Mining Attribute-based Access Control Policies
This work addresses the cost and effort of migrating to ABAC for organizations, offering a novel automation solution in access control management.
The paper tackles the problem of automating the development of Attribute-based Access Control (ABAC) policies from existing access control lists or role-based policies, presenting the first ABAC policy mining algorithm that iteratively constructs, generalizes, and refines candidate rules to generate a policy.
Attribute-based access control (ABAC) provides a high level of flexibility that promotes security and information sharing. ABAC policy mining algorithms have potential to significantly reduce the cost of migration to ABAC, by partially automating the development of an ABAC policy from an access control list (ACL) policy or role-based access control (RBAC) policy with accompanying attribute data. This paper presents an ABAC policy mining algorithm. To the best of our knowledge, it is the first ABAC policy mining algorithm. Our algorithm iterates over tuples in the given user-permission relation, uses selected tuples as seeds for constructing candidate rules, and attempts to generalize each candidate rule to cover additional tuples in the user-permission relation by replacing conjuncts in attribute expressions with constraints. Our algorithm attempts to improve the policy by merging and simplifying candidate rules, and then it selects the highest-quality candidate rules for inclusion in the generated policy.