TY - CHAP
T1 - Automated Generation and Update of Structured ABAC Policies
AU - Bamberger, Anna
AU - Fernández, Maribel
N1 - Publisher Copyright:
© 2024 Owner/Author.
PY - 2024/6/21
Y1 - 2024/6/21
N2 - We present a new access control policy generation algorithm that also offers a solution to the policy update problem. The algorithm generates structured attribute-based access control policies, more precisely, it generates a categorisation of principals and resources based on attribute values, together with rules that specify permissions for categories of principals on categories of resources. To facilitate the identification of user profiles associated with granted and denied requests, the algorithm generates both positive and negative categories (defining authorisations and prohibitions, respectively). The input for the algorithm is a set of access request logs together with attributes of entities in the system, and optionally an existing policy. If only logs are provided as input, the algorithm generates a policy that is consistent with the input logs (i.e., the mined policy includes the authorisations and prohibitions that occur in the logs). If instead the algorithm is used to update an existing policy, then it is sufficient to provide as input the policy and examples of authorisations and prohibitions that the updated version of the policy should include. To illustrate the algorithm, we describe its application to a public ICU health metric data set.
AB - We present a new access control policy generation algorithm that also offers a solution to the policy update problem. The algorithm generates structured attribute-based access control policies, more precisely, it generates a categorisation of principals and resources based on attribute values, together with rules that specify permissions for categories of principals on categories of resources. To facilitate the identification of user profiles associated with granted and denied requests, the algorithm generates both positive and negative categories (defining authorisations and prohibitions, respectively). The input for the algorithm is a set of access request logs together with attributes of entities in the system, and optionally an existing policy. If only logs are provided as input, the algorithm generates a policy that is consistent with the input logs (i.e., the mined policy includes the authorisations and prohibitions that occur in the logs). If instead the algorithm is used to update an existing policy, then it is sufficient to provide as input the policy and examples of authorisations and prohibitions that the updated version of the policy should include. To illustrate the algorithm, we describe its application to a public ICU health metric data set.
KW - attribute-based access control
KW - category-based access control
KW - policy generation
KW - policy update
UR - http://www.scopus.com/inward/record.url?scp=85197209664&partnerID=8YFLogxK
U2 - 10.1145/3643650.3658608
DO - 10.1145/3643650.3658608
M3 - Conference paper
AN - SCOPUS:85197209664
T3 - SaT-CPS 2024 - Proceedings of the 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems
SP - 31
EP - 40
BT - SaT-CPS 2024 - Proceedings of the 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems
PB - Association for Computing Machinery, Inc
T2 - 4th ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, SaT-CPS 2024, held in conjunction with the 14th ACM Conference on Data and Application Security and Privacy, CODASPY 2024
Y2 - 21 June 2024
ER -