Relationship-based access control: its expression and enforcement through hybrid logic
File(s)
DTR11-12.pdf (282.85 KB)
Published version
Author(s)
Department of Computing, Imperial College London
Type
Report
Abstract
Access control policy is typically defined in terms of attributes, but in many applications it is more natural to define permissions in terms of relationships that resources, systems, and contexts may enjoy. The paradigm of relationship-based access control has been proposed to address this issue, and modal logic has been used as a technical foundation. We argue here that hybrid logic, a natural and well-established extension of modal logic, addresses limitations in the ability of modal logic to express certain relationships. Also, hybrid logic has advantages in the ability to efficiently compute policy decisions relative to a relationship graph. We identify a fragment of hybrid logic to be used for expressing relationship-based access-control policies, show that this fragment supports important policy idioms, and study its expressiveness. We also capture the previously studied notion of relational policies in a static type system. Finally, we point out that use of our hybrid logic removes an exponential penalty in existing attempts of specifying complex relationships such as "at least three friends".
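The abstract describes policies evaluated against a relationship graph and a hybrid-logic encoding of idioms such as "at least three friends". The following is an added illustration, not code from the report: a small Python model checker for a hybrid-logic fragment with propositions, nominals, the satisfaction operator @ and the ↓ binder, plus two relationship-based policy idioms evaluated from the resource owner's node with the requester named by a nominal. The fragment, the tuple encoding of formulas, the policy idioms, the social graph and the `at_least` counting encoding (one standard hybrid-logic formulation, generalised here to any n, with formula size polynomial in n) are all assumptions of this example rather than the report's own definitions.

```python
# Added example (not from the report): a minimal model checker for a
# hybrid-logic fragment over a relationship graph, applied to
# relationship-based access-control policies.  The syntax, the policy
# idioms and the sample social graph are assumptions for illustration.
from typing import Dict, Iterable, List, Optional, Set, Tuple

Formula = tuple                          # nested tuples, see `holds`
Graph = Dict[str, Dict[str, Set[str]]]   # relation -> source node -> target nodes
Props = Dict[str, Set[str]]              # proposition -> nodes where it holds
Env = Dict[str, str]                     # hybrid variable (nominal) -> node


def holds(g: Graph, props: Props, w: str, f: Formula, env: Optional[Env] = None) -> bool:
    """Does node `w` of relationship graph `g` satisfy formula `f` under `env`?

    Constructors:
      ("true",)          ("prop", p)         ("nom", x)   -- w is the node named x
      ("not", f)         ("and", f, g)       ("or", f, g)
      ("dia", rel, f)    -- some rel-successor of w satisfies f   (modal diamond)
      ("at", x, f)       -- evaluate f at the node named x        (the @ operator)
      ("bind", x, f)     -- name the current node x, then check f (the ↓ binder)
    """
    env = {} if env is None else env
    kind = f[0]
    if kind == "true":
        return True
    if kind == "prop":
        return w in props.get(f[1], set())
    if kind == "nom":
        return env[f[1]] == w
    if kind == "not":
        return not holds(g, props, w, f[1], env)
    if kind == "and":
        return holds(g, props, w, f[1], env) and holds(g, props, w, f[2], env)
    if kind == "or":
        return holds(g, props, w, f[1], env) or holds(g, props, w, f[2], env)
    if kind == "dia":
        return any(holds(g, props, v, f[2], env) for v in g.get(f[1], {}).get(w, set()))
    if kind == "at":
        return holds(g, props, env[f[1]], f[2], env)
    if kind == "bind":
        return holds(g, props, w, f[2], {**env, f[1]: w})
    raise ValueError(f"unknown constructor {kind!r}")


def conj(fs: Iterable[Formula]) -> Formula:
    out: Formula = ("true",)
    for f in fs:
        out = ("and", out, f)
    return out


def at_least(rel: str, n: int, origin: str = "x") -> Formula:
    """'The current node has at least n distinct rel-successors', written as
    ↓x.◇rel ↓y1.@x ◇rel (¬y1 ∧ ↓y2.@x ◇rel (¬y1 ∧ ¬y2 ∧ ...)).
    Nominals pin down each successor found so far, so distinctness is a
    conjunction of ¬y_i rather than an enumeration of cases."""
    def after(i: int, seen: List[str]) -> Formula:
        f = conj(("not", ("nom", y)) for y in seen)     # distinct from earlier finds
        if i < n:
            var = f"y{i}"
            nxt = ("at", origin, ("dia", rel, after(i + 1, seen + [var])))
            f = ("and", f, ("bind", var, nxt))
        return f
    return ("bind", origin, ("dia", rel, after(1, [])))


# Policy idioms, evaluated at the owner's node with the requester named "req".
REQ: Formula = ("nom", "req")
IS_FRIEND: Formula = ("dia", "friend", REQ)
FRIEND_OF_FRIEND: Formula = ("dia", "friend", ("dia", "friend", REQ))
FOF_VERIFIED: Formula = ("dia", "friend", ("dia", "friend", ("and", REQ, ("prop", "verified"))))


def authorize(g: Graph, props: Props, owner: str, requester: str, policy: Formula) -> bool:
    """Access decision: does the owner's node satisfy `policy` when `req` names the requester?"""
    return holds(g, props, owner, policy, {"req": requester})


def undirected(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


# Constructed sample graph (assumption): a symmetric "friend" relation.
SAMPLE_GRAPH: Graph = {"friend": undirected(
    [("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("bob", "erin")])}
SAMPLE_PROPS: Props = {"verified": {"dave"}}

if __name__ == "__main__":
    print("alice -> bob, IS_FRIEND:", authorize(SAMPLE_GRAPH, SAMPLE_PROPS, "alice", "bob", IS_FRIEND))
    print("alice -> erin, FRIEND_OF_FRIEND:", authorize(SAMPLE_GRAPH, SAMPLE_PROPS, "alice", "erin", FRIEND_OF_FRIEND))
    print("alice has >= 3 friends:", holds(SAMPLE_GRAPH, SAMPLE_PROPS, "alice", at_least("friend", 3)))
    print("bob has >= 3 friends:", holds(SAMPLE_GRAPH, SAMPLE_PROPS, "bob", at_least("friend", 3)))
```

The checker walks the graph lazily from the owner's node, so a decision only touches the neighbourhood the formula's diamonds reach; a node absent from the graph (no edges) simply has no successors and fails every diamond.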
Date Issued
2011-01-01
Citation
Departmental Technical Report: 11/12, 2011, pp.1-12
Publisher
Department of Computing, Imperial College London
Start Page
1
End Page
12
Journal / Book Title
Departmental Technical Report: 11/12
Copyright Statement
© 2011 The Author(s). This report is available open access under a CC-BY-NC-ND (https://creativecommons.org/licenses/by-nc-nd/4.0/)
Publication Status
Published
Article Number
11/12