Rule-based Specification and Analysis of Security Policies - Inria - Institut national de recherche en sciences et technologies du numérique
Preprint, Working Paper. Year: 2009

Rule-based Specification and Analysis of Security Policies

Abstract

We propose a formal framework for the specification and validation of security policies. A security policy responds to the authorisation requests of a system according to a certain number of rules and to the configuration of the system at the moment of the request. A system constrained by a security policy consists of two parts: on one hand, the set of rules describing the way the decisions are taken and on the other hand, the information used by the rules and the way they evolve in the system. We call the former the policy rules and the latter the security system. Policy rules are constrained rewrite rules, whose constraints are safe first-order formulas on finite domains, which provides enhanced expressive power compared to classical security policy specification approaches like the ones using Datalog, for example. Our specifications have an operational semantics based on transition and rewriting systems and are thus executable. This framework also provides a common formalism to define, compare and compose security systems and policies. We define transformations over security systems in order to perform validation of classical security properties.
Main file
paper.pdf (224.34 KB)
Origin: Files produced by the author(s)

Dates and versions

inria-00429240, version 1 (02-11-2009)
inria-00429240, version 2 (01-06-2010)
inria-00429240, version 3 (30-07-2010)

Identifiers

  • HAL Id: inria-00429240, version 2

Cite

Tony Bourdier, Horatiu Cirstea, Mathieu Jaume, Hélène Kirchner. Rule-based Specification and Analysis of Security Policies. 2009. ⟨inria-00429240v2⟩