Mining Attribute-Based Access Control Policies via Categorisation
摘要
Attribute-based Access Control (ABAC), which has come to prominence in recent years, offers flexible and fine-grained protection to organisational resources. However, it has been observed that ABAC policies are often difficult to engineer, review and maintain. Towards mitigating these challenges, we propose a policy mining approach that derives ABAC policies from access logs using a category-based metamodel for access control. Our miner, named MAPCat (Mining ABAC Policies via Categorisation), operates in two phases. In the first step, principals and resources are grouped into semantically coherent categories using natural language processing techniques. The access log entries are then used to refine these categories and synthesise the corresponding permission relations. Through categorisation, MAPCat generates policies that are compact and easy to analyse, while preserving original authorisation decisions. Experiments with two publicly available policy corpora demonstrate that the policies mined by MAPCat faithfully reproduce all the accesses already present in the logs and also generalise well towards handling future requests.