A Decision Tree Learning Approach for Mining Relationship-Based Access Control Policies
Thang Bui, Scott D. Stoller

TL;DR
This paper introduces decision tree-based algorithms, DTRM and DTRM-, for efficiently mining relationship-based access control policies from existing ACLs, enabling faster migration with comparable policy quality.
Contribution
The paper presents novel decision tree algorithms for ReBAC policy mining that outperform existing methods in speed and language richness.
Findings
Algorithms are significantly faster than state-of-the-art methods.
Achieve comparable policy quality to existing algorithms.
Capable of mining policies in a richer language.
Abstract
Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing, by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents new algorithms, called DTRM (Decision Tree ReBAC Miner) and DTRM-, based on decision trees, for mining ReBAC policies from access control lists (ACLs) and information about entities. Compared to state-of-the-art ReBAC mining algorithms, our algorithms are significantly faster, achieve comparable policy quality, and can mine policies in a richer language.
