Towards Harnessing the Power of LLMs for ABAC Policy Mining

TL;DR

This study evaluates the potential of Large Language Models to automatically generate Attribute-based Access Control policies, revealing their effectiveness in small scenarios and limitations as system complexity grows.

Contribution

It provides an empirical assessment of LLMs for ABAC policy mining, highlighting their capabilities and challenges in scalable access control policy synthesis.

Findings

LLMs can effectively infer compact ABAC policies for small-scale scenarios.

Accuracy and precision decline as the number of subjects and objects increases.

Generated policies tend to be larger and less optimal in complex environments.

Abstract

This paper presents an empirical investigation into the capabilities of Large Language Models (LLMs) to perform automated Attribute-based Access Control (ABAC) policy mining. While ABAC provides fine-grained, context-aware access management, the increasing number and complexity of access policies can make their formulation and evaluation rather challenging. To address the task of synthesizing concise yet accurate policies, we evaluate the performance of some of the state-of-the-art LLMs, specifically Google Gemini (Flash and Pro) and OpenAI ChatGPT, as potential policy mining engines. An experimental framework was developed in Python to generate randomized access data parameterized by varying numbers of subjects, objects, and initial policy sets. The baseline policy sets, which govern permission decisions between subjects and objects, serve as the ground truth for comparison. Each LLM-generated policy was evaluated against the baseline policy using standard performance metrics. The results indicate that LLMs can effectively infer compact and valid ABAC policies for small-scale scenarios. However, as the system size increases, characterized by higher numbers of subjects and objects, LLM outputs exhibit declining accuracy and precision, coupled with significant increase in the size of policy generated, which is beyond the optimal size. These findings highlight both the promise and limitations of current LLM architectures for scalable policy mining in access control domains. Future work will explore hybrid approaches that combine prompt optimization with classical rule mining algorithms to improve scalability and interpretability in complex ABAC environments.