Generalized Mining of Relationship-Based Access Control Policies in Evolving Systems

Iyer, Padmavathi; Masoumzadeh, Amirreza

doi:10.1145/3322431.3325419

Cited by 16 publications

(9 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Graph based access control models [68,81,91] have used graphs to express hierarchical nature of user roles. Graph based frameworks have also been used to augment role based access control (RBAC) [69,70] and relation based access control (ReBAC) [60] systems and have application in operating systems. will.iam leverages the well-researched concepts of graph based access control to propose flexible and dynamic access control model for serverless platforms.…”

Section: Related Workmentioning

confidence: 99%

Workflow Integration Alleviates Identity and Access Management in Serverless Computing

Sankaran

Datta

Bates

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Workflow Integration Alleviates Identity and Access Management in Serverless Computing

Sankaran

Datta

Bates

2020

Annual Computer Security Applications Conference

View full text Add to dashboard Cite

“…More detailed descriptions of these policies are available in [2]. The ABAC or ReBAC versions of these policies, or variants of them, have been used as benchmarks in several papers on policy mining, including [20,5,14,17,15,2].…”

Section: Datasetsmentioning

confidence: 99%

“…policy learning) algorithms have the potential to greatly reduce this cost, by automatically producing a draft high-level policy from existing lower-level data, such as access control lists or access logs. There is a substantial amount of research on role mining [21,10] and a small but growing literature on ABAC policy mining [25,24,20,22,10,9,14,17,8,19], and ReBAC policy mining [4,5,6,3,15,2,16].…”

Section: Introductionmentioning

confidence: 99%

“…Therefore, we developed an algorithm to solve this general problem, based on learning multi-way decision trees, and then adapted Bui and Stoller's Decision-Tree ReBAC Mining algorithms (DTRM and DTRM − ) to use that algorithm. We adopted their decision-tree based approach, because their algorithms are significantly faster, achieves comparable policy quality, and can mine policies in a richer language than other ReBAC mining algorithms such as FS-SEA* [3] and Iyer et al's algorithm [15], as demonstrated by their experiments [2].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values

Bui¹,

Stoller²

2020

Preprint

View full text Add to dashboard Cite

Attribute-Based Access Control (ABAC) and Relationship-based access control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC. This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.

show abstract

“…We chose ORAL as the basis for our policy language to facilitate comparison with existing work. ORAL [BSL17,BSL18,BSL19b,BSL19a] or a similar language [IM19] is used in all of the published work on ReBAC policy mining. The similarity of Iyer et al's policy language to ORAL is reflected in the fact that the policies used in their experiments are translations of parts of the ORAL policies used in [BSL19b].…”

Section: Introductionmentioning

confidence: 99%

Mining Relationship-Based Access Control Policies

Bui

Stoller

2017

Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects.ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents two algorithms for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model: a greedy algorithm guided by heuristics, and a grammar-based evolutionary algorithm. An evaluation of the algorithms on four sample policies and two large case studies demonstrates their effectiveness.

show abstract

Generalized Mining of Relationship-Based Access Control Policies in Evolving Systems

Cited by 16 publications

References 18 publications

Workflow Integration Alleviates Identity and Access Management in Serverless Computing

Workflow Integration Alleviates Identity and Access Management in Serverless Computing

Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values

Mining Relationship-Based Access Control Policies

Contact Info

Product

Resources

About