Formal foundations for hybrid hierarchies in GTRBAC
of roles. We present a set of inference rules that can be used to generate all the possible derived relations that can be inferred from a specified set of hierarchical relations and show that it is sound and complete. We also present an analysis of hierarchy transformations with respect to role addition, deletion, and partitioning, and show how various cases of these transformations allow the original permission acquisition and role-activation semantics to be managed. The formal results presented here provide a basis for developing efficient security administration and management tools.