Mining Meaningful Role-Based and Attribute-Based Access Control Policies

Advanced models of access control, such as role-based access control (RBAC) and attribute-based access control (ABAC), offer important advantages over lower-level access control policy representations, such as access control lists (ACLs). However, the effort required for a large organization to migrate from ACLs to RBAC or ABAC can be a major obstacle to adoption of RBAC or ABAC. Policy mining algorithms partially automate the construction of advanced access control policies from ACL policies and possibly other information, such as user and resource attributes. These algorithms can greatly reduce the cost of migration to RBAC or ABAC. This dissertation presents several new policy mining algorithms.;First, this dissertation considers mining of role-based policies from ACL policies and possibly other information. The dissertation presents new and flexible algorithms for this problem. The algorithms can easily be used to optimize a variety of RBAC policy quality metrics, including metrics based on policy size, metrics based on interpretability of the roles with respect to user attribute data, and compound metrics that consider size and interpretability. In experiments with publicly available access control policies, one of our algorithms achieves significantly better results than previous work.;Next, this dissertation considers mining of parameterized role based policies. Parameterization significantly enhances the scalability of RBAC, by allowing more concise policies. This dissertation defined a parameterized RBAC (PRBAC) framework, in which users and permissions have attributes that are implicit parameters of roles and can be used in role definitions. Algorithms are presented for mining PRBAC policies from ACLs and attribute data. To the best of our knowledge, this is the first PRBAC policy mining algorithm. Evaluation on three small but non-trivial case studies demonstrates the effectiveness of our algorithm.;Finally, this dissertation considers mining of attribute-based policies. ABAC allows policies to be written in a concise, flexible, and high-level way. Three versions of the ABAC policy mining problem are considered, differing in the input: (1) mining ABAC policies from ACLs and attribute data, (2) mining ABAC policies from RBAC policies and attribute data, and (3) mining ABAC policies from operation logs and attribute data. Algorithms are presented for all three versions of the problem. Extensions of the algorithms to identify suspected noise in the input data are also described. To the best of our knowledge, these are the first ABAC policy mining algorithms. Evaluations on sample policies and synthetic policies demonstrate the effectiveness of our algorithms.