Abstract—In distributed environments, access control decisions depend on statements of multiple agents rather than only one central trusted party. However, existing policy languages put few emphasis on authorization provenances. The capability of managing these provenances is important and useful in various security areas such as computer auditing and safeguarding delegations. Based on the newly proposed logic, we define one type of authorization provenances. We exemplify the applications of these provenances by a case study. Keywords-authorization provenance, authorization logic I. I Recently, major research efforts have applied logics into the design of policy languages to deal with distributed authorizations [1], [2], [4]. The set of policies written in a policy language is regarded as a policy base. When a principal requests resources, the request is translated to a query of the policy base. Then the access is granted if the answer to the query ...