A Model-Driven Approach for the Specification and Analysis of Access Control Policies