Abstract-Traditional policies often focus on access control requirement and there have been several proposals to define access control policy algebras to handle compositions and interactions. Recently, obligations are increasingly being expressed as part of security policies. However, their compositions and interactions have not yet been studied adequately. In this paper, we propose a policy algebra capturing both access control and obligation policies. The algebra consists of two policy constants and six basic operations. It provides language independent mechanisms to manage policies. As a concrete example, we instantiate the algebra for the Ponder2 policy language.