Mining complex access control policies

Access control is one of the indispensable services of any information system responsible for protecting the underlying data from unauthorized access and inappropriate modifications. While it is possible to specify access control polices by enumerating every instance of authorized access (which subject may exercise what right on which object), such an approach is very tedious and error prone when it comes to maintaining the security policy of a system over time. As a remedy to this problem, modern access control policy models provide more abstract and flexible ways to specify authorizations.

What if we have already an access control policy implementation (e.g., access control lists - ACLs) and want to adopt a more modern and flexible model (e.g., attribute-based access control - ABAC)? It turns out that manually replicating an existing authorization policy in terms of a new policy model from scratch is laborious, error-prone and can lead to inefficient policies too. The policy mining problem is about developing algorithms to achieve this task in an automated and efficient manner.

In this project, we look into mining policies in the context of flexible access control policy models such as ABAC. The challenge is to develop algorithms that mine correct and concise policies in an acceptable time. One of the exciting subproblems that we are investigating is mining policies containing conflicting positive and negative authorization rules.

Mining negative authorization rules in attribute-based access control policies

People: Amir Masoumzadeh, Padmavathi Iyer
Related Publication:
  1. P. Iyer and A. Masoumzadeh, “Mining Positive and Negative Attribute-Based Access Control Policy Rules,” in Proc. 23rd ACM Symposium on Access Control Models and Technologies (SACMAT ’18) (to Appear), 2018.