Mining Positive and Negative Attribute-Based Access Control Policy Rules

Mining access control policies can reduce the burden of adopting more modern access control models by automating the process of generating policies based on existing authorization information in a system. Previous work in this area has focused on mining positive authorizations only. That includes the literature on mining role-based access control policies (which are naturally about positive authorization) and even more recent work on mining attribute-based access control (ABAC) policies. However, various theoretical access control models (including ABAC), specification standards (such as XACML), and implementations (such as operating systems and databases) support negative authorization as well as positive authorization. In this paper, we propose a novel approach to mine ABAC policies that may contain both positive and negative authorization rules. We evaluate our approach using two different policies in terms of correctness, quality of rules (conciseness), and time. We show that while achieving the new goal of supporting negative authorizations, our proposed algorithm outperforms existing approach to ABAC mining in terms of time.