AbstractThe scale and complexity of security policies in enterprise systems makes it difficult to ensure that they achieve higher-level security goals. This dissertation explores two important ways in which policy analysis can help: reachability analysis for administrative policies, and analysis of policy enforcement in enterprise systems. An administrative policy specifies how each user in an enterprise may change the policy. Fully understanding the consequences of an administrative policy can be difficult, because sequences of changes by different users may interact in unexpected ways. Administrative policy analysis helps by answering questions such as user-permission reachability, which asks whether specified users can together change the policy in a way that achieves a specified goal, namely, granting a specified permission to a specified user. This dissertation presents a rule-based access control policy language, a rule-based administrative policy model that controls addition and removal of rules and facts, and an abductive analysis algorithm for user-permission reachability. Abductive analysis means that the algorithm can analyze policy rules even if the facts initially in the policy (e.g., information about users) are unavailable. The algorithm does this by computing minimal sets of facts that, if present in the initial policy, imply reachability of the goal. Many security requirements for enterprise systems can be expressed in a natural way as high-level access control policies, but are not enforced by a single mechanism that directly interprets such policies. A high-level policy may refer to abstract information resources, independent of where the information is stored; it controls both direct and indirect accesses to the information; it may refer to the context of a request, i.e., the request's path through the system; and its enforcement point and enforcement mechanism may be unspecified. Enforcement of a high-level policy may depend on the system architecture and the configurations of a variety of security mechanisms, such as firewalls, database access control, and application-level access control. This dissertation presents a framework for expressing high-level policies, a method for verifying that a high-level policy is enforced, and an algorithm for determining a trusted computing base for each resource.