Implementing Security Policies in Software Development Tools

Disclosed is an access and information flow control framework that includes a series of phases. The first phase includes: receiving raw authorization requirement(s); creating authorization requirement representation(s) from the raw authorization requirement(s) using a language; and analyzing the authorization requirement representation(s) to ensure that they are consistent and conflict-free. The second phase includes: creating case authorization(s) from the authorization requirement representation(s) and validating consistency between the authorization requirement representation(s) and the use case authorization(s). The use case authorization may be created by propagating the authorization requirement representation(s) to a subject hierarchy; enumerating implicit authorization(s) derived from the authorization requirement representation(s); resolving inconsistencies in the use case authorization(s); and completing incomplete use case authorization(s). The third phase includes: receiving raw information flow requirement(s); creating information flow requirement representation(s) from the raw information flow requirement(s) using a language; creating propagated information flow requirement(s) by propagating the information flow requirement representation(s) to a subject hierarchy; creating at least one enumerated information flow requirement by enumerating possible direct and indirect information flow requirement(s) derived from the information flow requirement representation(s) and the propagated information flow requirement”; generating filtered enumerated information flow requirement(s) by filtering enumerated information flow requirement(s); and ensure that the filtered enumerated information flow requirement(s) are consistent with an information flow policy. The fourth phase includes: creating operation authorization(s); resolving inconsistencies in the operation authorization(s); and ensuring that the operation authorization(s) are conflict-free; and handling errors in any of the earlier phases.