Alloy Access Control

access_policies.als

one sig Person {
  roles: set Role
}


sig Role {}

sig Resource {
  , access: set Person + Role
  , parent: lone Resource
}

fact "No cycles" {
  no r: Resource |
		r in r.^parent
}


pred can_access[p: Person, r: Resource] {
	direct_access[p, r] or role_access[p, r]
}


pred direct_access[p: Person, r: Resource] {
	p in (r.access + r.parent.access)
}

pred role_access[p: Person, r: Resource] {
	some role: p.roles |
		role in (r.access + r.parent.access)
}

some_direct_access: run {some p: Person, r: Resource | direct_access[p, r]}
some_role_access: run {some p: Person, r: Resource | role_access[p, r]}

assert access_rules {
	all p: Person, r: Resource |
		can_access[p, r] => direct_access[p, r] or role_access[p, r]
}

//if you can access the parent, you can access all its children
assert parent_implies_child {
	all p: Person, r: Resource |
		can_access[p, r] => all child: parent.r | can_access[p, child]
}


check access_rules
check parent_implies_child

A counterexample to parent_implies_child, showing it's possible to access a parent without being able to access that parent's child: