Feasibility Analysis of Access Control Policy Mining
Access control enforces who can access what inside a system, allowing only legitimate users to get legitimate access to resources inside the system. To clarify, access control governs resource access based on a variety of criteria, such as user credential verification, environmental conditions, resource characteristics, and so on. To keep up with the fast changing requirements, new "robust and resilient" models in the access control domain are being developed to keep pace with the expanding complexity and innovation of technology, such as ABAC (Attribute-Based Access Control), ReBAC (Relationship-Based Access Control), AReBAC (Attribute-aware ReBAC), etc. When a system is already protected by an established access control model, the "policy mining problem" refers to the process of automating or at least partially automating the conversion to another model. To migrate to another target access control system, policy mining generally requires the existing source access control model and additional information. Policy mining tasks are frequently guided by a set of assumptions, such as the target access control system must have the identical set of users, resources and authorizations. Our investigation begins in pursuit of the feasibility of access control policy mining under specific assumptions, which is essentially an in-depth examination of various types of policy mining issues. This dissertation investigates feasibility analysis of access control policy mining for variety of source and target access control models, develops algorithms to find the feasibility, resolves the cases of infeasibility, and demonstrates effectiveness of the developed approaches through mathematical proofs and implementation. The first step towards feasibility analysis begins with ABAC policy mining, where the source access control system was Enumerated Authorization System (EAS). Using the limitations of the state-of-the-art ABAC policy mining approaches, it first develops the concept of feasibility in ABAC policy mining, formally named as ABAC RuleSet Existence Problem. Furthermore, the concept of feasibility in ABAC policy mining was extended while source access control model is Role Based Access Control (RBAC) system as well. Besides, for both cases, infeasibility solution algorithms are proposed and unrepresented partition problem is also discussed. Feasibility of ReBAC policy mining was explored in the second step. Similar to the first step, feasibility problem in ReBAC policy mining is defined and formulated as ReBAC RuleSet Existence Problem. In addition, different versions of ReBAC RuleSet Existence Problem are introduced. Infeasibility solution, and significant directions for future enhancement are noted. Significant example cases are included to demonstrate the effectiveness of the proposed approach. Although feasibility analysis of ABAC and ReBAC policy mining provide an insightful study, however, the combination of both, Attribute-aware ReBAC increases the expressiveness and flexibility. Attribute-aware ReBAC RuleSet Existence Problem is introduced in this context, analyzed and feasibility as well as infeasibility algorithms are provided with associated proofs. One important contribution here is: the notion of approximate solutions in the case of infeasibility is briefly mentioned. Later, significant example cases are discussed with future directions. As the final step, this dissertation introduces a novel concept of extending the concept the feasibility analysis of ABAC and ReBAC policy mining, formally named as Extended ABAC and ReBAC RuleSet Existence Problem, EAREP and ERREP in short, respectively. Initially, the motivation and objective of defining these problems are demonstrated with example. Later, infeasibility solution and associated pros and cons are discussed briefly. Finally, the dissertation work is concluded with significant directions for future extensions.