Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents an algorithm for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model, and an evaluation of the algorithm on four sample policies and two large case studies. Our algorithm can be adapted to mine ReBAC policies from access logs and object models. It is the first algorithm for these problems.
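To make the formulation concrete, the following is an added illustration, not code from the paper or its authors: an object model in which relationships are object-valued fields, a path-expression evaluator that follows chains of such fields, and rules whose constraints compare a subject-side path with a resource-side path. The hospital objects, the rule shape, the three operators (`in`, `eq`, `supseteq`) and the expected ACL are all constructed for this example and are not the paper's policy language. `induced_acl` computes the set of (subject, resource, action) triples a rule set grants over an object model, which is the natural check for a mining result: the mined rules must reproduce the input ACL.

```python
"""Added ReBAC illustration (not the paper's code): objects with
reference-valued fields, path expressions, and rules with path constraints."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple


@dataclass(eq=False)  # identity hashing: each Obj is a node in the object graph
class Obj:
    cls: str                      # class of the object, e.g. "Doctor"
    name: str                     # label used in the ACL triples
    attrs: Dict[str, Any] = field(default_factory=dict)  # scalars or Obj refs


Path = Tuple[str, ...]            # a path expression is a tuple of field names


def follow(start: Obj, path: Path) -> Set[Any]:
    """Evaluate a path expression from `start`. Set-valued fields fan out,
    so the result is a set; an undefined step yields the empty set."""
    current: Set[Any] = {start}
    for fld in path:
        nxt: Set[Any] = set()
        for o in current:
            if not isinstance(o, Obj):
                continue          # reached a scalar before the path ended
            v = o.attrs.get(fld)
            if v is None:
                continue
            if isinstance(v, (set, frozenset, list, tuple)):
                nxt.update(v)
            else:
                nxt.add(v)
        current = nxt
    return current


@dataclass
class Rule:
    subject_type: str
    resource_type: str
    constraints: List[Tuple[Path, str, Path]]  # (subject path, op, resource path)
    actions: Set[str]


def constraint_holds(sub: Obj, res: Obj, c: Tuple[Path, str, Path]) -> bool:
    spath, op, rpath = c
    left, right = follow(sub, spath), follow(res, rpath)
    if op == "in":        # single subject-side value is a member of the resource-side set
        return len(left) == 1 and next(iter(left)) in right
    if op == "eq":        # both sides single-valued and equal
        return len(left) == 1 and left == right
    if op == "supseteq":  # subject-side set contains the (non-empty) resource-side set
        return bool(right) and right <= left
    raise ValueError(f"unknown operator {op!r}")


def permits(rules: List[Rule], sub: Obj, res: Obj, action: str) -> bool:
    return any(
        r.subject_type == sub.cls and r.resource_type == res.cls
        and action in r.actions
        and all(constraint_holds(sub, res, c) for c in r.constraints)
        for r in rules)


def induced_acl(rules: List[Rule], objects: List[Obj]) -> Set[Tuple[str, str, str]]:
    """The ACL a rule set denotes over an object model. A mined policy is
    consistent with its input ACL exactly when this equals that ACL."""
    acl: Set[Tuple[str, str, str]] = set()
    for r in rules:
        for s in (o for o in objects if o.cls == r.subject_type):
            for t in (o for o in objects if o.cls == r.resource_type):
                if all(constraint_holds(s, t, c) for c in r.constraints):
                    acl.update((s.name, t.name, a) for a in r.actions)
    return acl


def sample_model() -> List[Obj]:
    """Constructed hospital object model (not from the paper's case studies)."""
    ward_c = Obj("Ward", "wardC", {"department": "cardiology"})
    ward_o = Obj("Ward", "wardO", {"department": "oncology"})
    alice = Obj("Doctor", "alice", {"department": "cardiology"})
    bob = Obj("Doctor", "bob", {"department": "oncology"})
    nina = Obj("Nurse", "nina", {"ward": ward_c})
    omar = Obj("Nurse", "omar", {"ward": ward_o})
    carol = Obj("Patient", "carol", {"ward": ward_c, "treatingTeam": {alice}})
    rec1 = Obj("Record", "rec1", {"patient": carol})
    return [ward_c, ward_o, alice, bob, nina, omar, carol, rec1]


RULES = [
    # a doctor on the patient's treating team may read and write the record
    Rule("Doctor", "Record", [((), "in", ("patient", "treatingTeam"))], {"read", "write"}),
    # a nurse assigned to the patient's ward may read the record
    Rule("Nurse", "Record", [(("ward",), "eq", ("patient", "ward"))], {"read"}),
]

# constructed input ACL the rules above are expected to reproduce
EXPECTED_ACL = {("alice", "rec1", "read"), ("alice", "rec1", "write"), ("nina", "rec1", "read")}


def policy_matches_acl(rules: List[Rule], objects: List[Obj], acl: Set[Tuple[str, str, str]]) -> bool:
    return induced_acl(rules, objects) == acl


if __name__ == "__main__":
    objs = sample_model()
    print(sorted(induced_acl(RULES, objs)))
    print("consistent with ACL:", policy_matches_acl(RULES, objs, EXPECTED_ACL))
```

The empty subject path in the first rule denotes the subject itself, so the constraint reads "subject is in resource.patient.treatingTeam". Any mining algorithm for this setting, including the paper's, has to search for rules of this shape whose induced ACL equals the given one; `policy_matches_acl` is the acceptance test for such a result.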