Session: Research Track - ABAC
Mining Positive and Negative Attribute-Based Access Control
Policy Rules
Padmavathi Iyer
University at Albany – SUNY
Albany, New York
[email protected]
[email protected]
ABSTRACT
Mining access control policies can reduce the burden of adopting
more modern access control models by automating the process of
generating policies based on existing authorization information in
a system. Previous work in this area has focused on mining positive
authorizations only. That includes the literature on mining role-
based access control policies (which are naturally about positive
authorization) and even more recent work on mining attribute-
based access control (ABAC) policies. However, various theoretical
access control models (including ABAC), specification standards
(such as XACML), and implementations (such as operating systems
and databases) support negative authorization as well as positive
authorization.
In this paper, we propose a novel approach to mine ABAC policies
that may contain both positive and negative authorization rules.
We evaluate our approach using two different policies in terms of
correctness, quality of rules (conciseness), and time. We show that
while achieving the new goal of supporting negative authorizations,
our proposed algorithm outperforms existing approach to ABAC
mining in terms of time.
CCS CONCEPTS
• Security and privacy → Access control; Authorization;
KEYWORDS
attribute-based access control; policy mining; negative authoriza-
tion; authorization conflicts
ACM Reference format:
Padmavathi Iyer and Amirreza Masoumzadeh. 2018. Mining Positive and
Negative Attribute-Based Access Control Policy Rules. In Proceedings of The
23rd ACM Symposium on Access Control Models & Technologies (SACMAT),
Indianapolis, IN, USA, June 13–15, 2018 (SACMAT ’18), 12 pages.
https://doi.org/10.1145/3205977.3205988
1 INTRODUCTION
Access control is one of the indispensable services of any informa-
tion system responsible for protecting the underlying data from
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from
[email protected]
. 9]. XACML policy language [6], a widely used standard for spec-
SACMAT ’18, June 13–15, 2018, Indianapolis, IN, USA
© 2018 Copyright held by the owner/author(s). Publication rights licensed to Associa-
tion for Computing Machinery.
ACM ISBN 978-1-4503-5666-4/18/06. . . $15.00
https://doi.org/10.1145/3205977.3205988
161
SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA
Amirreza Masoumzadeh
University at Albany – SUNY
Albany, New York
unauthorized access and inappropriate modifications [8]. Attribute-
based access control (ABAC), as one of the more recent models for
specifying access control policies, has been shown to overcome
major limitations in previous models [10]. Unlike discretionary
access control (DAC) or mandatory access control (MAC) models,
ABAC is not dependent on user identities or rigid rules to determine
authorizations as in DAC and MAC. Also, by allowing composition
of flexible rules, it avoids problems such as role explosion [10] in
role-based access control (RBAC). As the name suggests, ABAC
models employ the attributes of users and resources to determine
if an access request should be granted or denied, that is, attribute
expressions are used to specify the sets of users and resources to
which a policy is applicable [12, 22, 28]. For example, a policy such
as "A manager can read any document in his/her department" may
be directly translated to an ABAC policy: "if userType=manager,
resourceType=document, userDepartment=resourceDepartment, ac-
tion=read then PERMIT". Thus, compared to traditional access con-
trol models, ABAC is very flexible in specifying access control
policies, which makes ABAC a powerful access control model for
promoting security.
We explore the problem of mining ABAC policies in this paper.
Suppose an organization has already implemented some form of
access control and wants to migrate to ABAC paradigm. Specifying
ABAC policies manually from the existing access control infor-
mation can be a time-consuming and error-prone job. To reduce
the burden and expense of this task, the process of extracting poli-
cies from the given access control information can be partially or
completely automated. This approach of automating the policy
generation process is called policy mining. Mining RBAC policies,
aka role mining, has been heavily studied in recent years [18]. Re-
cently, Xu and Stoller have proposed an approach for mining ABAC
policies [27, 26].
One of the limitations of policy mining approaches in the liter-
ature, addressing which is a central contribution of this paper, is
lack of support for mining negative authorization rules. An ABAC
policy can comprise of a set of positive and negative authorization
rules, which grant or deny applicable access requests, respectively.
Simultaneous use of positive and negative authorization rules are
useful in situations when exceptions to more general rules need
to be expressed, or when authorization rules with clonflicting out-
comes originated from different viewpoints may have overlap. Be-
side ABAC, various other access control models in the literature
allow expressing both positive and negative authorizations [13, 3,
ifying and enforcing access control policies, also supports them.
Negative authorizations have been also supported in products such
as operating systems [21], web servers [1], and database systems [2].
Session: Research Track - ABAC
Therefore, it is essential for an access control mining approach to
be able to mine policies that may contain both positive and negative
authorization rules. We note that although policy mining has been
largely studied in the context of RBAC, due to lack of support for
negative authorization in RBAC, naturally no previous work in that
area addresses this problem [18]. The work by Xu and Stoller [27,
26], in the context of ABAC, also supports only mining policies
with positive rules.
In this paper, we propose an algorithm for mining ABAC policies
that can extract positive as well as negative authorization rules
from a given access control information. Rather than designing
an algorithm from scratch, we adopt an existing rule mining algo-
rithm from the data mining literature, called PRISM [4], and extend
that to capture positive and negative authorization rules simultane-
ously. Therefore, compared to previous work [27, 26], our algorithm
provides a more systematic and less heuristic approach to mining
access control rules that not only extracts negative authorizations
but also performs better in terms of time. Our key contributions in
this paper are as follows.
• We propose an algorithm for mining ABAC policies that, to
the best of our knowledge, is a first of its kind approach to
extract negative authorization rules in addition to positive
authorization rules in the access control mining literature.
• We present a detailed approach to generate an authorization
log that is needed as input to the mining algorithm, in case
it is not readily available for a system.
• We implement a prototype and conduct experiments on the
performance of our algorithm in terms of correctness and
conciseness of the mined rules and the time taken to generate
them. We demonstrate that, when the original (ground truth)
policy includes negative authorization rules, our algorithm
generates concise set of rules, which is not possible using
previous work [27, 26]. Moreover, our algorithm outperforms
previous work in terms of time in both cases of positive-only
and positive-and-negative authorization policies.
The rest of the paper is organized as follows. Section 2 discusses
our reference policy model that we use for specifying ABAC poli-
cies. In Section 3, we discuss about the design goals and challenges,
and formally define the ABAC policy mining problem. Section 4
will describe the proposed ABAC policy mining algorithm in depth
along with its time complexity. We discuss about an approach to
generate complete authorization log in Section 5. In Section 6, we
run experiments to test our proposed algorithm and analyze the re-
sults. Section 7 discusses related work in the field of policy mining
and how our approach is novel compared to previous contribu-
tions. Finally, in Section 8, we provide additional discussions and
conclusions.
2 ABAC POLICY MODEL
In this section, we present a specification and authorization seman-
tics for ABAC policies that will be the basis for defining the policy
mining problem and its proposed solution in this paper.
2.1 Policy Specification
An ABAC policy usually contains a disjunctive set of rules com-
prising attribute expressions on users and resources, actions, and
162
SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA
applicable decisions. In the rest of this section, we generally use up-
percase letters for denoting a set and lowercase letters for notating
an element in a set.
Let U be the set of users in the system and R be the set of re-
sources. A user is characterized by a set of attributes. Let UATTR
be the set of user attributes. To get the value of an attribute for
a user, we use the notation u.uattr, where uattr ∈ UATTR is the
name of the user attribute. Like a user, a resource is characterized
by a set of attributes, which will be denoted as RATTR. Given a
resource attribute rattr ∈ RATTR, the value of that attribute for a
resource is denoted by r.rattr. Let the domain of an attribute be the
set of all possible values that the attribute can take. The domain
of an attribute attr ∈ UATTR ∪ RATTR is denoted by dom(attr). For
simplicity, we consider only categorical attributes in this work. We
assume that every user and resource in the system has a unique
identifier attribute, defined by uid and rid, respectively. Authoriza-
tions in an ABAC system are determined for actions requested by
users over resources. Let ACT be the set of all possible actions in
the system.
The main components of an ABAC rule are attribute expressions
that together (in a conjunctive format) determine the sets of users
and resources to which a rule applies. An attribute expression can
be either an attribute-value pair or an attribute-attribute pair. An
attribute-value pair specifies the value corresponding to a user or
resource attribute for the given rule to be applicable. An attribute-
value pair for a user attribute uattr and a value val is expressed as
u.uattr = val and that for a resource attribute rattr and a value val
is denoted as r.rattr = val. The followings are examples of attribute-
value pairs:
• u.department = CS
• r.type = transcript
In the above examples, the first attribute-value pair indicates the
set of users whose department is CS, while the second attribute
pair indicates the set of resources whose type is transcript.
An attribute-attribute pair specifies a pair of user and resource
attributes that need to match for the rule to be applicable. Formally,
an attribute-attribute pair can be expressed as u.uattr = r.rattr,
where uattr ∈ UATTR and rattr ∈ RATTR. An example of attribute-
attribute expression is as follows:
• u.department = r.department
In the above example, the attribute expression is satisfied by that
set of users and resources where user department is the same as
resource department.
Similar to attribute expressions, in particular attribute-value
pairs, an ABAC rule includes an action expression that is denoted
by action = act, where act ∈ ACT . Such an expression determines
the access requests to which a rule will be applicable based on the re-
quested action. Finally, each ABAC rule includes a rule effect, which
is interpreted as granting applicable requests (PERMIT) or denying
them (DENY). Given the abovementioned components, an ABAC rule
is formally defined as a pair ⟨ϕ, d⟩ where ϕ is a conjunctive set of at-
tribute expressions and action expression and d ∈ {PERMIT, DENY}
Session: Research Track - ABAC
is the rule effect. We use the following grammar for rule specifica-
tion in this paper:
rule ::= ⟨ϕ, d⟩
ϕ ::= exp [; exp ]
exp ::= u.uattr = value |
r .rattr = value |
u.uattr = r .rattr |
action = value
d ::= PERMIT | DENY
The followings are some examples of ABAC rules:
• ⟨u.position = faculty; u.chair = true; r .type = transcript;
u.department = r .department; action = read_transcript,
PERMIT⟩
• ⟨u.position = manager; u.department = accounts;
r .type = budget; action = approve, DENY⟩
The first example above is an example of a positive rule, according
to which a user who is a faculty and chair of a department can
perform read_transcript operation on all the transcripts in his/her
department. On the other hand, the second example is an illus-
tration of a negative rule, according to which if a manager from
the accounts department tries to approve the budget of a project
(project is a resource in this case), then he/she will be denied access.
As mentioned earlier, an ABAC policy is a disjunctive set of
rules. We denote the complete set of rules in an ABAC policy by ρ.
Along with the authorization rules, an ABAC policy also includes a
default decision and a conflict resolution strategy. A default decision
applies when none of the rules in the policy are applicable to an
access request. A conflict resolution strategy applies when there is
an overlap between positive and negative authorization rules. In
other words, if both PERMIT and DENY rules are applicable to an
access request, then the conflict resolution strategy of the policy
decides the final decision for that access request [15, 16, 11].
In the context of this paper, in order to avoid overcomplicating
our discussion about policy mining, we assume DENY as the default
decision and deny-overrides as the conflict resolution strategy.
2.2 Authorization Process
An authorization request is a tuple ⟨u ∈ U , r ∈ R, a ∈ ACT ⟩ indicat-
ing the requesting user, requested resource and action, respectively.
Given an ABAC policy as described in Section 2.1, an ABAC autho-
rization system evaluates each policy rule’s expressions based on
the request and determines if the rule is applicable to the request or
not. There are three possible scenarios based on such a matching
process:
• the access request matches with one or more rules in the
policy, all of which contain the same access decision; or
• the access request matches with more than one rule in the
policy but the access decisions of those rules are conflicting,
i.e., include both PERMIT and DENY decisions; or
• the access request does not match with any rule in the policy.
The first scenario is quite straightforward. In this case, the autho-
rization decision returned by the rule(s) in the policy. In the second
scenario, the final authorization decision is resolved according to
163
SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA
the conflict resolution strategy of the policy. For example, if the
conflict resolution strategy of the policy is deny-overrides, then
only one applicable DENY rule in the policy is sufficient to make
the final authorization decision to be DENY. Finally, in the third
scenario above, the default decision of the policy determines the
authorization result. For example, if the default decision of the pol-
icy is DENY, then the system denies an access request if the request
is not applicable with any of the rules in the policy.
3 PROBLEM STATEMENT
In this section, we present our design considerations and challenges
for mining ABAC policies that include both positive and negative
rules, and formulate the ABAC policy mining problem.
As input to the policy mining process, we consider a low-level
log of authorization decisions in a system, which indicates autho-
rization decision (PERMIT or DENY) for any given access by a user
to a resource. Since our goal is to mine rules based on user and
resource attributes, such a log needs to be accompanied (and aug-
mented) by attributes of users and resources involved in the log
entries. Such an access log may be accumulated by and retrieved
from a working authorization system (e.g., as in collected in audit
logs or for the sole purpose of mining). Also, in some cases, we
may have an already existing access control policy specified using
other models such as role-based access control (RBAC [7]) or simple
access control lists (ACL [20]). In such cases, based on the existing
policy, we may generate the desired log using an authorization
engine or a log conversion process in case of simple models such
as ACL.
A central design consideration and contribution of this work is
coexistence of positive and negative rules in a mined policy. Ability
to specify both positive and negative rules is desirable in cases such
as handling simple exceptions (e.g., all but one department should
be able to access a file) or implementing strict requirements for
a group of users/resources (e.g., all employees on administrative
leave should not be able to access any resource). This requirement
brings on new challenges for mining ABAC policies compared to
when mining positive rules only. In order to discuss better about
the challenges, we illustrate two sample abstract policies as Venn
diagrams in Figure 1. Here, the universe represents all possible
access requests and corresponding decisions in the system. Each
policy rule has been represented as a circle determining set of access
instances to which it is applicable. As such, various overlapping
situations can exist among policy rules. An overlap area indicates
access instances with multiple applicable policies. As explained in
Section 2.2, overlap can lead to a conflict situation if rules result in
different decisions. For example, Figure 1(a) represents partial over-
laps between two positive rules as well as overlap of the negative
rules with the positive rules. Here, negative rules are proper subset
of positive rules which may be used to specify exceptions to some
permissions. For example, it can be the case that every student
except students in the CS department can view the courselist:
• ⟨u.position = student; actions = view_course_list, PERMIT⟩
• ⟨u.position = student; u.department = CS;
actions = view_course_list, DENY⟩
Figure 1(b) shows another example where a negative rule overlaps
with multiple positive rules.
Session: Research Track - ABAC
Universal DENY PERMIT space
(a)
Figure 1: Policy spaces demonstrating PERMIT rules, conflicting DENY rules, and DENY space as default decision (a) Conflicting
DENY rules are proper subset of PERMIT rules; and, (b) DENY rules conflict with more than one PERMIT rule.
Looking at the above examples from the viewpoint of a policy
mining algorithm, which only sees a flat access log data, it is chal-
lenging to discover the rules when both positive and negative rules
exist. The solution needs to discern DENY cases that are result of
applying negative rules versus those that are result of applying the
default rule. Note that we consider DENY as the default decision in
this paper as explained in Section 2.1, . In Figure 1 the non-shaded
area outside of the rules represents cases to which the default policy
applies while the crossed areas represent cases when a negative
rule results in DENY. Figure 1(b) highlights another desired char-
acteristic for our solution. Rather than trying to generate three
different specific negative rules, each corresponding to the crossed
DENY pieces that are cut out of the positive rules, we need to be able
to detect that they belong to one more general negative rule.
Finally, a policy mining solution should strive for deriving a
policy that is as concise as possible as they are more manageable
and easier to interpret. In terms of an ABAC policy, we would
like to create less number of rules as well as creating rules with
less number of expressions (more general rules). Previous work on
mining ABAC policies [26] have adopted the notion of Weighted
Structural Complexity (WSC), previously defined in the context of
RBAC policy mining [19], as a metric for this purpose. We adopt the
same notion here. Informally, WSC of an ABAC policy is the sum
of weights of all of its rules, where each rule’s weight is calculated
as the weighted sum of the number of expressions in that rule.
Mathematically, WSC of an ABAC policy composed of the ruleset
ρ is given as:
Õ
WSC(ρ) = WSC(rule)
rule ∈ρ
WSC(rule) = w1 |α | + w2 |β | + w3 |γ |
where α, β and γ are, respectively, sets of attribute-value pairs,
attribute-attribute pairs, and action expressions in rule’s ϕ. More-
over, wi s are user-specified weights that adjust their contribution
to rule’s conciseness.
164
SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA
DENY within PERMIT space
(b)
Based on the abovementioned considerations, we define the
ABAC policy mining problem as follows. The ABAC policy mining
problem accepts a complete authorization log (augmented with
attributes) as input and extracts an ABAC policy (Section 2.1) that
is concise and consistent with the authorization log. Based on the
notations discussed in Section 2.1, the authorization log is a set
of records, each indicating attribute values of a requesting user
(UATTR), attribute values of requested resource (RATTR), an action
(ACT ), and corresponding access decision (PERMIT or DENY). In this
work, we assume a complete log as input, meaning that every po-
tential combination of attribute values are provided in the log (or
otherwise assumed and set to be equal to the default DENY decision).
As the correctness criterion, the mined policy must be consistent
with the input authorization, i.e., the authorization of a log entry
according to the mined policy and the semantics described in Sec-
tion 2.2 must result in the same access decision as in the log entry.
As the quality criterion, a solution to the mining problem must aim
for policies that are as concise as possible. We quantify performance
towards achieving this goal using the abovementioned WSC metric.
4 MINING ABAC POLICIES
In this section, we propose an approach for mining ABAC policies
that include both positive and negative rules based on the policy
model discussed in Section 2. Our proposed algorithm follows a
systematic flow to mine optimal rules, as shown in Figure 2, avoid-
ing heuristic and sub-optimal procedures as much as possible. The
flow starts with mining positive rules, but also discovers conflicting
negative rules simultaneously as a subprocess. In the following, we
present our algorithm and analyze its time complexity.
4.1 Positive/Negative Rule Mining Algorithm
In order to mine attribute-based rules from authorization logs, we
adopt concepts from a rule mining algorithm, called PRISM [4].
Session: Research Track - ABAC SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA

Calculate best Find subset of log

Start Access Control Log Initialize a rule attribute expression based on α x and
(α x ) for PERMIT add α x to rule
Yes

Log contains Mine-able Subset contains

Generalize No No No
PERMIT DENY rule in only PERMIT
DENY rules instances? subset? instances?

Yes Yes
Stop Remove the Add the PERMIT rule and the Add the PERMIT
Mined ABAC ruleset
subset from log conflicting DENY rule to ruleset rule to ruleset

Figure 2: Flow chart of the proposed ABAC policy mining algorithm

The backbone of PRISM algorithm is induction strategy for find- Algorithm 1: mineRules
ing the attribute-value pair, α x , which yields highest conditional Input :loд (complete authorization log)
probability for a particular classification, δn , that is, for which Output : List of rules
P(δn | α x ) is maximum. In context of this paper, conditional proba- 1 decision_col ← дetLastCol(loд)
bility P(δn | α x ) is the probability of occurrence of PERMIT or DENY 2 while PERMIT ∈ decision_col do
decision, δn , for a given attribute expression, α x . 3 X ← loд
At a high level our ABAC policy mining algorithm works in an it-
4 Y ← decision_col
erative manner as shown in Algorithm 1. The input to the algorithm
5 ϕ←∅
is an authorization log (augmented with user/resource attributes)
as described in Section 3. The getLastCol function returns all the 6 while DENY ∈ Y do
access decisions, in order, from the input dataset. The outer while 7 (attr , val, prob) ← findAttrValPair (X , PERMIT)
loop runs until the log does not contain any PERMIT instances, to 8 coveraдe1 = lenдth(дetInstances(X , attr , val))
ensure that all positive rules have been mined. The inner while 9 (attr 1, attr 2, prob2) ← findAttrAttrPair (X , PERMIT)
loop runs until a subset of the log contains all PERMIT instances or 10 coveraдe2 = lenдth(дetInstances(X , attr 1, attr 2))
a conflicting DENY rule is encountered. Basically, the inner while 11 if prob = prob2 and coveraдe1 > coveraдe2 then
loop is used to mine either a positive rule or a pair of positive and 12 (expr _LHS, expr _RHS) ← (attr , val)
conflicting DENY rules. Within the inner loop, lines 7-17 returns the 13 else if prob2 < prob then
attribute expression, either attribute-value or attribute-attribute 14 (expr _LHS, expr _RHS) ← (attr , val)
pair, that yields the highest conditional probability for PERMIT. If 15 else
equal probabilities are encountered, then the one with larger cover- 16 (expr _LHS, expr _RHS) ← (attr 1, attr 2)
age is returned. An attribute expression has larger coverage over 17 ϕ.add(expr _LHS = expr _RHS)
another if the number of instances in the dataset that contains 18 X ← дetInstances(X , expr _LHS, expr _RHS)
the former is greater than that for latter. The selected attribute
19 Y ← дetLastCol(X )
expression is then added to the positive rule. getInstances function
20 deny_rule ← f indDenyRule(X , ϕ, Y )
returns a subset of the log containing those instances that satisfy
the selected attribute expression. Within this subset, existence of a 21 if deny_rule! = null then
conflicting DENY rule is checked using findDenyRule function (Al- 22 ruleset.add(deny_rule)
gorithm 4). If it does, the conflicting DENY rule is added to ruleset 23 break
and the inner loop breaks. Otherwise, inner loop repeats over the 24 ruleset.add(⟨ϕ, PERMIT⟩)
subset created in the previous iteration, until the subset comprises 25 loд.removeInstances(ϕ)
of only PERMIT instances. Lines 24-25 add PERMIT rule, which is 26 decision_col ← дetLastCol(loд)
created by taking the conjunction of all selected attribute expres- 27 ruleset ← дeneralizeDenyRules(ruleset, loд)
sions in the inner loop, to the ruleset, and remove all instances from
the log that are covered by this rule. generalizeDenyRules function
(Algorithm 5) generalizes all the negative rules in the ruleset by
removing redundant attribute expressions from those rules. The Algorithms 2 and 3 manifest two functions for returning attribute
output of the ABAC policy mining algorithm is a set of positive expressions, attribute-value pair and attribute-attribute pair, with
and conflicting negative rules. highest conditional probability for PERMIT. The inputs to both these
functions are the same. The loop in the findAttrValPair function

165
Session: Research Track - ABAC SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA

Algorithm 2: findAttrValPair Algorithm 4: findDenyRule

Input :X (log of access requests and decisions), class Input :X (log of access requests and decisions), ϕ (a permit
(PERMIT or DENY) rule), Y (list of decisions for access requests in X )
Output : Attribute-Value pair Output : A deny rule
1 (maxProb, attr, val) ← (0, null, null) 1 f laд ← f alse
2 for i ← 1 to (numAttributes(X )-1) do 2 decision_col ← дetLastCol(X )
3 foreach j ∈ getUniqueValues(X .getColumn(i)) do 3 while not(getUniqueValues(decision_col) = {DENY}) do
4 prob ← P(class | i j ) 4 (attr , val, prob) ← getAttrExp (X , DENY)
5 if maxProb < prob then 5 coveraдe = lenдth(дetInstances(X , attr , val))
6 (maxProb, attr, val) ← (prob, i, j) 6 (expr _LHS, expr _RHS) ← (attr, val)
7 else if maxProb = prob then 7 if дetU niqueV alues(X .дetColumn(attr )) ≡ dom(attr )
8 if attr = null and val = null then then
9 (attr , val) ← (i, j) 8 ϕ.add (expr _LHS = expr _RHS)
10 else if lenдth(дetInstances(X , attr , val)) < 9 f laд ← true
lenдth(дetInstances(X , i, j)) then 10 X ← дetInstances(X , rule_LHS, rule_RHS)
11 (maxProb, attr , val) ← (prob, i, j) 11 decision_col ← дetLastCol(X )
12 return (attr , val, maxProb)
12 if f laд = f alse then
13 return (null)
14 else if coveraдe = lenдth(дetInstances(Y , DENY)) then
Algorithm 3: findAttrAttrPair
15 return (⟨ϕ, DENY⟩)
Input :X (log of access requests and decisions), class
16 else
(PERMIT or DENY)
17 return (null)
Output : Attribute-Attribute pair
1 uAttr ← getUserAttributes(X )
2 rAttr ← getResourceAttributes(X )
Algorithm 5: generalizeDenyRules
3 (maxProb, attr 1, attr 2) ← (0, null, null)
Input :ruleset (initial ruleset from mining algorithm), loд
4 for i ← 1 to (numAttributes(uAttr )-1) do
(complete authorization log)
5 for j ← 1 to (numAttributes(rAttr )-1) do
Output : Final ruleset with generalized deny rules
6 prob ← P(class | [i, j])
1 covered_instances ← ∅
7 actual_i ← getActualIndex(i, X )
2 foreach rule ∈ ruleset do
8 actual_j ← getActualIndex(j, X )
3 if rule.d = DENY then
9 if maxProb < prob then 4 coveraдe ← дetRuleCoveraдe(rule)
10 (maxProb, attr 1, attr 2) ←
5 if coveraдe ⊆ covered_instances then
(prob, actual_i, actual_j) 6 ruleset .remove(rule)
11 else if maxProb = prob then 7 else
12 if attr 1 = null and attr 2 = null then 8 foreach attrExp ∈ rule do
13 (attr 1, attr 2) ← (actual_i, actual_j) 9 дen_cov ←
14 else if lenдth(дetInstances(X , attr 1, attr 2)) < дetRuleCoveraдe(rule.remove(attr Exp))
lenдth(дetInstances(X , actual_i, actual_j)) then 10 if not(PERMIT ∈ дen_cov) then
15 (maxProb, attr 1, attr 2) ← 11 rule ← rule.remove(attrExp)
(prob, actual_i, actual_j) 12 ruleset .add(rule)
16 return (attr 1, attr 2, maxProb)
13 coveraдe ← дetRuleCoveraдe(rule)
14 covered_instances ←
covered_instances ∪ coveraдe
enumerates all possible attribute-value pairs in the input dataset
15 return ruleset
and calculates conditional probability in case of each attribute-
value pair. The getUniqueValues function in line 3 returns the set of
distinct values from the input set. The conditional probability in
line 4 indicates the probability of occurrence of the given class (in rattr ∈ RATTR, and uattr and rattr have the same domain, that is,
this case, the class is PERMIT), given an attribute-value pair. If two dom(uattr) = dom(rattr). The conditional probability in line 6 (Al-
attribute-value pairs have the same probability, then the one with gorithm 3) indicates the probability of occurrence of PERMIT, given
higher coverage is selected (lines 7-11). The findAttrAttrPair func- an attribute-attribute pair.
tion is similar to the findAttrValPair function, except that, instead The findDenyRule function in Algorithm 4 mines a conflicting
of attribute-value pairs, the loop in findAttrAttrPair function enu- negative rule within a positive rule. The loop runs until all the
merates all possible pairs of uattr and rattr, where uattr ∈ UATTR, instances in the input dataset contain only DENY. Within this loop,

166
Session: Research Track - ABAC
the attribute expression yielding the highest conditional probability
for DENY is selected. Lines 7-9 ensure that the selected attribute
expression is added to the input rule only if the set of distinct
values contained in attribute attr equals the domain of attr. The
flag variable indicates whether any attribute expression was added
to the input rule. A subset of the input dataset is created comprising
of all instances containing the selected attribute expression. The
loop is then repeated on this subset, until it contains only instances
of DENY. At this point, a negative rule is created by taking the
conjunction of all selected attribute expressions in the loop. The
mined negative rule is indeed a conflicting negative rule if it covers
all DENY instances in the input dataset (lines 12-17).
After generating the initial ruleset from the access control log,
the policy mining algorithm generalizes the DENY rules in the rule-
set as specified in Algorithm 5. For every DENY rule in the ruleset,
we initially check if it is a subset of a generalized DENY rule, and
if it is, then it is removed from the ruleset. Otherwise, the DENY
rule is generalized by removing its components (attribute expres-
sions) one at a time. Each time a component is removed, we check
if the new DENY rule covers any PERMIT instances. If it does not,
then the redundant component is removed from the original DENY
rule. Finally, the generalized DENY rule is added to the ruleset. The
getRuleCoverage function returns the set of instances covered by a
rule in the access log.
4.2 Time Complexity
The time complexity of ABAC policy mining algorithm (Algo-
rithm 1) can be calculated as follows. Let n be the number of records
or instances and d be the number of attributes in the access log. The
outer loop runs as many times as the number of PERMIT instances
in the log. So, the running time of the outer loop is O(n).
The inner loop runs as many times as the total number of at-
tributes involved, including all the attribute expressions, within
a particular PERMIT rule. In the worst case, a PERMIT rule can be
formed by all attributes for attribute-value pairs and all combina-
tions of attributes for attribute-attribute pairs. Since a rule cannot
contain duplicate attribute expressions, total number of attributes
included in attribute-value pairs is d and that for attribute-attribute
pairs is of the order d 2 . So, the running time of inner while loop is
O(d 2 ).
Calculating the optimal attribute-value pair (line 7 in Algo-
rithm 1; Algorithm 2) takes O(nd) in the worst case when all the
attributes in the log contains n distinct values. Further, calculating
the optimal attribute-attribute pair (line 9 in Algorithm 1; Algo-
rithm 3) takes O(d 2 ) time. So, total time taken for calculating the
optimal attribute expression is O(nd).
Computing a conflicting DENY rule (line 20 in Algorithm 1; Algo-
rithm 4) takes total O(nd 3 ) time. This is because the while loop in
Algorithm 4 takes O(d 2 ) time in the worst case when a DENY rule
contains all attributes for attribute-value pairs and all combinations
of attributes for attribute-attribute pairs. Moreover, calculating the
optimal attribute expression (line 4 in Algorithm 4) takes O(nd)
time.
Generalizing the DENY rules (line 27 in Algorithm 1; Algorithm 5)
consumes a total of O(nd) time. This is because the loop in Algo-
rithm 5 runs for each attribute, within every DENY rule in the initial
167
SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA
ruleset. Since rules represent instances of the access log, the number
of DENY rules in the initial ruleset is of the order n.
The total running time of our ABAC policy mining algorithm
is, therefore, O(n 2d 5 ). The time complexity of our policy mining
approach is much less than O(n 3 ), which is the worst case running
time of [26] (details in Section 7). Suppose, every attribute in the
log contains exactly two values in its domain, then total number of
instances in a complete log, n, is 2d . Besides, in a realistic application,
domain of attributes have more than two values. So, for large values
of d, d 5 << md (= n), where m ∈ {2, 3, 4, ...} depending on the
application.
5 GENERATING ACCESS LOGS
In this part, we discuss the algorithm used for generating the log,
in detail. The proposed algorithm can be used as a framework for
generating synthetic logs, which can be utilized for various analysis
purposes. For example, we use synthetic logs, generated from ABAC
policies, for evaluation of our policy mining approach, so that we
can have the ground truth while comparing the mined ABAC policy
with original ABAC policy.
Log generation is an important phase in our proposed approach,
because the log outputted from this phase serves as the input for
the ABAC policy mining algorithm. Our goal is to understand the
behavior of an underlying access control model. So we consider all
possible combinations of all possible users, resources and actions, in
short all possible scenarios of access requests, while generating the
log, to be able to interpret all possible operations of the underlying
access control model.
The log generation algorithm works as follows. Using the set of
user attributes and domain for each user attribute, all possible users
in the system are created by enumerating all possible combinations
of values for user attributes. Similarly, all possible resources in the
system are created using the set of resource attributes and domain
for each resource attribute. A unique identifier is allocated to each
user and resource. Then, using the complete set of users, resources
and actions in the system, all possible (user, resource, action) combi-
nations are determined, to enumerate all possible access requests
that can be created from the system. While generating the complete
set of access requests, each request is evaluated against the given
XACML policy to determine the access decision for that request, fol-
lowing which the access request and corresponding access decision
are written to a file.
Each record in the log indicates if a certain user can perform
certain action on a certain resource. In other words, each row in the
log contains the tuple (Au , Ar , Action, Decision), where Au and Ar
are, respectively, the set of requesting user and requested resource
attributes, Action is the requested action, and Decision ∈ {PERMIT,
DENY } is the access decision corresponding to that access request.
5.1 Determining domains for each attribute
A challenge that we encountered while generating the log was to
determine the domain for each user and resource attribute, because
based on this domain information, all possible combinations of
values for user and resource attributes can be created. In the con-
text of this paper, we assume four types of columns or attributes:
columns appearing only in the set of user attributes or resource
 Session: Research Track - ABAC
attributes (but not in both) referred to as usr-only attribute and res-
only attribute respectively, columns that appear in the intersection
of user and resource attribute sets referred as usr-res attributes, a
user column dependent on the resource identifier column called as
usr-foreign-key column, and a resource column dependent on the
user identifier column referred to as res-foreign-key attribute.
The basic algorithm for defining the domain for all attributes is
as follows:
Step 1: Determine the domain for all usr-only and res-only attributes.
Step 2: For every column c ∈ usr-res, repeat:
– First determine the domain of c.
– Then the domain of each uattr and rattr, where uattr ∩
rattr = c, is the same as the domain of c, that is, dom(uattr)
= dom(rattr) = dom(c).
Step 3: If the set of user attributes contains a column c ∈ usr-foreign-
key, then the domain of c, dom(c), is the set or subset of
resource identifiers, as required by c.
Step 4: If the set of resource attributes contains a column c ∈ res-
foreign-key, then the domain of c, dom(c), is the set or subset
of user identifiers, as required by c.
6 EVALUATION
We have implemented the proposed algorithms in Section 4 and
report our experimental evaluation in this section. As our evalua-
tion approach, rather than starting from an access log, we conduct
our experiments by generating an access log from an ABAC pol-
icy, and then mine policies based on the generated log. Such an
approach ensures that we have access to ground truth policies (i.e.,
original policies) with which we can compare the results of our
mining algorithm. We follow a systematic approach to generate a
comprehensive as well as minimal log as proposed in Section 5.
We compare the performance of our algorithm with the previ-
ously proposed algorithm by Xu and Stoller [26], which we refer
to as XSAM in the rest of this section. We should note that XSAM
is only capable of mining positive attribute-based access control
policies. Therefore, we conduct our experiments on both policies
that contain only positive rules, and policies that include positive
as well as conflicting negative rules.
6.1 Datasets
We perform our experiments on two policy datasets that we have
have adapted from [26] to include negative authorizations. The
university policy, University, authorizes accesses to applications,
gradebooks, rosters and transcripts, requested by students, faculties,
applicants and staff in registrar/admissions office. The project man-
agement policy, Project, controls accesses by accountant, auditor,
planner and manager to tasks, schedules and budgets associated
with projects.
In order to provide a fair assessment and comparison of our al-
gorithm versus XSAM, we use two different versions of University
and Project policies. Policies UniversityP and ProjectP contain
only postive authorization rules, while policies UniversityPN and
ProjectPN have both positive and negeative authorization rules.
We have included the policies in Appendix A.
168
SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA
6.2 Implementation
Our log generation implementation works based on list of all possi-
ble user attributes and resource attributes along with the domain
for each attribute, list of all possible actions, and an ABAC pol-
icy written in XACML 3.0 [6] (Section 5). Each policy in XACML
comprises of a set of rules, where each rule consists of a sequence
of attribute expressions to determine which access requests the
rule applies to and a rule effect to determine the access decision in
case the rule is satisfied by an access request. Consistent with our
policy model, we use deny-overrides rule-combining algorithm for
XACML policies. The log generation algorithm is implemented in
Java (JDK 1.8). We use WSO2 Balana [25], an open-source XACML
implementation, to determine access decisions corresponding to
each access request for a given XACML policy. The policy mining
algorithm is written in Python (Python 3.5). We performed each
experiment 10 times and report the average time measurement
in our experiments. The experiments were performed on a 64-bit
Windows 10 machine having 12 GB RAM and Intel Core i7-6700HQ
processor.
Table 1 summarizes the access logs generated for university and
project management policies. We note that the same number of
access requests were generated regardless of positive-only vs. posi-
tive/negative policy versions. |attru | is the number of user attributes,
including the unique identifier attribute. Similarly, |attrr | is the num-
ber of resource attributes, including the identifier attribute. |U |, |R|
and |O| are, respectively, the total number of user, resources and
actions in the system. |log| is the total number of records in the
generated log, which is computed as |U | x |R| x |O|.
6.3 Experiments with Positive Authorizations
We first compare the performance of our policy mining algorithm
with XSAM [26] on policies consisting of only positive authoriza-
tions. This can provide an insight on how performances comapre
on solving a mining problem that both approaches should be able to
solve by design. We use the complete log as input to our algorithm,
and provide only the PERMIT instances as input to XSAM since it
works based on access control lists (ACLs).
The first four rows in Table 2 show the results of our algorithm
and XSAM on UniversityP and ProjectP policies. The table com-
pares approaches on the basis of quality, with respect to preciseness
and conciseness, of mined rules and total time taken for execution.
|ρor iд+ | and |ρor iд− | are the number of positive and negative rules
in the original ABAC policies, whereas |ρmined+ | and |ρmined− |
are the number of positive and negative rules in the mined ABAC
policies. Further, WSCorig and WSCmined are, respectively, the WSC
measure for original and mined policies. When calculating WSC
for the experiments, we consider all user-specified weights w i to be
equal to one. Finally, Run time is the total time, in seconds, taken for
mining ABAC policies from the given access control information.
As demonstrated in Table 2, both approaches, XSAM [26] and
our proposed work, perform exactly the same in terms of mining
concise rules that are syntactically and semantically similar to the
original policy. However, our approach outperforms XSAM in terms
of running time.
Session: Research Track - ABAC SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA

Table 1: Details of the access logs created from original ABAC policies

Policy |attru | |U | |attrr | |R| |O| |log|

University 6 128 5 2048 9 2359296
Project 8 4608 6 72 7 2322432

Table 2: Comparison of our proposed algorithm with XSAM [26] for university and project management policies

Mining Alg. Policy |ρor iд+ | |ρor iд− | |ρmined+ | |ρmined− | WSCorig WSCmined Time (s)
XSAM UniversityP 5 - 5 - 19 19 1540
Proposed work UniversityP 5 - 5 - 19 19 936
XSAM ProjectP 11 - 11 - 49 48 1328
Proposed work ProjectP 11 - 11 - 49 48 896
XSAM ProjectPN 11 4 20 - 67 4324 1370
Proposed work ProjectPN 11 4 11 4 67 64 1032
XSAM* UniversityPN 11 3 -* -* 56 -* 7200+*
Proposed work UniversityPN 11 3 11 3 56 53 1123
* XSAM [26] did not terminate nor produced any output for the UniversityPN policy even after running for more than two hours.

6.4 Experiments with Positive and Negative 6.5.2 Comparison with XSAM. Our policy mining algorithm
Authorizations and the XSAM approach perform similar when only positive autho-
rization rules need to be mined. However, there is a significance
Our second set of experiments is on policies consisting of both
difference when both positive as well as negative authorization
positive and negative authorization rules. The last four rows in Ta-
rules are considered. More particularly, when experimenting on
ble 2 show the performance of the two approaches on ProjectPN
policies containing negative authorization, XSAM either does not
and UniversityPN policies. Our observations show that our ap-
terminate in reasonable time (after two hours for UniversityPN)
proach precisely mines concise positive and negative rules for both
or produces verbose positive rules containing identifier attributes
policies, whereas XSAM [26] computes verbose rules that are more
(which should be avoided for ABAC policies). In addition, our policy
identity-based rather than attribute-based. For example, in case of
mining approach always runs faster than that of XSAM.
ProjectPN, while our proposed algorithm mines total of 15 rules
Although it may be argued that XSAM considers negative in-
with WSC of 64, XSAM produces 20 rules with significantly large
stances implicitly (i.e., any access not permitted is denied), it fails
WSC (4332). Furthermore, in our experiments, XSAM was not able to
badly when considering both positive and negative rules as demon-
terminate and produce an output for UniversityPN even after run-
strated in our experiments. This is because the policies ProjectPN
ning for more than two hours. The result clearly demonstrate the
and UniversityPN are particularly hard to express using only posi-
need for mining negative authorization rules along with positive
tive rules, which emphasizes the need for explicitly mining negative
rules.
authorization rules along with positive authorization rules.

6.5 Discussion of Results 7 RELATED WORK

6.5.1 Overall Analysis. As shown in Table 2, our policy mining
algorithm precisely mines all the positive and negative rules from
the generated log. Although the input access control log contains
records belonging to both types of DENY spaces, the DENY space as
a result of negative authorization rules and the default DENY space,
our policy mining algorithm successfully mines all and only the
required DENY authorization rules.
Our manual observation of the mined rules showed that they
never reference any identity-based attributes like unique user iden-
tifier attribute and unique resource identifier attribute. Further, the
experiment results verified that the mined ABAC policy is equiv-
alent to the original ABAC policy. Moreover, the WSC of mined
policy is constantly less than or equal to the WSC of original policy,
i.e., (W SC)mined ≤ (W SC)original . This manifests that our algorithm
mines policies that are at least as concise as the original policies,
while maintaining the semantic meaning of the original policies.
One of the areas in policy mining that received great research inter-
est was role mining. The problem of role mining is to determine an
optimal set of roles R from the user-permission assignments (UPA)
for obtaining RBAC configuration that is equivalent to the given
user-permission assignments, that is, decomposing the given UPA
into User-role Assignments (UA) and role-Permission Assignments
(PA) [18]. Vaidya at al. defined the Basic-RMP problem for finding
a minimal set of roles from the given UPA [23]. Edge-RMP, a vari-
ant of Basic-RMP, aims to minimize, along with number of roles,
|UA|+|PA| [14, 24]. |S| denotes the cardinality of a set S. Furthermore,
Colantonio et al. presented a cost-based metric for mining optimal
set of roles [5]. Another metric , proposed by Molloy et al., called
Weighted Structural Complexity (WSC) [19], is the weighted sum
of the number of elements in R, UA, PA and other components of
an RBAC system. The aim of WSC optimization problem is to find
an RBAC configuration, consistent with the given UPA, such that

169
Session: Research Track - ABAC
WSC of the mined RBAC policy is minimized. Consistent with [26],
we adopt the notion of WSC for measuring the complexity of mined
ABAC policies.
The limitation of RBAC policy mining is that, for obtaining RBAC
configuration from the given User Permission Assignments, role
mining problems consider only the positive authorizations, in terms
of what permissions are assigned to users, based on their roles. Our
ABAC mining approach on the other hand, considers both positive
and negative authorizations while obtaining ABAC policy.
Xu and Stoller were the first to introduce the concept of ABAC
policy mining [26]. The motivation behind the idea of ABAC min-
ing is to ease the burden of migration to ABAC framework from
an existing access control paradigm, by partially automating the
process of migration. At a high level, their policy mining algorithm
works as follows. Initially, they generate an Access Control List
(ACL), which they refer as the User Permission Relation, from an
ABAC policy and attribute data. Then their policy mining algo-
rithm, while iterating over the tuples in the given User Permission
Relation, select a user permission tuple that is used as the seed for
creating a candidate rule. This candidate rule is then generalized
by replacing conjuncts in attribute expressions with constraints.
The goal of their generalization process is to increase the coverage
of the rule in terms of the additional tuples that can be covered
by the rule in the User Permission Relation. The set of candidate
rules, which altogether cover the entire ACL, is then optimized
by removing redundant rules and merging pairs of rules. A rule
is redundant if it covers instances in the User Permission Relation
already covered by some other rule. Two different rules, having the
same constraints, are merged by taking the union of conjuncts, in
those rules, for every attribute. However, their algorithm does not
deal with negative authorizations. Moreover the ABAC policy min-
ing algorithm presented in [26] is very heuristic and complicated to
interpret. Importantly, their running time is cubic in the size of the
ACL, whereas the time complexity of our ABAC mining approach
is much less than cubic time as explained in detail in Section 4.2.
Recently, Medvet et al. [17] proposed an evolutionary, separate
and conquer approach for mining ABAC policies, using the same
policy language and case studies as in [26]. In their work, a new rule
is generated and the set of access requests decreases to a smaller size
during each iteration. Similar to Xu and Stoller [26] and unlike our
proposed approach, their work is not capable of mining negative
authorization rules. Moreover, there is not much difference in terms
of performance compared to [26]. Therefore, we only compare our
performance against [26].
Our policy mining algorithm is closely related to the PRISM
rule mining algorithm [4] by Cendrowsk. PRISM is an established
data mining algorithm for inducing rules corresponding to a given
dataset. It serves as a solution for the traditional data mining clas-
sification problem. Given a training dataset, containing different
classifications, PRISM outputs a set of modular rules, where each
rule contains combination of attribute-value pairs for arriving at a
particular classification. To yield a set of disjunctive rules, PRISM
uses an induction strategy for finding the attribute-value that deliv-
ers the most information about a particular classification. In other
words, when determining a rule for a particular classification δ n ,
PRISM finds the attribute-value pair α x that gives the highest con-
ditional probability for the classification δ n , that is, PRISM selects
170
SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA
the α x for which the probability of occurrence of the classifica-
tion δ n , given the attribute-value pair α x , is maximum. However,
the limitation of PRISM in the context of this paper is that, for a
particular rule, PRISM tends to find only attribute-value pairs, but
not attribute-attribute pairs. As a result, when PRISM is run on
the access control log, which serves as a suitable training dataset
comprising of two classifications PERMIT and DENY, PRISM creates
rules containing the identifier attributes like the unique user iden-
tifier attribute and unique resource identifier attribute. As a result,
the output is verbose since it contains large number of rules. Our
policy mining algorithm, although based on PRISM, overcomes this
drawback by also considering attribute-attribute pairs, along with
attribute-value pairs, while constructing a rule for PERMIT or DENY.
8 DISCUSSIONS AND CONCLUSIONS
In this paper, we proposed an algorithm for mining ABAC policies
capable of discovering both positive and negative authorization
rules simultaneously. While previous approaches in access control
policy mining literature had focused on positive-only authorization
rules (including more recent work on ABAC mining [26]), our work
significantly contributes to the area by discovering negative autho-
rization rules as well. We evaluated our policy mining algorithm on
logs generated from two synthetic but realistic policies. Our obser-
vations from experiments show that the mined rules never reference
identity-based attributes like user identifier and resource identifier
attributes. Also, the results demonstrate that the mined rules are
equivalent to the original ABAC policy, and that the mined policies
are concise compared to them. Furthermore, we demonstrated that
our approach outperforms previous ABAC mining algorithm [26]
through the experiments and theoretical analysis.
Our mining algorithm attempts to mine positive and negative
rules simultaneously. An alternative strategy would be to mine all
possible positive rules first and then combine rules in a way to
resolve in more general set of positive and negative rules. However,
such an alternative strategy will lead to many granular positive rules
which then need to be considered for generalization. Combining
granular rules is a complex problem itself to solve optimally. We
note that the previous ABAC mining approach [26] followed such
an strategy (for positive rules only). But it relied on heuristics for
generalization (by considering only pairs of rules). A main objective
of design of our mining approach was to avoid such heuristic, sub-
optimal strategies.
The proposed mining algorithm is feasible to be employed in
practice based on our experimental results and theoretical analysis.
Running time of the algorithm was in the order of a few minutes
for the synthetic policies. Theoretically, the time complexity of our
policy mining algorithm depends on size of complete log, which is
exponential to number of attributes. While we acknowledge this
limitation, we note that it is applicable to any log mining algorithm
that aims to avoid false positives/negatives. Moreover, we note that
policy mining is inherently an offline and less time-sensitive task.
As future work, we plan to extend our approach to incorporate
other ABAC features such as support for numerical data and other
relational operators such as subset in attribute expressions. We
will also explore algorithmic improvements, and more extensive
quantitative analysis based on policies of different sizes.
Session: Research Track - ABAC SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA

ACKNOWLEDGEMENTS [15] A. Lunardelli, I. Matteucci, P. Mori, and M. Petrocchi. A proto-

We would like to thank the anonymous reviewers for their valuable type for solving conflicts in XACML-based e-Health policies.
comments and helpful suggestions that guided us in improving the In Proceedings of the 26th IEEE International Symposium on
final manuscript. Computer-Based Medical Systems, pages 449–452, June 2013.
[16] M. St-Martin and A. P. Felty. A Verified Algorithm for Detect-
REFERENCES ing Conflicts in XACML Access Control Rules. In Proceedings
of the 5th ACM SIGPLAN Conference on Certified Programs
[1] Apache Tutorials - Apache HTTP Server. url: https://httpd.
and Proofs, CPP 2016, pages 166–175, New York, NY, USA.
apache.org/docs/2.0/misc/tutorials.html.
ACM, 2016.
[2] E. Bertino, P. Samarati, and S. Jajodia. An extended autho-
[17] E. Medvet, A. Bartoli, B. Carminati, and E. Ferrari. Evolu-
rization model for relational databases. IEEE Transactions
tionary inference of attribute-based access control policies.
on Knowledge and Data Engineering, 9(1):85–101, Jan. 1997.
In International Conference on Evolutionary Multi-Criterion
issn: 1041-4347.
Optimization, pages 351–365. Springer, 2015.
[3] E. Bertino, S. Jajodia, and P. Samarati. A Flexible Authoriza-
[18] B. Mitra, S. Sural, J. Vaidya, and V. Atluri. A Survey of Role
tion Mechanism for Relational Data Management Systems.
Mining. ACM Comput. Surv., 48(4):50:1–50:37, Feb. 2016. issn:
ACM Trans. Inf. Syst., 17(2):101–140, Apr. 1999. issn: 1046-
0360-0300.
8188.
[19] I. Molloy, N. Li, Y. A. Qi, J. Lobo, and L. Dickens. Mining Roles
[4] J. Cendrowska. PRISM: An algorithm for inducing mod-
with Noisy Data. In Proceedings of the 15th ACM Symposium
ular rules. International Journal of Man-Machine Studies,
on Access Control Models and Technologies, SACMAT ’10,
27(4):349–370, Oct. 1, 1987. issn: 0020-7373.
pages 45–54, New York, NY, USA. ACM, 2010.
[5] A. Colantonio, R. Di Pietro, and A. Ocello. A Cost-driven
[20] R. S. Sandhu and P. Samarati. Access Control: Principles and
Approach to Role Engineering. In Proceedings of the 2008
Practice. IEEE Communications Magazine, 32(9):40–48, 1994.
ACM Symposium on Applied Computing, SAC ’08, pages 2129–
[21] M. Satyanarayanan. Integrating Security in a Large Dis-
2136, New York, NY, USA. ACM, 2008.
tributed System. ACM Trans. Comput. Syst., 7(3):247–280,
[6] eXtensible Access Control Markup Language (XACML) Ver-
Aug. 1989. issn: 0734-2071.
sion 3.0. url: http://docs.oasis-open.org/xacml/3.0/xacml-
[22] D. Servos and S. L. Osborn. HGABAC: Towards a Formal
3.0-core-spec-os-en.html.
Model of Hierarchical Attribute-Based Access Control. In
[7] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R.
International Symposium on Foundations and Practice of Se-
Chandramouli. Proposed NIST standard for role-based ac-
curity, LNCS, pages 187–204. Springer, Cham, Nov. 3, 2014.
cess control. ACM Transactions on Information and System
[23] J. Vaidya, V. Atluri, and Q. Guo. The Role Mining Problem: A
Security, 4(3):224–274, 2001.
Formal Perspective. ACM Trans. Inf. Syst. Secur., 13(3):27:1–
[8] E. Ferrari. Access Control in Data Management Systems.
27:31, July 2010. issn: 1094-9224.
Synthesis Lectures on Data Management, 2(1):1–117, Jan. 1,
[24] J. Vaidya, V. Atluri, Q. Guo, and H. Lu. Edge-RMP: Minimiz-
2010. issn: 2153-5418.
ing administrative assignments for role-based access control.
[9] N. Gal-Oz, E. Gudes, and E. Fernández. A Model of Methods
Journal of Computer Security, 17(2):211–235, Jan. 1, 2009. issn:
Access Authorization in Object-oriented Databases. In Proc
0926-227X.
VLDB, pages 52–61, Jan. 1, 1993.
[25] WSO2 Balana. url: https://github.com/wso2/balana.
[10] V. C. Hu, D. Ferraiolo, R. Kuhn, A. R. Friedman, A. J. Lang,
[26] Z. Xu and S. D. Stoller. Mining Attribute-Based Access Con-
M. M. Cogdell, A. Schnitzer, K. Sandlin, R. Miller, and K.
trol Policies. IEEE Transactions on Dependable and Secure
Scarfone. Guide to attribute based access control (abac) def-
Computing, 12(5):533–545, Sept. 2015. issn: 1545-5971.
inition and considerations (draft). NIST special publication,
[27] Z. Xu and S. D. Stoller. Mining Attribute-Based Access Con-
800(162), 2013.
trol Policies from Logs. In IFIP Annual Conference on Data
[11] F. Huonder. Conflict Detection and Resolution of XACML
and Applications Security and Privacy, LNCS, pages 276–291.
Policies. Master’s thesis, University of Applied Sciences Rap-
Springer, Berlin, Heidelberg, July 14, 2014.
perswil, 2010.
[28] X. Zhang, Y. Li, and D. Nalla. An Attribute-based Access
[12] X. Jin, R. Krishnan, and R. Sandhu. A Unified Attribute-Based
Matrix Model. In Proceedings of the 2005 ACM Symposium on
Access Control Model Covering DAC, MAC and RBAC. In
Applied Computing, SAC ’05, pages 359–363, New York, NY,
IFIP Annual Conference on Data and Applications Security and
USA. ACM, 2005.
Privacy, LNCS, pages 41–55. Springer, Berlin, Heidelberg,
July 11, 2012.
A POLICY DATASETS
[13] M. A. Al-Kahtani and R. Sandhu. Rule-based RBAC with
negative authorization. In 20th Annual Computer Security In the following tables, we list the rules in the policies that we
Applications Conference, pages 405–415, Dec. 2004. used in the experiments. Table 3 lists the rules in the ProjectP
[14] H. Lu, J. Vaidya, and V. Atluri. Optimal Boolean Matrix De- policy. In addition to those rules, the ProjectPN policy includes
composition: Application to Role Engineering. In 2008 IEEE the DENY rules listed in Table 4. Tables 5 and 6 show the rules in
24th International Conference on Data Engineering, pages 297– the UniversityP and UniversityPN policies, respectively.
306, Apr. 2008.

171
Session: Research Track - ABAC SACMAT’18, June 13-15, 2018, Indianapolis, IN, USA

• ⟨u .adminRol e = manaдer ; r .type = budдet ; u .depar tment = r .depar tment ; act ion = r ead, PERMIT ⟩
• ⟨u .adminRol e = manaдer ; r .type = budдet ; u .depar tment = r .depar tment ; act ion = appr ove, PERMIT ⟩
• ⟨r .type = schedul e; u .pr oject Led = r .pr oject ; act ion = r ead, PERMIT ⟩
• ⟨r .type = budдet ; u .pr oject Led = r .pr oject ; act ion = r ead, PERMIT ⟩
• ⟨r .type = schedul e; u .pr oject Led = r .pr oject ; act ion = wr it e, PERMIT ⟩
• ⟨r .type = budдet ; u .pr oject Led = r .pr oject ; act ion = wr it e, PERMIT ⟩
• ⟨r .type = schedul e; u .pr oject = r .pr oject ; act ion = r ead, PERMIT ⟩
• ⟨r .type = t ask ; u .t ask = r .r id; act ion = set St atus, PERMIT ⟩
• ⟨r .type = t ask ; r .pr opr iet ary = f al se; u .pr oject = r .pr oject ; u .exper t ise = r .exper t ise; act ion = r ead, PERMIT ⟩
• ⟨r .type = t ask ; r .pr opr iet ary = f al se; u .pr oject = r .pr oject ; u .exper t ise = r .exper t ise; act ion = r equest, PERMIT ⟩
• ⟨u .is Employee = t r ue; r .type = t ask; u .pr oject = r .pr oject ; u .exper t ise = r .exper t ise; act ion = r ead, PERMIT ⟩
• ⟨u .is Employee = t r ue; r .type = t ask; u .pr oject = r .pr oject ; u .exper t ise = r .exper t ise; act ion = r equest, PERMIT ⟩
• ⟨u .adminRol e = audit or ; r .type = budдet ; u .pr oject = r .pr oject ; act ion = r ead, PERMIT ⟩
• ⟨u .adminRol e = account ant ; r .type = budдet ; u .pr oject = r .pr oject ; act ion = r ead, PERMIT ⟩
• ⟨u .adminRol e = account ant ; r .type = budдet ; u .pr oject = r .pr oject ; act ion = wr it e, PERMIT ⟩
• ⟨u .adminRol e = account ant ; r .type = t ask; u .pr oject = r .pr oject ; act ion = setCost, PERMIT ⟩
• ⟨u .adminRol e = pl anner ; r .type = schedul e; u .pr oject = r .pr oject ; act ion = wr it e, PERMIT ⟩
• ⟨u .adminRol e = pl anner ; r .type = t ask; u .pr oject = r .pr oject ; act ion = set Schedul e, PERMIT ⟩
Table 3: ProjectP policy rules

• ⟨u .adminRol e = manaдer ; u .depar tment = dept 2; r .type = budдet ; act ion = r ead, DENY ⟩
• ⟨u .adminRol e = manaдer ; r .type = budдet ; r .pr oject = pr oj21; act ion = appr ove, DENY ⟩
• ⟨u .adminRol e = pl anner ; u .depar tment = dept 3; u .exper t ise = t est inд; r .type = schedul e; act ion = r ead, DENY ⟩
• ⟨r .type = t ask; r .depar tment = dept 2, DENY ⟩
Table 4: DENY rules in ProjectPN policy. PERMIT rules are the same as in ProjectP (Table 3)

• ⟨r .type = дr adebook; u .cour seT aken = r .cour se; act ion = r eadScor e, PERMIT ⟩
• ⟨r .type = дr adebook; u .cour seT auдht = r .cour se; act ion = r eadScor e, PERMIT ⟩
• ⟨u .posit ion = f acul ty; r .type = дr adebook; u .cour seT auдht = r .cour se; act ion = assiдnGr ade, PERMIT ⟩
• ⟨u .posit ion = student ; r .type = t r anscr ipt ; u .uid = r .student ; act ion = r eadT r anscr ipt, PERMIT ⟩
• ⟨u .posit ion = f acul ty; u .isChair = t r ue; r .type = t r anscr ipt ; u .depar tment = r .depar tment ; act ion = r eadT r anscr ipt, PERMIT ⟩
Table 5: UniversityP policy rules

• ⟨r .type = дr adebook; u .cour seT aken = r .cour se; act ion = r ead MyScor es, PERMIT ⟩
• ⟨r .type = дr adebook; u .cour seT auдht = r .cour se; act ion = addScor e, PERMIT ⟩
• ⟨r .type = дr adebook; u .cour seT auдht = r .cour se; act ion = r eadScor e, PERMIT ⟩
• ⟨u .posit ion = f acul ty; r .type = дr adebook; u .cour seT auдht = r .cour se; act ion = chanдeScor e, PERMIT ⟩
• ⟨u .posit ion = f acul ty; r .type = дr adebook; u .cour seT auдht = r .cour se; act ion = assiдnGr ade, PERMIT ⟩
• ⟨u .isChair = t r ue; r .type = дr adebook; u .depar tment = r .depar tment ; act ion = r eadScor e, PERMIT ⟩
• ⟨r .type = дr adebook; u .cour seT aken = r .cour se; act ion = addScor e, DENY ⟩
• ⟨r .type = дr adebook; u .cour seT aken = r .cour se; act ion = r eadScor e, DENY ⟩
• ⟨r .type = дr adebook; u .cour seT aken = r .cour se; act ion = chanдeScor e, DENY ⟩
• ⟨r .type = дr adebook; u .cour seT aken = r .cour se; act ion = assiдnGr ade, DENY ⟩
• ⟨u .depar tment = r eдist r ar ; r .type = r ost er ; act ion = r ead, PERMIT ⟩
• ⟨u .depar tment = r eдist r ar ; r .type = r ost er ; act ion = wr it e, PERMIT ⟩
• ⟨u .posit ion = f acul ty; r .type = r ost er ; u .cour seT auдht = r .cour se; act ion = r ead, PERMIT ⟩
• ⟨r .type = t r anscr ipt ; u .uid = r .student ; act ion = r ead, PERMIT ⟩
• ⟨u .posit ion = student ; u .depar tment = dept 1; r .type = t r anscr ipt ; act ion = r ead, DENY ⟩
• ⟨u .isChair = t r ue; r .type = t r anscr ipt ; u .depar tment = r .depar tment ; act ion = r ead, PERMIT ⟩
• ⟨u .depar tment = r eдist r ar ; r .type = t r anscr ipt ; act ion = r ead, PERMIT ⟩
• ⟨r .type = appl icat ion; u .uid = r .student ; act ion = checkSt atus, PERMIT ⟩
• ⟨u .depar tment = admissions; r .type = appl icat ion; act ion = r ead, PERMIT ⟩
• ⟨u .depar tment = admissions; r .type = appl icat ion; act ion = set St atus, PERMIT ⟩
• ⟨u .depar tment = admissions; r .type = appl icat ion; r .depar tment = dept 2; act ion = r ead, DENY ⟩
• ⟨u .depar tment = admissions; r .type = appl icat ion; r .depar tment = dept 2; act ion = set St atus, DENY ⟩
Table 6: UniversityPN policy rules

172