“…As such, ABAC supports rules such as identity-based permissions, roles, ownership, time, location, consent and breaking-the-glass procedures. Secondly, the most widely-used language for attribute-based policies XACML [1] additionally allows to combine multiple attribute-based rules in a single policy as a tree, a concept also present in the literature (e.g., [4,12]). As illustrated in Figure 1, each element in such a policy tree defines to which requests it applies and how the results of its children should be combined, e.g., a permit overrides a deny.…”