An ASP Framework for the Refinement of Authorization and Obligation Policies

This paper introduces a framework for assisting policy authors in refining and improving their policies. In particular, we focus on authorization and obligation policies that can be encoded in Gelfond and Lobo's AOPL language for policy specification. We propose a framework that detects the statements that make a policy inconsistent, underspecified, or ambiguous with respect to an action being executed in a given state. We also give attention to issues that arise at the intersection of authorization and obligation policies, for instance when the policy requires an unauthorized action to be executed. The framework is encoded in Answer Set Programming. Under consideration for acceptance in TPLP.


Introduction
This paper introduces a framework for assisting policy authors in refining and improving the policies they elaborate.Here, by a policy we mean a collection of statements that describe the permissions and obligations related to an agent's actions.
In particular, we focus on authorization and obligation policies that can be encoded in the policy specification language AOPL by Gelfond and Lobo (2008).AOPL allows an author to specify policies for an autonomous agent acting in a changing environment.A description of the dynamic domain in terms of sorts of the domain, relevant fluents, and actions is assumed to be available to the policy writer.Policy rules of AOPL may be of two kinds: authorization rules specifying what actions are permitted/ not permitted and in which situations, and obligation rules indicating what actions an agent must perform or not perform under certain conditions.Rules can either be strict or defeasible, and preferences between defeasible rules can be set by the policy author.The semantics of AOPL is defined via a translation into Answer Set Programming (ASP) (Gelfond and Lifschitz 1991).Gelfond and Lobo define policy properties such as consistency and categoricity.However, there is a gap in analyzing what happens at the intersection between authorization and obligation policies, for instance when a policy requires an unauthorized action to be executed, which is called a modality conflict by Craven et al. (2009).
We propose a framework that detects the rules that make a policy inconsistent, underspecified, or ambiguous with respect to an action and a given state.The goal is to notify the policy author about the natural language statements in the policy that may be causing an issue and explain why that is the case for the particular action and state.
Given rapid advancements in AI in the past years, the importance of setting and enforcing policies on intelligent agents has become paramount.At the same time, policy specifications can become large and intricate.Thus, assisting policy authors and knowledge engineers with policy refinement by automatically detecting issues in a provably correct way and highlighting conflicting policy statements is of great importance.
The contributions of our work are as follows: • We define a new translation of AOPL policies into ASP by reifying policy rules.
• We formally define issues that may arise in AOPL policies and describe how to detect the causing policy statements, using the reified ASP translation.• We define means for explaining the root causes for issues like inconsistency, underspecification, ambiguity, and modality conflicts.
In what follows, we provide a short description of language AOPL in Section 2 and give a motivating example in Section 3. We describe our new translation of AOPL policies into ASP in Section 4 and introduce our framework in Section 5. We discuss related work in Section 6 and end with conclusions and future work.
2 Background: Language AOPL Let us now briefly present the AOPL language.We direct the unfamiliar reader to outside resources on ASP (Gelfond and Lifschitz 1991;Marek and Truszczynski 1999) and action language AL d (Gelfond and Inclezan 2013;Gelfond and Kahl 2014), which are also relevant to this work.Gelfond and Lobo (2008) 1 introduced the Authorization and Obligation Policy Language AOPL for specifying policies for an intelligent agent acting in a dynamic environment.A policy is a collection of authorization and obligation statements, which we simply call authorizations and obligations, respectively.An authorization indicates whether an agent's action is permitted or not, and under which conditions.An obligation describes whether an agent is obligated or not obligated to perform a specific action under certain conditions.An AOPL policy works in conjunction with a dynamic system description of the agent's environment written in an action language such as AL d .The signature of the dynamic system description includes predicates denoting sorts for the elements in the domain; fluents (i.e., properties of the domain that may be changed by actions); and actions.As in AL d , we consider dynamic systems that can be represented by a directed graph, called a transition diagram, containing a finite number of nodes representing physically possible states of the dynamic domain.A state is a complete and consistent set of fluent literals.Arcs in the transition diagram are labeled by action atoms (shortly actions) that take the system from one state to another.Actions can be elementary or compound, where a compound action is a set of elementary actions executed simultaneously.
The signature of an AOPL policy includes the signature of the associated dynamic system and additional predicates permitted for authorizations, obl for obligations, and prefer for establishing preferences between authorizations or obligations.A prefer atom is created from the predicate prefer; similarly for permitted and obl atoms.
Definition 1 (Policy) An AOPL policy P is a finite collection of statements of the form: where e is an elementary action; h is a happening (i.e., an elementary action or its negation2 ); cond is a (possibly empty) collection of atoms of the signature, except for atoms containing the predicate prefer; d appearing in (1e)-(1h) denotes a defeasible rule label; and d i , d j in (1i) refer to two distinct rule labels from P. Rules (1a)-(1d) encode strict policy statements, while rules (1e)-(1h) encode defeasible statements (i.e., statements that may have exceptions).Rule (1i) captures priorities between defeasible statements.In deontic terms, rules (1a) and (1e) denote permissions; rules (1b) and (1f) denote prohibitions; rules (1c) and (1g) denote obligations; and rules (1d) and (1h) denote dispensations.
The semantics of an AOPL policy determine a mapping P(σ ) from states of a transition diagram T into a collection of permitted and obl literals.To formally describe the semantics of AOPL, a translation of a policy and transition diagram into ASP is defined.

Definition 2 (ASP Translation of a Policy and State)
The translation l p is defined as: • If x is a fluent literal, action literal, permitted, or obl literal, then l p(x) = de f x .
• If L is a set of literals, then l p(L) = de f {l p(l) : l ∈ L} • If r = "l if cond" is a strict rule like the ones in (1a)-(1d), then l p(r) = de f l p(l) ← l p(cond) • If r is a defeasible rule like (1e) or (1f), or a preference rule "prefer(d i , d j )" like the one in (1i), then l p(r) is obtained using standard ASP techniques for encoding defaults, as shown in equations (2a), (2b), and (2c) respectively: ¬permitted(e) ← l p(cond), not ab(d), not permitted(e) (2b) where cond i is the condition of d i .Similarly for defeasible obligations (1g) and (1h).• If P is a policy, then l p(P) = de f {l p(st) : st ∈ P}.
• If P is a policy and σ is a state of the (transition diagram associated with the) dynamic system description T, l p(P, σ ) = de f l p(P) ∪ l p(σ ) Properties of an AOPL policy P are defined in terms of the answer sets of the logic program l p(P, σ ) expanded with appropriate rules.
The following definitions by Gelfond and Lobo are relevant to our work (original definition numbers in parenthesis).In what follows a denotes a (possibly) compound action (i.e., a set of simultaneously executed elementary actions), while e refers to an elementary action.An event σ , a is a pair consisting of a state σ and a (possibly) compound action a executed in σ . 3efinition 3 (Consistency -Def.3) A policy P for T is called consistent if for every state σ of T, the logic program l p(P, σ ) is consistent, i.e., it has an answer set.
Definition 4 (Policy Compliance for Authorizations -Defs.4 and 5) • An event σ , a is strongly compliant with authorization policy P if for every e ∈ a we have that permitted(e) ∈ P(σ ) (i.e., the logic program l p(P, σ ) entails permitted(e)).
• An event σ , a is weakly compliant with authorization policy P if for every e ∈ a we have that ¬permitted(e) / ∈ P(σ ) (i.e., the logic program l p(P, σ ) does not entail ¬permitted(e)).• An event σ , a is non-compliant with authorization policy P if for every e ∈ a we have that ¬permitted(e) ∈ P(σ ) (i.e., the logic program l p(P, σ ) entails ¬permitted(e)).
Definition 5 (Policy Compliance for Obligations -Def.9) An event σ , a is compliant with obligation policy P if • For every obl(e) ∈ P(σ ) we have that e ∈ a, and • For every obl(¬e) ∈ P(σ ) we have that e / ∈ a.
Definition 6 (Categoricity -Def.6) A policy P for T is called categorical if for every state σ of T the logic program l p(P, σ ) is categorical, i.e., has exactly one answer set.
Note that AOPL does not discuss interactions between authorizations and obligations referring to the same action, for instance situations when both obl(e) and ¬permitted(e) are part of the answer set of l p(P, σ ) for some state σ .

Motivating Example
To illustrate the policy refinement process that we want to facilitate, let's consider an example provided by Gelfond and Lobo, expanded with an additional rule 4): Example 1 (Authorization Policy Example) 1) A military officer is not allowed to command a mission they authorized.
2) A colonel is allowed to command a mission they authorized.
3) A military observer can never authorize a mission.4) A military officer must command a mission if ordered by their superior to do so.
Before discussing the encoding of this policy, let us assume that the description of this domain includes actions assume comm(C, M) and authorize comm(C, M); fluents autorized(C, M) and ordered by superior(C, M); and sorts colonel(C) and observer(C), where C is a commander and M is a mission.
In the English description of the policy in Example 1, note that statements 1) and 2) are phrased as strict rules and thus an automated translation process into AOPL would produce the policy: Such a policy is inconsistent in a state in which authorized(c, m) and colonel(c) both hold, due to rules (3a) and (3b).Gelfond and Lobo indicate that "[s]ince the nature of the first two authorization policy statements of our example are contradictory we naturally assume them to be defeasible" and replace the encoding in rules (3a) and (3b) with while leaving rule (3c) as it is.Rule (3d) is unaffected, as it corresponds to the new policy statement 4) that we added to the original example by Gelfond and Lobo, to illustrate obligations.This approach has several drawbacks: (a) it puts the burden on the knowledge engineer, who may have a more limited knowledge of the domain than the policy author and thus may make false assumptions; (b) it does not scale for large and intricate policies; and (c) it would be difficult to automate.Instead, we propose a framework that detects inconsistencies like the one above, alerts the policy author of the conflicting policy statements and the conditions that cause them, and allows the policy author to refine the policy (with options for refinement possibly suggested, in the future).In particular, for Example 1, we expect our framework to indicate that statements 1) and 2) are in conflict in a state in which both colonel(c) and authorized(c, m) are true.Similarly, our framework should flag the contradiction between the obligation in rule 4) and rule 1) in a state in which authorized(c, m) and ordered by superior(c, m) both hold.
To achieve this goal, we modify AOPL by introducing labels for all rules (including strict and preference rules)4 and connecting rules of AOPL with natural language statements of the original policy via a new predicate text as in the following example for the strict policy rule in (3c) where s 1 is the label for the strict authorization rule: text(s 1 , "A military observer can never authorize a mission.") Additionally, we define a different translation of AOPL into ASP, which we will denote by rei l p as it reifies policy rules.We define the rei l p translation in the next section.

Reification of Policy Rules
The new translation of AOPL into ASP that we propose follows previous methods for the reification of rules in other domains, such as reasoning about prioritized defaults (Gelfond and Son 1997) or belief states (Balduccini et al. 2020).Similar to the definition of the l p translation function, the signature of rei l p(P) for a policy P applying in a dynamic domain described by T contains the sorts, fluents, and actions of T. To simplify the presentation, we limit ourselves to boolean fluents and use the general syntax to refer to both strict and defeasible, authorization and obligation rules from P. We use the term head of rule r to refer to the hd part in (4), where hd ∈ HD, HD = e∈E {permitted(e), ¬permitted(e), obl(e), obl(¬e), ¬obl(e), ¬obl(¬e)} and E is the set of all elementary actions in T. The signature of rei l p(P) also includes the elements of HD and the following predicates: • rule(r) -where r is a rule label (referred shortly as "rule" below) • type(r,ty) -where ty ∈ {strict, defeasible, prefer} is the type of rule r • text(r,t) -to denote that rule r corresponds to policy statement t • head(r, hd) -to denote the head hd of rule r • body(r, b(r)) -where b(r) denotes the condition cond in rule r and b is a new function added to the signature of rei l p(P) • mbr(b(r), l) -for every l in the condition cond of rule r (mbr stands for "member") • ab(r) -for every defeasible rule r • holds(x) -where x may be a rule r, the head hd of a rule, function b(r) representing the cond of a rule r, literal l of T, or ab(r) from above • opp(r, hd) -where r is a defeasible rule and hd ∈ HD (opp stands for "opposite") • prefer(d 1 , d 2 ) -where d 1 and d 2 are defeasible rule labels The predicate holds helps determine which policy rules are applicable, based on what fluents are true/false in a state and the interactions between policy rules.The predicate opp(r, hd) indicates that hd is the logical complement of r's head hd.
The translation rei l p(P) consists of facts encoding the rules in P using the predicates rule, type, head, mbr, and prefer, as well as the set of policy-independent rules below, which define predicates holds and opp, where L is a fluent literal, E an elementary action, and H a happening (i.e., an elementary action or its negation).
Definition 7 (Reified ASP Translation of a Policy and State) Given a state σ of T, rei l p(P, σ ) = de f rei l p(P) ∪ {holds(l) : l ∈ σ }.
This definition will be used in conducting various policy analysis tasks in Section 5.
Proposition 1 (Relationship between the Original and Reified ASP Translations) Given a state σ of T, there is a one-to-one correspondence map : A → B between the collection of answer sets A of l p(P, σ ) and the collection of answer sets B of rei l p(P, σ ) such that if map(A) = B then ∀hd ∈ HD ∩ A, ∃holds(hd) ∈ B.

Policy Analysis
In what follows, we assume that the cond part of a policy rule cannot include atoms from the set HD (i.e., atoms obtained from predicates permitted and obl).We plan to consider more general policies in future work.Lifting this restriction complicates the task of finding explanations beyond the goal of the current work.

Analyzing Authorization Policies
Our goal in analyzing policies is to assist a policy author in refining their policies by indicating to them the rules that cause concern.Thus, when analyzing an authorization policy P with respect to an elementary action e in a state σ , we focus on the tasks: • Explain the causes of inconsistencies -determining the rules that cause a policy to derive both holds(permitted(e)) and holds(¬permitted(e)) when using the rei l p translation • Detect and explain underspecification -determining whether rules about e exist or not, and, if they exist, explain why they do not fire.(Craven et al. (2009) call this situation coverage gaps.)• Detect and explain ambiguity -determining whether there are conflicting defeasible rules that produce holds(permitted(e)) in some answer sets and holds(¬permitted(e)) in others, and indicating which rules these are.

Inconsistency
To detect and explain inconsistencies with respect to an elementary action e and state σ we introduce the following predicates: • inconsistency(e, r 1 , r 2 ) -indicates that the pair of rules r 1 and r 2 both fire and cause the inconsistency; r 1 produces permitted(e) and r 2 produces ¬permitted(e) • inconsistency expl(e,t 1 ,t 2 ) -does the same but indicates the natural language texts of the corresponding policy statements • inconsistency expl pos(e, l) -indicates that l is a fluent/static that holds in σ and contributes to the inconsistency in a rule that produces permitted(e) • inconsistency expl neg(e, l) -similar to the previous predicate, but for rules that produce ¬permitted(e) We define a logic program I consisting of the rules below: inconsistency(E, R1, R2) ← holds(permitted(E)), holds(¬permitted(E)), holds(R1), head(R1, permitted(E)), holds(R2), head(R2, ¬permitted(E))
Definition 8 (Inconsistency Redefined) An authorization policy P is inconsistent with respect to an elementary action e and a state σ if the answer set of rei l p(P, σ ) ∪ I contains inconsistency(e, r 1 , r 2 ) for a pair of rules r 1 and r 2 .
Definition 9 (Explaining the Causes of Inconsistency) • An explanation for the inconsistency of e in σ is the set of pairs of strings {(t 1 ,t 2 ) : inconsistency expl(e,t 1 ,t 2 ) ∈ rei l p(P, σ ) ∪ I}. • A fluent literal l contributes positively (or negatively) to the inconsistency of e in σ if the answer set of rei l p(P, σ ) ∪ I contains inconsistency expl pos(e, l) (or inconsistency expl neg(e, l), respectively).
The collection of atoms identified in Definition 9 can be collected from the answer set of rei l p(P, σ ) ∪ I and post-processed to provide more human-friendly output.

Underspecification
We define the notion of underspecification of an elementary action e in a state σ as the lack of explicit information as to whether e is permitted or not permitted in that state, similar to the concept of coverage gap defined by Craven et al. (2009).Note that underspecification is different from non-categoricity, where a policy may be ambiguous because e is deemed permitted in some answer sets and not permitted in others.
Definition 10 (Categoricity and Underspecification of an Action in a State) A consistent authorization policy P is categorical with respect to an elementary action e and state σ if one of the following cases is true: 1. rei l p(P, σ ) entails holds(permitted(e)), or 2. rei l p(P, σ ) entails holds(¬permitted(e)), or 3.For every answer set S of rei l p(P, σ ), {holds(permitted(e)), holds(¬permitted(e))} ∩ S = / 0 In this last case, we say that e is underspecified in state σ .
Underspecification is important because it may reflect an oversight from the policy author.If it's unintended, it can have negative consequences in planning domains for example, when an agent may want to choose the most compliant plan and thus actions that are mistakenly underspecified may never be selected.To test whether an action e is underspecified in a state, we define the set of rules Check und (e) consisting of the set of constraints: ← holds(¬permitted(e)) } Definition 11 (Detecting Underspecification) Action e is underspecified in σ if the logic program l p(P, σ ) ∪Check und (e) is consistent.
Whenever an elementary action is underspecified in a state, there may be two explanations: (Case 1) the authorization policy contains no rules about e, or (Case 2) rules about e exist in the policy but none of them apply in state σ .Once we establish that an elementary action is underspecified, we want to explain to the policy author why that is the case.For the first case, we just want to inform the policy author about the situation.In the second case, we want to report, for each authorization rule about e, which fluents make the rule non-applicable.Note that a defeasible rule r with head hd (see ( 4)) cannot be made unapplicable by the complement hd, as the complement is underivable as well in an underspecified policy.Similarly, a preference rule cannot disable a defeasible rule either, as this can only be the case when the complement hd can be inferred.
Let U be the logic program Definition 12 (Explaining the Causes of Underspecification) An explanation for the underspecification of e in σ is the set of atoms formed by predicates underspec 1 expl and underspec 2 expl found in the answer set of rei l p(P, σ ) ∪ U.
For a more human-friendly explanation, an atom underspec 1 expl("Case 1", e) in the answer set can be replaced with an explanation of the form "There are no authorization rules about e" in the post-processing phase.A collection of atoms of the form {underspec 2 expl("Case 2", e, r, l 1 ,t), . . ., underspec 2 expl("Case 2", e, r, l n ,t)} can be replaced with the explanation "Rule r about action e (stating that "t") is rendered inapplicable by the fact that fluent(s) l 1 , . . ., l n do not hold in this state."

Ambiguity
We define ambiguity as the case when the policy allows a choice between permitted(e) and ¬permitted(e).This notion of ambiguity overlaps with that of a non-categorical policy.However, given our assumption that permitted atoms are not included in the condition cond of policy rules, ambiguity is a much more specific case.We claim that, if P is a consistent, non-categorical policy with respect to e in σ (see Definition 10), then holds(permitted(e)) will be in some answer sets of rei l p(P, σ ) and holds(¬permitted(e)) will be in others, but it cannot be the case that an answer set does not contain either. 5he justification is that the body cond of policy rules is fully determined by the unique values of fluents in σ .Hence, strict rules either fire or do not.If a strict ruled fired, it would automatically override the defeasible rules with the complementary head, and thus lead either to inconsistency (depending on which other strict rules fire) or categoricity.The only source of non-categoricity can be the presence of defeasible rules with complementary heads and satisfied conditions, and which are not overriden by preference rules.
Definition 13 (Ambiguity of an Action in a State) Let P be a policy that is consistent and non-categorical with respect to elementary action e and state σ .Let rei l p(P, σ ) have n answer sets, out of which n p answer sets contain holds(permitted(e)) and n np contain holds(¬permitted(e)). P is ambiguous with respect to e and σ if n = n p , n = n np and n = n p + n np .
Next, let's describe how we detect ambiguity.
Definition 14 (Detecting Ambiguity) Action e is ambiguous in σ if holds(permitted(e)) and holds(¬permitted(e)) are not entailed by rei l p(P, σ ) and e is not underspecified in σ .
Once ambiguity is established, an explanation for ambiguity is needed.To produce it, we define the logic program A consisting of the rules: Definition 15 (Explaining the Causes of Ambiguity) An explanation for the ambiguity of e in σ is the set of pairs of strings: {(t 1 ,t 2 ) : ambiguity expl(e,t 1 ,t 2 ) ∈ rei l p(P, σ ) ∪ A}

Observation about Strongly vs Weakly Compliant Policies
Gelfond and Lobo distinguish between actions that are strongly compliant in a state versus weakly compliant (see Definition 4).In planning, as shown by Meyer and Inclezan (2021), it seems reasonable to prefer strongly compliant actions over weakly compliant ones.However, in the theorem below we show that the class of weakly compliant actions includes strongly compliant ones.What we really need for planning purposes is distinguishing between strongly compliant and underspecified actions in a state, so that we can create a preference order between actions.

Theorem 1 (Strongly vs Weakly Compliant Actions)
All elementary actions that are strongly compliant in a state σ are also weakly compliant.

Proof
Note that, in this proof, we consider the original l p translation of AOPL, which is equivalent with, but more convenient to use here than, the reified translation rei l p as stated in Proposition 1.According to Definition 4 borrowed from Gelfond and Lobo's work, elementary action e is strongly compliant with authorization policy P if l p(P, σ ) entails permitted(e), and it is weakly compliant if l p(P, σ ) does not entail ¬permitted(e).For consistent policies, the latter condition is obviously true if e is strongly compliant in σ , as having permitted(e) in every answer set of l p(P, σ ) implies that ¬permitted(e) must be absent from each such answer set.If the policy is inconsistent, the theorem is vacuously true.
Given our assumption that permitted (and obl) atoms cannot appear in the cond part of policy rules, an elementary action e can only be either strongly compliant in σ or underspecified. 6e formulate the following proposition, which is useful in creating an ordering of actions based on compliance (relevant in planning).
Proposition 2 (Properties of Authorization Policies) • If condition cond of authorization rules is not allowed to contain permitted (or obl) atoms and P is categorical with respect to e and σ , then e is either strongly compliant, non-compliant, or underspecified in σ .
• If condition cond of authorization rules is not allowed to contain permitted (or obl) atoms and P is non-categorical with respect to e and σ , then e is neither strongly compliant nor noncompliant; it may be either underspecified or ambiguous.

Obligation Policy Analysis
The techniques from Section 5.1 for determining rules that create inconsistencies, underspecification, and ambiguity with respect to an elementary action and a state can be easily adapted to obligation policies as well.Obligation policies apply to happenings, which are actions or their negations.For instance, given an elementary action e, the following literals are part of the signature of the policy: obl(e), obl(¬e), ¬obl(e), and ¬obl(¬e).Inconsistencies between obl(e) and ¬obl(e) on one hand, or between obl(¬e) and ¬obl(¬e) are easy to detect.However, there are additional incongruencies that may decrease the quality of a policy, and we may want to alert the policy writer about them as well.
For instance, if a policy P entails both obl(e) and obl(¬e) in a state σ , then any event σ , a will be non-compliant, no matter whether e ∈ a or e / ∈ a.In actuality, it means that the policy does not allow for the agent to be compliant with respect to obligations in state σ .Thus the notions of inconsistency and ambiguity should be adapted or expanded to include this situation.We propose the following definition: Definition 16 (Conflicting Policy) Given a consistent obligation policy P, a state σ and an elementary action e, we call P a conflicting obligation policy with respect to σ and e if the logic program rei l p(P, σ ) entails both holds(obl(e)) and holds(obl(¬e)).
Explanations for conflicting obligation policies can be found using techniques similar to the ones in Section 5.1.

The Intersection between Authorization and Obligation Policies
When combining an authorization policy with an obligation policy, there are a few cases that, while not necessarily inconsistent, certainly seem to require non-compliant behavior from the agent.This is especially the case when an event σ , e is strongly-compliant with the obligation policy but non-compliant with the authorization policy (i.e., in terms of the original translation l p of AOPL into ASP, l p(P, σ ) entails both obl(e) and ¬permitted(e) according to Definitions 5 and 4).Other situations that may require the policy authors' attention, though to a lesser degree, are when an action is permitted but the agent is obligated not to execute it (i.e., l p(P, σ ) entails both permitted(e) and obl(¬e)) or when the agent is obligated to execute an action that is underspecified in that state.We indicate the level of urgency of each of these situations by adding a number from 1 to 3, with 1 being the most needing of re-consideration and 3 being the least urgent.
Once it has been established that the policies are strongly compliant, non-compliant, or underspecified with respect to the state and elementary action, the following ASP rules determine which policy rules need to be re-visited.2015).An agent's behavior was ensured to be compliant with authorization and obligation policies specified in AOPL and translated into ASP.Meyer and Inclezan's work first highlighted the issues that may arise at the intersection between AOPL authorization and obligation and policies.In the APIA architecture, conflicts of this nature were resolved by modifying the policy's ASP encoding to state that such conflicts render a policy inconsistent.In the current work our intention is to alert policy authors about such situations and provide them with the opportunity to decide which policy statements to modify in order to restore consistency.Additionally, in the current work we delve deeper into the tasks associated with policy analysis and look at underspecification and ambiguity as well.We also focus on providing explanations as to why such issues arise.Craven et al.'s work (2009) is the closest to ours in its intent.The authors define language L for policy specification and include both authorization and obligation policies.They define a solid set of tasks that an automated analysis of a policy should accomplish, such as discovering modality conflicts and coverage gaps, which we target in our work as well.Their research assumes that the underlying dynamic domain is specified in Event Calculus (Kowalski and Sergot 1989).Explanations are found via an abductive constraint logic programming proof procedure.Given the absence of a comparison between languages L and AOPL, it is important to study the problem of policy analysis with respect to language AOPL as well.AOPL has clear advantages, including its ability to express defeasible policies and preferences between policies.Moreover, AOPL can be seamlessly integrated with ASP-based dynamic system descriptions, as different properties of AOPL policies can be checked by finding the answer sets of an ASP program.This would allow coupling policies with system descriptions specified in higher-level action languages that translate into ASP, such as the modular action language ALM (Inclezan and Gelfond 2016), and associated libraries about action and change (Inclezan 2016;Inclezan 2019).
Other research on policy modeling or analysis using ASP exists, but the goals tend to be different from ours.Corapi et al. (2011) use inductive logic programming and software engineeringinspired processes to assist policy authors with policy refinement.In their work, refinement suggestions are provided, but this process is driven by use cases that need to be manually created.As a result, the quality of the resulting policy depends on the quality and coverage of the use cases that are provided as an input.In turn, our approach is meant to be more comprehensive and transparent, as it is guided by the policy rules themselves.Another work that uses ASP for policy modeling is that of De Vos et al. (2019).Their work encompasses the same types of policies as AOPL, but their focus is on compliance checking and providing explanations for the compliance or non-compliance of events.In contrast, we focus on policy analysis, not compliance checking; our explanations highlight potential problems with a policy and indicate statements that need to be refined.Pellegrini et al. (2019) present a framework called DALICC for comparing and resolving compatibility issues with licenses.The goal of their framework is more narrow than ours in the sense that it only focuses on licences and not normative statements in general.For a survey on other policy analysis methods and tools, not necessarily ASP-related, we direct the reader to the paper by Jabal et al. (2019).
In general, in the policy specification and analysis community, there is a intense focus on access control policies, which may involve the Role-Based Access Control (RBAC) model outlined by Ferraiolo et al. (2001); the Attribute-Based Access Control Model (ABAC) explored for instance by Davari and Zulkernine (2021) and Xu et al. (2016); or the Category-based Access Control Model explored by Alves and Fernández (2014).A secondary focus falls on policies for the management of computer systems.In contrast, AOPL is more general and could be used to represent social norms, for example.
Finally, our work touches upon explainability and finding the causes of issues encountered in AOPL policies.To find even deeper causes that reside in the inner-workings of the dynamic system, we can leverage existing work on explainability in reasoning about action and change, such as the research by LeBlanc et al. (2019); planning domains, as in the work by Vasileiou et al. (2022); or logic programming in general, including research by Fandinno and Schultz (2019) or Cabalar et al. (2020).

Conclusions
In this paper we introduced a framework for analyzing policies described in the language AOPL with respect to inconsistencies, underspecification, ambiguity, and modality conflict.We reified policy rules in order to detect which policy statements cause the particular issue and (if relevant), which fluents of the domain contribute to such problems.In doing so, we defined new properties of AOPL policies and took a special look at what happens at the intersection of authorization and obligation policies.
As part of future work, we plan to create a system that implements this framework in a way that is user-friendly for policy writers and knowledge engineers.We also intend to extend the framework by lifting some of the simplifying restrictions that we imposed here, for instance by studying the case when there is incomplete information about a state or allowing permitted and obl atoms in the conditions of policy rules.