RAGent: Retrieval-based Access Control Policy Generation
Sakuna Harinda Jayasundara, Nalin Asanka Gamagedara Arachchilage, and Giovanni Russello

TL;DR
RAGent is a retrieval-based framework that automates access control policy generation from high-level requirements, achieving high accuracy and reliability through retrieval-augmented generation and iterative verification.
Contribution
It introduces RAGent, a novel retrieval-based approach with verification-refinement, and provides three annotated datasets to advance access control policy automation.
Findings
Access requirement identification with 87.9% F1 score.
Policy translation with 77.9% F1 score.
Enhanced reliability to 80.6% F1 score through verification-refinement.
Abstract
Manually generating access control policies from an organization's high-level requirement specifications poses significant challenges. It requires laborious efforts to sift through multiple documents containing such specifications and translate their access requirements into access control policies. Also, the complexities and ambiguities of these specifications often result in errors by system administrators during the translation process, leading to data breaches. However, the automated policy generation frameworks designed to help administrators in this process are unreliable due to limitations, such as the lack of domain adaptation. Therefore, to improve the reliability of access control policy generation, we propose RAGent, a novel retrieval-based access control policy generation framework based on language models. RAGent identifies access requirements from high-level requirement…
Taxonomy
Topics: Access Control and Trust · Internet Traffic Analysis and Secure E-voting · Privacy-Preserving Technologies in Data
