Abstract
Successful deployment of attribute-based access control requires policy engineering, the process of constructing a set of appropriate rules, known as a policy. Policy engineering is performed by either a top-down approach, which may ignore some of the existing accesses in the organization, or a bottom-up approach, which may form rules that are not relevant to the organizational processes. In this work, we propose a hybrid approach to policy engineering that addresses the limitations of the top-down and bottom-up approaches while preserving their individual advantages.