SoK: Access Control Policy Generation from High-level Natural Language Requirements
Sakuna Harinda Jayasundara, Nalin Asanka Gamagedara Arachchilage, Giovanni Russello

TL;DR
This paper systematically reviews existing tools and frameworks for generating access control policies from natural language requirements, aiming to improve their usability and reliability to prevent data breaches.
Contribution
It provides a comprehensive analysis of 49 publications to identify limitations in current access control policy generation methods, guiding future improvements.
Findings
Graphical tools are prone to human errors
Automated frameworks often produce erroneous policies
Identified key limitations to inform future research
Abstract
Administrator-centered access control failures can cause data breaches, putting organizations at risk of financial loss and reputation damage. Existing graphical policy configuration tools and automated policy generation frameworks attempt to help administrators configure and generate access control policies by avoiding such failures. However, graphical policy configuration tools are prone to human errors, making them unusable. On the other hand, automated policy generation frameworks are prone to erroneous predictions, making them unreliable. Therefore, to find ways to improve their usability and reliability, we conducted a Systematic Literature Review analyzing 49 publications, to identify those tools, frameworks, and their limitations. Identifying those limitations will help develop effective access control policy generation solutions while avoiding access control failures.
Taxonomy
Topics: Access Control and Trust · Information and Cyber Security
