Greedy and Evolutionary Algorithms for Mining Relationship-Based Access Control Policies
This work addresses the cost reduction of policy migration for security administrators, though it appears incremental as it builds on existing access control frameworks.
The paper tackles the problem of automating the migration from legacy access control systems to relationship-based access control (ReBAC) by developing two algorithms—a greedy algorithm and a grammar-based evolutionary algorithm—to mine ReBAC policies from access control lists and attribute data, demonstrating their effectiveness in evaluations on sample policies and case studies.
Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents two algorithms for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model: a greedy algorithm guided by heuristics, and a grammar-based evolutionary algorithm. An evaluation of the algorithms on four sample policies and two large case studies demonstrates their effectiveness.