We analyze the safety question for the Non-Monotonic Transform NMT model, an access control model that encompasses a wide variety of practical access control mechanisms. In general, safety analysis, i.e whether it is possible for a speci ed subject to obtain a given access right for a certain object, is computationally intractable, even for many monotonic models. We identify one-representable NMT schemes and argue that they have tractable safety analysis. Safety analysis of one-representable schemes considers exactly one representative of each type of subject in the initial state, and thus the complexity of safety analysis is independent of the total number of subjects in the system. We demonstrate by example that one-representable schemes admit applications of practical interest, and that safety analysis guides the construction of such schemes.
Ravi S. Sandhu, Paul Ammann