Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects.ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents two algorithms for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model: a greedy algorithm guided by heuristics, and a grammar-based evolutionary algorithm. An evaluation of the algorithms on four sample policies and two large case studies demonstrates their effectiveness.An access control list (ACL) policy is a tuple CM , OM , Act, SP 0 , where CM is a class model, OM is an object model, Act is a set of actions, and SP 0 ⊆ OM × OM × Act is a subject-permission relation. Conceptually, SP 0 is the union of the resources' access control lists.An ReBAC policy π is consistent with an ACL policy CM , OM , Act, SP 0 if they have the same class model, object model, and actions and [[π]] = SP 0 .An ReBAC policy consistent with a given ACL policy can be trivially constructed, by creating a separate