1 Introduction
IT systems with advanced security requirements increasingly apply problem-specific security policies for describing, analyzing and implementing security properties (?;?;?;?). In order to precisely describe security policies, formal security models such as (?; ?;?; ?) are applied, allowing for formal analyses of security properties and serving as specifications from which policy implementations are generated (?).