Recently, attribute-based access control (ABAC) has received increasingly more attention and has emerged as the desired access control mechanism for many organizations because of its flexibility and scalability for authorization management, as well as its security policies, such as separation-of-duty constraints and mutually exclusive constraints. Policy-engineering technology is an effective approach for the construction of ABAC systems. However, most conventional methods lack interpretability, and their constructing processes are complex. Furthermore, they do not consider the separation-of-duty constraints. To address these issues in ABAC, this paper proposes a novel method called policy engineering optimization with visual representation and separation of duty constraints (PEO_VR&SOD). First, to enhance interpretability while mining a minimal set of rules, we use the visual technique with Hamming distance to reduce the policy mining scale and present a policy mining algorithm. Second, to verify whether the separation of duty constraints can be satisfied in a constructed policy engineering system, we use the method of SAT-based model counting to reduce the constraints and construct mutually exclusive constraints to implicitly enforce the given separation of duty constraints. The experiments demonstrate the efficiency and effectiveness of the proposed method and show encouraging results.
This is an open access article distributed under the Creative Commons Attribution License
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited