Access control is widely used as a security technology to prevent unauthorized access to protected information and system resources in accordance with a policy. However, formulating such policies is a complicated task that requires a lot of technical knowledge. It can therefore only be performed by security experts, not by the people who are familiar with the business domain for which access is to be controlled.
This thesis therefore introduces a policy language that expresses access control behavior on a higher abstraction level: the business level. The level elevation is achieved by formulating the policies around the data itself and its meaning to the business. The business meaning is introduced by formalizing business concepts and classifying the data according to these concepts.
On top of this new policy language, this thesis proposes a number of analysis algorithms that policy authors can run to answer common questions that arise during the authoring process and to simulate an evaluation of the policies. Moreover, since authoring access control policies is not a task performed by a single person, a policy delegation mechanism is proposed that allows multiple authors to formulate their policies collaboratively. To enable enforcement of the policies in an existing IT infrastructure without making any changes to that infrastructure, it is shown how the policies on the business level are translated into the standardized policy language XACML.
Finally, a prototype of a user-friendly policy editor and analyzer is created that puts all the pieces together in one tool. This tool enables non-technical policy authors to formulate policies on the business level collaboratively and to run the introduced analysis algorithms on the policies. To facilitate the formulation of policies for non-technical authors, significant emphasis was put on the usability of the prototype.