EXTree: Towards Supporting Explainability in Attribute-based Access Control
Shanampudi Pranaya Chowdary (Indian Institute of Technology Kharagpur, India), Shamik Sural (Indian Institute of Technology Kharagpur, India)

TL;DR
EXTree is a novel approach that enhances explainability and efficiency in Attribute-based Access Control policies by structuring them as optimized decision trees for better feedback and understanding.
Contribution
The paper introduces EXTree, a method to create ABAC policy trees that improve both evaluation speed and human interpretability, addressing a key gap in access control systems.
Findings
EXTree achieves faster policy evaluation compared to traditional methods.
Entropy-based trees provide more meaningful explanations for access denial.
Experimental results show EXTree bridges the gap between complex logic and human understanding.
Abstract
With increasing emphasis on transparency in digital governance, users expect more than silence when their access requests are denied by a system. However, authorization methods are notorious for their inability to provide any form of meaningful feedback under such situations. This paper shows a direction towards how the problem of explainability can be mitigated in the context of Attribute-based Access Control (ABAC), arguably the most researched topic in access control in recent years. We introduce EXTree, which represents ABAC policies optimized for both fast evaluation (Efficiency) and human-centric feedback (Explainability) in the form of a tree. Two strategic dimensions are investigated, namely, Feedback Evaluation Strategies - how to craft actionable explanations when access is denied, and Tree Construction Strategies - how the policy trees should be structured for efficient yet…
