Improving Transaction Success Rate by Detecting and Correcting Access Control Misconfigurations

摘要

Security and availability are often contradictory goals to achieve in large organizations. In the context of databases, if too conservative access control policies are adopted, a large number of transactions are likely to be rejected due to inadequate user privileges. On the other hand, a liberal access control policy violates the principle of least privilege. However, it is impractical for a system administrator to correctly assign privileges to a large set of resources to a large number of users. In this paper, we attempt to achieve both the above goals by automatically detecting and correcting any access control misconfigurations. Using historical transaction data, we build associations between user-object, user-user, and object-object. The information so derived is used to handle any transactions that have been denied access due to misconfigurations.