Our approach is to use a stateful policy, which can be divided into three sets of condition rules that must be satisfied before, during and after the access right is exercised. Furthermore, evaluation of some conditions must be activated only if the authorization request is granted (or denied).

Thus, all conditions in our framework are classified as:

The post-conditions along with the request-result conditions are useful to fine tune audit and notification services.

To enforce the security policies we adopted the three-phase policy enforcement scheme. During each phase only the specified set of all conditions in the policy is evaluated.

In our framework, the condition evaluation process is totally ordered. The order has to be assessed before condition evaluation starts. Determining the correct order of the conditions in the policy statement is an important issue.