; if the rule conflict arises from RAR transfer, the key is to verify the consistency between the assertion sets of RAR action and instance sub-models. These reasoning problems are comparable to the satisfiability problem and the consistency detection problem in the DDL [19, 20].

Definition 9. Concept sub-models $\mathcal{M}_{\text {Concept}_{1}}$ and $\mathcal{M}_{\text {Concept}_{2}}$ satisfy the CIR $\mathcal{M}_{\text {Concept}_{1}} \sqsubseteq \mathcal{M}_{\text {Concept}_{2}}$, if and only if TBox T contains an interpretation I that makes $\mathcal{M}_{\text {Concept }_{1}}^{I} \subseteq \mathcal{M}_{\text {Concept }_{2}}^{I}$.

Theorem 1. The CIR $\mathcal{M}_{\text {Concept}_{1}} \sqsubseteq_{T} \mathcal{M}_{\text {Concept}_{2}}$ holds between the concept sub-models in TBox T, if and only if $\mathcal{M}_{\text {Concept}_{1}}^{I} \sqcap \neg \mathcal{M}_{\text {Concept}_{2}}^{I}$ is unsatisfiable, i.e. $\mathcal{M}_{\text {Concept }_{1}}^{I} \sqcap \neg \mathcal{M}_{\text {Concept }_{2}}^{I}=\emptyset$.

If TBox T contains an interpretation I that makes two sub-models $\mathcal{M}_{\text {Concept}_{1}}$ and $\mathcal{M}_{\text {Concept}_{2}}$ satisfy the CIR, and if there exists a concept model $\mathcal{M}_{\text {Concept }_{1}}^{I} \sqcap \neg \mathcal{M}_{\text {Concept }_{2}}^{\text {I }} \neq \emptyset$ that satisfies T, then there exists an instance sub-model $\mathcal{M}_{\text {Instance}_{1}}^{I} \in \mathcal{M}_{\text {Concept}_{1}}^{I}$ that satisfies interpretation I. Due to the existence of the CIR, there also exists $\mathcal{M}_{\text {Instance}_{2}}^{I} \in \mathcal{M}_{\text {Concept}_{2}}^{I}$, which contradicts $\mathcal{M}_{\text {Instance}_{1}}^{I} \in \neg \mathcal{M}_{\text {Concept}_{2}}^{I}$. Hence, no such instance exists in $\mathcal{M}_{\text {Instance}_{1}}^{I} \sqcap \neg \mathcal{M}_{\text {Concept}_{2}}^{I}$.

Definition 10. If the two assertions $\mathcal{F}_{1}$ and $\mathcal{F}_{2}$ in instance sub-models $\mathcal{M}_{\text {Instance}_{1}}$ and $\mathcal{M}_{\text {Instance}_{2}}$ that transfer RAR results obey $\mathcal{F}_{1} \sqcap \mathcal{F}_{2}=\emptyset$, then the two instance sub-models are inconsistent, i.e. $\mathcal{M}_{\text {Instance}_{1}} \sqcap \mathcal{M}_{\text {Instance}_{2}}=\emptyset$.

The satisfiability verification of the DDL can be achieved by the Tableaux algorithm [19]. The reasoning verification of two concept or instance sub-models can be realized by the following rules.

Take the satisfiability verification of instance sub-models for example. By the following rules, an expansion set $\mathcal{E} \mathcal{S}$ of attributes can be extended from $\mathcal{M}_{\text {Instance}_{1}}$ and $\mathcal{M}_{\text {Instance}_{2}}$. Then, the satisfiability of the two sub-models can be evaluated by judging whether the expansion set brings rule conflicts. If the expansion set contains $\perp$, then the two sub-models are not satisfiable, and face rule conflicts.

П rule: If there exists an interpretation I in TBox T that makes $\mathcal{M}_{\text {Instance}_{1}}^{I} \sqcap \mathcal{M}_{\text {Instance}_{2}}^{I} \in \mathcal{E} \mathcal{S}$( $\mathcal{M}_{\text {Instance}_{1}}^{I} \notin \mathcal{E S}$, $\mathcal{M}_{\text {Instance}_{2}}^{I} \notin \mathcal{E} \mathcal{S}$), then $\left\{\mathcal{M}_{\text {Instance}_{1}}, \mathcal{M}_{\text {Instance}_{2}}\right\}$ should be expanded to $\mathcal{E} \mathcal{S}$;

$\sqcup$ rule: If there exists an interpretation I in TBox T that makes $\mathcal{M}_{\text {Instance}_{1}}^{I} \sqcup \mathcal{M}_{\text {Instance}_{2}}^{I} \in \mathcal{E} \mathcal{S}$( $\mathcal{M}_{\text {Instance}_{1}}^{I} \notin \mathcal{E S}$ , $\mathcal{M}_{\text {Instance}_{2}}^{I} \notin \mathcal{E} \mathcal{S}$), then $\mathcal{M}_{{\text {Instance}}_*}$ should be expanded to $\mathcal{E} \mathcal{S}$, where $\mathcal{M}_{\text {Instance}_{*}}=\mathcal{M}_{\text {Instance}_1}^{I}$ or $\mathcal{M}_{\text {Instance}_{*}}=\mathcal{M}_{\text {Instance}_2}^{I}$;

$\exists$ rule: If there exists an interpretation I in TBox T that makes $\exists R . \mathcal{M}_{\text {Instance}_{1}}^{I} \in \mathcal{E S}$, and $\nexists \mathcal{M}_{\text {Instance}_{2}}^{I}, R$$\left(\mathcal{M}_{\text {Instance}_{1}}^{I}, \mathcal{M}_{\text {Instance}_{2}}^{I} \in \mathcal{E} \mathcal{S}, \mathcal{M}_{\text {Instance}_{2}}^{I} \in \mathcal{E} \mathcal{S}\right)$, then $\left\{\mathcal{M}_{\text {Instance}_{2}}, R\left(\mathcal{M}_{\text {Instance}_{1}}, \mathcal{M}_{\text {Instance}_{2}}\right)\right\}$ should be expanded to $\mathcal{E} \mathcal{S}$;

$\forall$ rule: If there exists an interpretation I in TBox T that makes $\forall R . \mathcal{M}_{\text {Instance}_{1}}^{I} \in \mathcal{E} \mathcal{S}$, $\mathcal{M}_{\text {Instance}_{2}}^{I} \notin \mathcal{E S}$, then $\left\{\mathcal{M}_{\text {Instance}_{2}}\right\}$ should be expanded to $\mathcal{E} \mathcal{S}$;

Action $\alpha$ rule: If there exist an interpretation I in TBox T and an assignment set $\gamma^{\mathcal{F}}$ that make $\mathcal{M}_{\text {Instance}_{1}}^{I} \longrightarrow_{\alpha}^{\mathcal{F}} \mathcal{M}_{\text {Instance}_{2}}^{I}$( $\mathcal{M}_{\text {Instance}_{2}} \in \mathcal{E} \mathcal{S}$), then $\mathcal{M}_{\text {Instance}_{1}}$ should be replaced with $\mathcal{M}_{\text {Instance}_{2}}$ in $\mathcal{E} \mathcal{S}$.

Theorem 2. Reliability: The DDL-based rule conflict detection is reliable.

The DDL-based rule conflict detection method targets two kinds of rule conflicts in authorization: the conflicts arising from the hierarchy of attributes and those arising from the transfer of authorization.

For the first kind of rule conflicts, the implication and inheritance relationships that stem from the hierarchy of attributes can be converted by Algorithms 1 and 2 into the CIRs in TBox for satisfiability verification. The satisfiability problems can be solved by the Tableaux algorithm in description logic.

For the second kind of rule conflicts, the rule conflict detection can be converted by RAR transfer rules into the satisfiability problem of instance sub-models of the authorization results.

Action α rule is derived from the DDL description and reasoning mechanism. The correctness of the algorithm can be ensured by replacing elements in the extended set. Therefore, the DDL-based rule conflict detection must be correct.

Theorem 3. Decidability: The DDL-based rule conflict detection is decidable.

The above-mentioned rules can solve the rule conflict detection problem, for the problem can be converted into the satisfiability and consistency reasoning problems in the DDL. Among these rules, П, $\exists$ and $\forall$ rules can be completed in polynomial time. Despite the uncertainty of its completion time, $\sqcup$ rule is a complete binary tree in the worst-case scenario, which can be completed in a limited time. Action α rule contains replacement operations, which can also be completed in a limited time. The final judgement based on the extension set has two results $\perp$ and T. Therefore, The DDL-based rule conflict detection is decidable.