The use of the Unified Modeling Language (UML)for specifying security policies is attractive because it is expressive and has a wide user base in the software industry. However, there are very few mature tools that support rigorous analysis of UML models. Alloy is a formal specification language that has been used to rigorously analyze security policies, but few practitioners have the background needed to develop good Alloy models. We propose a new approach to policy analysis in which designers use UML at the front-end to describe their security policies and the Alloy Analyzer is used at the backend to analyze the modeled properties. The UML-to-Alloy and Alloy-to-UML transformations obviate the need for security designers to understand the Alloy specification language. The proposed approach supports the analysis of both functional and structural aspects of security policies.