A Uniform Formal Approach to Business and Access Control Models, Policies and their Combinations
[Abstract] Access control represents an important part of security in software systems, since access control policies determine which users of a software system have access to what objects and operations and under what constraints. One can view access control models as providing the basis for access control rules. Further, an access control policy can be seen as a combination of one or more rules, and one or more policies can be combined into a set of access control policies that control access to an entire system. The rules and resulting policies can be combined in many different ways, and the combination of rules and policies is included in policy languages.

Approaches to access control (AC) policy languages, such as XACML, do not provide a formal representation for specifying rule- and policy-combining algorithms or for classifying and verifying properties of AC policies. In addition, there is no connection between the rules that form a policy and the general access control and business models on which those rules are based.

Some authors propose formal representations for rule- and policy-combining algorithms. However, the proposed models are not expressive enough to represent formally classes of algorithms related to history of policy outcomes including ordered-permit-overrides, ordered-deny-overrides, and only-one-applicable. In fact, they are not able to express formally any algorithm that involves history including the class related to consensus such as weak-consensus, weak-majority, strong-consensus, strong-majority, and super-majority-permit. In addition, some other authors propose a formal representation but do not present an approach and automated support for the formal verification of any classes of combining algorithms.

The work presented in this thesis provides a uniform formal approach to business and access control models, policies and their combinations. The research involves a new formal representation for access control rules, policies, and their combination and supports formal verification. In addition, the approach explicitly connects the rules to the underlying access control model. Specifically, the approach
  • provides a common representation for systematically describing and integrating business processes, access control models, their rules and policies,
  • expresses access control rules using an underlying access control model based on an existing augmented business modeling notation,
  • can express and verify formally all known policy- and rule-combining algorithms, a result not seen in the literature,
  • supports a classification of relevant access control properties that can be verified against policies and their combinations, and
  • supports automated formal verification of single policies and combined policy sets based on model checking.

Finally, the approach is applied to an augmented version of the conference management system, a well-known example from the literature. Several properties, whose verification was not possible by prior approaches, such as ones involving history of policy outcomes, are verified in this thesis.
[Publication date]  [Publishing institution] University of Waterloo
[Level of effect]  [Subject classification] 
[Keywords] Computer Science [Timeliness] 