Policy-Engineering Optimization with Visual Representation and Separation-of-Duty Constraints in Attribute-Based Access Control

Abstract

Recently, attribute-based access control (ABAC) has received increasingly more attention and has emerged as the desired access control mechanism for many organizations because of its flexibility and scalability for authorization management, as well as its security policies, such as separation-of-duty constraints and mutually exclusive constraints. Policy-engineering technology is an effective approach for the construction of ABAC systems. However, most conventional methods lack interpretability, and their constructing processes are complex. Furthermore, they do not consider the separation-of-duty constraints. To address these issues in ABAC, this paper proposes a novel method called policy engineering optimization with visual representation and separation of duty constraints (PEO_VR&SOD). First, to enhance interpretability while mining a minimal set of rules, we use the visual technique with Hamming distance to reduce the policy mining scale and present a policy mining algorithm. Second, to verify whether the separation of duty constraints can be satisfied in a constructed policy engineering system, we use the method of SAT-based model counting to reduce the constraints and construct mutually exclusive constraints to implicitly enforce the given separation of duty constraints. The experiments demonstrate the efficiency and effectiveness of the proposed method and show encouraging results.

1. Introduction

With the rapid development and comprehensive application of network information technology, there is a large amount of storage required and many exchanges in large-scale and complex information-management systems [1]. Organizations adopt access control mechanisms to ensure the system security, and the role-based access control (RBAC) mechanism has been the main standard for most organizations over the last three decades. However, there is only one role attribute in RBAC systems on which users and objects can depend. The RBAC mechanism is identity-dependent and lacks flexibility, particularly in large-scale collaborative environments. As an alternative, attribute-based access control (ABAC) has been developed recently. In ABAC, a request for accessing any resource is permitted or denied based on the attributes assigned to the requesting user, the attributes assigned to the requested object, the environment condition where the request is made, and an authorization policy [2]. An ABAC policy is a set of authorization rules that includes various combinations of attribute-value pairs of users, objects, and environments, as well as operating privileges. If a user makes a request to access an object, an authorization rule to satisfy the access request is sought. Its flexibility, scalability, and identity-less properties overcome the limitations of RBAC, and make ABAC very attractive for use in collaborative systems like cloud computing and the internet of things [3]. For the successful implementations of ABAC mechanisms in commercial organizations, the identification of a suitable set of authorization rules and the construction of a good ABAC system are critical tasks. This process, known as policy engineering [4,5], is regarded as one of the most difficult and costliest components for implementing the ABAC mechanism. Similar to role engineering in RBAC, there are also two main approaches for constructing policy-engineering systems: top-down [6] and bottom-up [7,8,9]. For the former, rules are specified by precisely evaluating and splitting the business processes into smaller independent units that are then associated with access permissions. However, this approach can ignore the existing access modes in the organization and is also time-consuming, labor-intensive, and error prone. For the latter, rules are derived from existing access permissions, and the architectural structure of ABAC can be automatically constructed. The bottom-up approach, also called policy mining, has gained much interest and considerable popularity in the last few years.

The policy-mining problem in ABAC involves discovering a suitable ABAC policy from a traditional access control mode, such that the access authorizations covered by the policy are consistent with the traditional access permissions. Xu and Stoller [10] first proposed a well-known bottom-up mining approach (simply represented as Xu-Stoller) and derived an ABAC policy from access control lists and the corresponding attribute data. Das et al. [11] considered that the policy-engineering problem in ABAC and the role-engineering problem in RBAC are similar and equally important for the construction of the corresponding access control models and presented a detailed survey of the two techniques. Actually, to enhance the interpretability of policy mining, it is necessary to cluster users, objects, or environments with the same attribute properties, similar to the clustering of users or permissions in the role-mining problem. However, due to the diversity of the attribute properties of entities and the variability of accesses, the mining scale is large and complex using conventional policy-mining methods.

A key characteristic of ABAC is that it allows the specification and enforcement of various types of constraints, such as the separation-of-duty (SOD) constraints, cardinality constraints, binding-of-duty (BOD) constraints, and user-capability (UC) constraints, which are irrelevant to the access control mechanism implemented in the system and can reflect the different security requirements of organizations and ensure the security of ABAC systems [12]. As a significant security policy discussed in this paper, the SOD constraint prevents an individual from performing all the steps involved in an important task, as a single user is more likely to abuse his or her privileges, while multiple users can supervise with each other while performing a task. Typically, a k-n SOD constraint requires that at least k users complete a special task that requires n-many operating permissions [13] and has been widely used in the banking industry and in military systems. However, none of the conventional policy-engineering methods consider the SOD constraint. Moreover, although mutually exclusive authorization rules (MEAR) constraints have been used to enforce a given separation of authorization rules (SOAR) constraint in an existing ABAC system [13], a SOAR constraint takes the form of authorization rules as its input, while an SOD constraint takes the form of access tuples. Therefore, it is necessary to convert the access tuples into authorization rules to facilitate the enforcement of the SOD constraints, which is also an interesting issue.

To address the above issues, this paper proposes a novel method called policy-engineering optimization with visual representation and separation-of-duty constraints (PEO_VR&SOD). In summary, the main contributions of this work are as follows:

(1)

To reduce the mining scale and enhance the interpretability of policy mining, we use the visual technique with Hamming distance to rearrange, portray, and partition an original authorization matrix and discover a minimal set of authorization rules from rearranged submatrices. We present a policy mining algorithm and compare its performance to the existing methods.

(2)

To verify whether SOD constraints can be satisfied in a constructed policy engineering system, we convert the SOD constraints into SOAR constraints using the method of SAT-based model counting. We construct MEAR constraints from the SOAR constraints to implicitly enforce the given SOD constraints and evaluate the performance of the PEO_VR&SOD.

The rest of the paper is organized as follows. We discuss the related work in Section 2 and present some preliminaries that are discussed in the following sections in Section 3. Section 4 proposes a novel method for policy engineering optimization, which involves two aspects: (1) policy mining with visual representation and (2) policy optimization with separation of duty constraints. We present experimental evaluations and compare their performance with existing studies in Section 5. Section 6 concludes the paper and discusses future work.

2. Related Work

2.1. Research on Policy Engineering in ABAC

Various methods have been proposed for ABAC policy engineering. Depending on whether minimizing the number of mining rules is considered an optimized objective, existing studies mainly fall into the following two categories: general policy engineering and optimized policy engineering.

To avoid the potential risks of permitting unauthorized accesses, Krautsevich et al. [14] presented a risk based ABAC policy engineering problem that assessed the potential risk for each possible access while minimizing the total risk in the ABAC system. Biswas et al. [15] proposed a label based ABAC model using the method of enumeration for the construction of ABAC policies, each of which included only one user attribute and one object attribute. Narouei et al. [6] proposed a top-down ABAC policy engineering framework using a deep recurrent neural network, which derived authorization rules from unrestricted natural language documents. Iyer et al. [16] presented a novel method for ABAC policy mining to construct positive and negative authorization rules. Das et al. [17] proposed a hybrid approach for policy engineering in ABAC, which first used a top-down approach and then used a bottom-up approach to construct authorization rules. Although existing approaches are capable of constructing ABAC policies, the number of attribute-value pairs in any constructed rule is also critical. The time needed for access decisions increases with an increasing number of attribute-value pairs included in any rule. To improve the efficiency of the mining process, Gautam et al. [18] regarded the number of attributes included in any rule as a weight and presented a constrained policy mining algorithm in ABAC that constructed a set of authorization rules from an access control matrix, such that the weight of each rule was less than a specified value, and the sum of the total weights of the rules was minimized.

To discover an optimal set of ABAC rules from conventional access modes, Das et al. [19] presented an ABAC policy mining algorithm that included environmental attributes that used the Gini impurity to form an ABAC policy while minimizing the number of rules. Talukdar et al. [20] showed that the policy-mining problem is equivalent to identifying a set of functional dependencies in relational databases. The authors first proposed an ABAC policy mining algorithm called ABAC-FDM. Although this algorithm identified all the potential rules, the complexity of the algorithm was exponential. As an alternative, the authors next proposed another more efficient mining algorithm called ABAC-SRM, which discovered a suitable and minimal set of rules from candidate rules. To obtain a minimal set of ABAC rules in multi-cloud collaborations, John et al. [21] defined a cross-domain rule-mining problem called CDRMP that was proven to be NP hard and provided a heuristic solution. They also defined a cross-domain rule-mining problem with access relaxations under dynamic collaborations [22] called β-CDRMP and DCDRMP and presented the heuristic solutions for mining minimal sets of authorization rules. Besides mining positive rules in the cross domain, John et al. [23] considered the mining of negative rules from a given set of multi-cloud access requests, thereby defining a novel problem called CDRMP-H, and presented a solution to further reduce the number of mining rules, including the positive and the negative.

2.2. Research on Constraints in ABAC

Various studies have focused on specifying constraints in ABAC systems. Jin et al. [24] proposed a unified model called ABACα that could configure three classical models. They also presented a policy specification language that specified constraints on attribute-assignment relationships. Bijon et al. [25] proposed an attribute-based constraint specification language (ABCL) for specifying a variety of constraints. The ABCL was used to specify constraints on a single attribute or on multiple attributes of a particular entity. Although the constraints in ABACα were event-dependent, the constraints in ABCL were uniformly enforced no matter which attribute assignment was changed. Helil et al. [26] first examined the potential relationships between subjects and objects and then proposed an attribute-based access control constraint based on subject similarity. Jha et al. [27] presented a specification and verification of the SoD constraints in ABAC systems, analyzed the complexity of enforcing the SOD constraints and proposed an approach for solving them. Roy et al. [12] presented an employee replacement problem (ERP) in ABAC, in which the SOD constraints, BOD constraints, and UC constraints were simultaneously taken into consideration. The authors also provided a solution for verifying whether a particular subset of users in an ABAC system could be replaced with a smaller set of users while satisfying different types of constraints. Additionally, Alohaly et al. [28] proposed an automated framework to extract the ABAC constraints from natural language policies.

2.3. Research on Visual Representation for Access Information

Several techniques have been proposed for the visual representation of access information in a matrix form. To reduce the complexity of role-mining problems, Colantonio et al. [29] divided the user-permission-assignment dataset into several subsets and proposed a visual method for role mining. To reduce the mining scale, Verde et al. [30] converted role mining into a clustering problem, which compressed the division into a single sample, visually extracted similar features from multiple divisions, and ensured the integrity of the mining results. To facilitate the visual elucidation of access control matrices, Das et al. [31] introduced a novel method called visual mining of ABAC polices (VisMAP), which derived rules from the visual representation for a given authorization matrix while minimizing the number of rules. To enhance interpretability of the role-mining process, a novel method for role optimization is proposed in our work [1], which uses partitioning and compressing technologies to validate the accuracy of the method. Zheng et al. [32] provided a concrete example to visually specify ABAC rules and proposed a novel approach for detecting conflicts by transforming rules into a set of binary sequences.

2.4. Characteristics of Our Work

Two main limitations are apparent in the existing studies. The first limitation is that the policy mining scale is very large, and the mining process itself is confusing, complex, and lacks interpretability. The second limitation is that most existing policy engineering methods do not consider the SOD constraints, though various studies on different types of constraints in ABAC have been developed and assume that ABAC systems already exist in advance. However, in many cases, the systems are completely unknown and need to be constructed. Hence, in this work, we propose a novel policy engineering method (PEO_VR&SOD) with two main characteristics: (1) Visual representation technique with Hamming distance is used to reduce the policy-mining scale and enhance interpretability, and (2) the enforcement of SOD constraints is taken into consideration in the policy optimization. We also compare the performance of the PEO_VR&SOD with that of the existing methods through experiments.

3. Preliminaries

3.1. Basic Components of ABAC

According to the NIST standard for ABAC systems [33], we present the basic components of ABAC as follows:

(1)

U represents a finite set of requesting users. Each element of the set is denoted as u_i, where 1 ≤ i ≤ |U|.

(2)

O represents a finite set of requested objects. Each element of the set is denoted as o_i, where 1 ≤ i ≤ |O|.

(3)

OP represents a finite set of the operations allowed to be performed on the objects in an ABAC system. Each element of the set is denoted as op_i, where 1 ≤ i ≤ |OP|. For instance, if there are only two operations allowed in a system: read and write, then we represent OP = {read, write}.

(4)

E represents a finite set of environments in which authorizations are made, such as time and locations. These authorizations are independent of users and objects. Each element of the set is denoted as e_i, where 1 ≤ i ≤ |E|.

(5)

UA represents a finite set of attribute names of users. Each element of the set is denoted as ua_i, where 1 ≤ i ≤ |UA|. User attribute ua_i can associate several values. If we use $Va{l}_{u{a}_i}$ to represent the one-to-many mapping of ua_i onto a set of attribute values, it can be formalized as:

$$\forall u{a}_i\in UA:Va{l}_{u{a}_i}=\{val{}_{ij}{}^u|1\le j\le n_i^u,n_i^u\in Z^{+}\}\cup \left\{null\right\},$$

(1)

where null indicates that the corresponding attribute values of the user is unknown or uncertain. For instance, user attribute Role in a hospital can take values of Doctor, Nurse, and Patient, and then we represent Val_Role = {Doctor, Nurse, Patient}.

(6)

UAV represents a finite set of all the possible attribute name–value pairs of users. Each element of the set is denoted in the form of the equality ua_i = x_i, where ua_i ∊ UA, x_i ∊ $Va{l}_{u{a}_i}$. For instance, if there are two attributes of users: Role and Specialty, where Role can take values of Doctor, Nurse and Patient, and Specialty can take values of Cardiology, Medicine, and Pediatrics, then UAV is represented as: {Role = Doctor, Role = Nurse, Role = Patient, Specialty = Cardiology, Specialty = Medicine, Specialty = Pediatrics}.

(7)

UUAV ⊆ U × UAV represents a many-to-many assignment of users to their attribute name-value pairs. It can be formalized as:

$$UUAV=\{(u_k:u{a}_1=x_1,u{a}_2=x_2,\dots ,u{a}_i=x_i,\dots )|u_k\in U,(u{a}_i=x_i)\in UAV\}.$$

(2)

(8)

OA represents a finite set of attribute names of objects. Each element of the set is denoted as oa_i, where 1 ≤ i ≤ |OA|. The object attribute oa_i is also associated with several values. If we use $Va{l}_{o{a}_i}$ to represent the one-to-many mapping of oa_i onto a set of attribute values, it can be formalized as:

$$\forall o{a}_i\in OA:Va{l}_{o{a}_i}=\{val{}_{ij}{}^o|1\le j\le n_i^o,n_i^o\in Z^{+}\}\cup \left\{null\right\}$$

(3)

where null indicates that the corresponding attribute values of the object is unknown or uncertain. For instance, object attribute Department in a hospital can take values of Cardiology, Dermatology, and Gynecology, and then we represent Val_Department = {Cardiology, Dermatology, Gynecology}.

(9)

OAV represents a finite set of all the possible attribute name-value pairs of objects. Each element of the set is denoted in the form of the equality oa_i = y_i, where oa_i ∊ OA, y_i ∊ $Va{l}_{o{a}_i}$. For instance, if there are two attributes of objects: Department and RecordOf, where Department can take values of Cardiology, Dermatology, and Gynecology, and RecordOf can take values of Doctor, Nurse, Patient, and Staff, then OAV is represented as: {Department = Cardiology, Department = Dermatology, Department = Gynecology, RecordOf = Doctor, RecordOf = Nurse, RecordOf = Patient, RecordOf = Staff}.

(10)

OOAV ⊆ O × OAV represents a many-to-many assignment of objects to their attribute name–value pairs. It can be formalized as:

$$OOAV=\{(o_k:o{a}_1=y_1,o{a}_2=y_2,\dots ,o{a}_i=y_i,\dots )|o_k\in O,(o{a}_i=y_i)\in OAV\}.$$

(4)

For the sake of brevity, we assume that environments are irrelevant to policy engineering in an ABAC system and thus do not consider the environmental factors in this paper.

3.2. Basic Policy-Mining Problem in ABAC

Besides the basic components of ABAC, the other components involved in traditional ABAC policy mining [20] can be presented as follows:

(1)

A represents a set of all possible authorizations that occur in an ABAC system. Each element of the set is represented as a = <u,o,op>, which allows user u to perform operation op on object o, where u ∊ U, o ∊ O, op ∊ OP.

(2)

P represents an ABAC policy, which is also referred to as a set of authorization rules AR. Each element ar in AR is denoted in a 3-tuple form <UAV’,OAV’,OP’>, where UAV’ ⊆ UAV, OAV’ ⊆ OAV, OP’ ⊆ OP.

For the sake of simplicity, assume that any rule ar comprises only one operation, and ar is simply represented as <UAV’, OAV’, op>. Figure 1 presents the factors influencing the access decisions in ABAC, where single arrow heads represent which factors influence the access decisions and double arrow heads represent the one-to-many or many-to-many mappings between these influencing factors and other components of ABAC.

The basic ABAC policy-mining problem [21,22,23], in terms of the above elements, states that, given a set of authorizations A = {a₁,a₂,…}, a mapping list UUAV and a mapping list OOAV must find a set AR of authorization rules that can cover all the authorizations in A. Specifically, for any authorization a = <u,o,op>, user u can perform operation op on object o if and only if some combination of several attribute–value pairs of u in the UUAV, as well as those of o in the OOAV, can match a rule with op in AR. Furthermore, the number of mining rules is minimized.

3.3. Enforcement of SOD Constraints in ABAC

The SOD constraint includes static SOD and dynamic SOD. In this paper, we only consider the former, as we do not deal with environmental attributes, such as time and locations, and instead simply such attributes as SOD. The k-n SOD constraint [13] is expressed as sod < {t₁, t₂, …, t_i…, t_n}, k >, where n and k are integers, such that 2 ≤ k ≤ n. Each t_i is an access permission that is represented as a 2-tuple form (op, o), where op ∊ OP, o ∊ O. We represent the set of such sod constraints as ω = {sod₁, sod₂,…}.

To cover all the access tuples in a k-n SOD constraint, the authorization rules can be used as a substitute for the tuple. Similar to the k-n SOD constraint, the k-n SOAR constraint [13] is expressed as soar < {ar₁, ar₂, … ar_n}, k>, where each ar_i is an authorization rule, and n and k are integers, such that 2 ≤ k ≤ n. We represent the set of such soar constraints as ξ = {soar₁, soar₂, …}.

MEAR constraints can be used to enforce SOAR constraints. The t-m MEAR constraint mear < {ar₁, ar₂, … ar_m}, t > [13] conveys that, for the given m rules ar₁, ar₂, … ar_m in an ABAC system, no user is allowed to have t or more of these m rules, where each ar_i is an authorization rule, and m and t are integers, such that 2 ≤ t ≤ m. We represent the set of such mear constraints as ψ = {mear₁, mear₂, …}.

3.4. Hamming Distance

Since the authorization list for some operations is a Boolean matrix, each row (or each column) can be regarded as a binary vector of the same length. The well-known Hamming distance [34], which is widely used to measure the distance between two different equal-length vectors, can identify clusters of the same (or similar) use–object pairs. Hamming distance states that, given two equal-length Boolean vectors x and y, the Hamming distance between x and y, denoted as Dis(x, y), is the number of positions where the vectors take different values for the same column position.

For instance, given two row vectors, x = “100110” and y = “110011”, Dis(x, y) = 3. Clearly, the distance between any two rows in A_op increases with an increasing number of column positions that take different values.

3.5. SAT-Based Model Counting

The well-known SAT solver [35,36] is commonly used to solve the model counting problem. An instance of the SAT-based model counting problem is a Boolean formula made up of different clauses. Each clause is a disjunctive or conjunctive form of Boolean variables. A Boolean formula, which can be expressed using the conjunction or disjunction of different clauses, is categorized into the conjunctive normal form (CNF) and the disjunctive normal form (DNF). Clearly, there are different truth assignments for a Boolean formula. Essentially, the model counting problem is to find truth assignments for a specific Boolean formula.

4. Proposed Method

In this section, we propose a novel method called PEO_VR&SOD, which includes two aspects: (1) ABAC policy mining with visual representation and (2) policy optimization with separation-of-duty constraints. Its flow chart is presented in Figure 2.

As shown in the figure, to reduce the mining scale and enhance the interpretability of policy mining, we adopt the visual technique with Hamming distance to rearrange, portray and partition an original authorization matrix, and discover a minimal set of authorization rules from rearranged submatrices. Subsequently, we utilize the method of SAT-based model counting to verify whether the separation of duty constraints can be satisfied in the constructed ABAC system.

4.1. Policy Mining with Visual Representation

4.1.1. Preprocessing

First, we present the definitions of the matrix representations for UUAV and OOAV, respectively.

Definition 1.

(UUA) Represents the Boolean matrix form corresponding to a given UUAV. It can be represented as follows:

$$UUA[i][j]=\{\begin{array}{l}1,if\begin{array}{c}\end{array}user\begin{array}{c}\end{array}{u}_i\begin{array}{c}\end{array}has\begin{array}{c}\end{array}the\begin{array}{c}\end{array}attribute\begin{array}{c}\end{array}value\begin{array}{c}\end{array}in\begin{array}{c}\end{array}the\begin{array}{c}\end{array}{j}^{th}column\\ 0,otherwise\begin{array}{cccc}\begin{array}{cc}\begin{array}{cc}\begin{array}{cc}\begin{array}{cc}& \end{array}& \end{array}& \end{array}& \end{array}& & & \end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\begin{array}{c}\end{array}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\end{array}.$$

(5)

Definition 2.

(OOA) Represents the Boolean matrix form corresponding to a given OOAV. It can be represented as follows:

$$OOA[i][j]=\{\begin{array}{l}1,if\begin{array}{c}\end{array}object{\mathrm{o}}_i\begin{array}{c}\end{array}has\begin{array}{c}\end{array}the\begin{array}{c}\end{array}attribute\begin{array}{c}\end{array}value\begin{array}{c}\end{array}in\begin{array}{c}\end{array}the\begin{array}{c}\end{array}{j}^{th}column\\ 0,otherwise\begin{array}{cccc}\begin{array}{cc}\begin{array}{cc}\begin{array}{cc}\begin{array}{cc}& \end{array}& \end{array}& \end{array}& \end{array}& & & \end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\begin{array}{c}\end{array}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\end{array}.$$

(6)

To satisfy basic policy mining, we construct an extensive users-objects-operations relationship for a given set of authorizations A. This relationship can be equivalently denoted as a constructed matrix UOP^A, which is a generalized Cartesian product of the matrix UUA^A and the matrix OOA^A for the requesting users and requested objects, respectively. The rows of UOP^A correspond to all the possible user–object pairs, and the columns correspond to the attribute-value pairs of the users and objects, as well as the operations in A.

Example 1.

Given an authorization list A, a matrix UUA^A of the attribute value assignments for users, and a matrix OOA^A of the attribute value assignments for objects in

Table 1. Authorization list A.

User	Object	Operation
u1	o1	op1
u2	o1	op1
u2	o1	op2
u3	o2	op1
u3	o2	op2
u4	o2	op1

,

Table 2. Matrix UUA^A.

User	uav1	uav2	uav3	uav4
u1	0	1	1	0
u2	1	0	1	0
u3	1	0	0	1
u4	0	1	0	1

and

Table 3. Matrix OOA^A.

Object	oav1	oav2	oav3
o1	1	0	1
o2	0	1	1

, respectively, then, the matrix UOP^A can be constructed as in

Table 4. Matrix UOP^A.

User-Object	uav1	uav2	uav3	uav4	oav1	oav2	oav3	op1	op2
u1-o1	0	1	1	0	1	0	1	1	0
u2-o1	1	0	1	0	1	0	1	1	1
u3-o1	1	0	0	1	1	0	1	0	0
u4-o1	0	1	0	1	1	0	1	0	0
u1-o2	0	1	1	0	0	1	1	0	0
u2-o2	1	0	1	0	0	1	1	0	0
u3-o2	1	0	0	1	0	1	1	1	1
u4-o2	0	1	0	1	0	1	1	1	0

, where the notations uav and oav represent the attribute values of users and objects, respectively.

To mine suitable authorization rules from the constructed matrix UOP, we need to find the attribute–value pairs for users and objects, such that the values of their corresponding cells in one row are 1, as is the value of the operation cell. Meanwhile, there is not any row where the value of the operation cell is 0 while retaining the values of the cells as 1 for the same attribute-value pairs. The various combinations of different attribute-value pairs that meet the requirements are referred to as the ABAC authorization rules, the number of which needs to be minimum.

In other words, our method involves finding the minimal set of rules from the UOP that can cover all the rows with the operation columns having values of 1. Meanwhile, the different attribute-value pairs in the set do not present in any row with the operation column containing a value of 0.

To find a suitable and minimal set of rules, we present two guiding principles as follows:

(1)

Principle 1: Assume that k₁ and k₂ are two different combinations of attribute-value pairs included in rules ar₁ and ar₂, respectively. If k₁ ⊆ k₂ (that is, the number of attribute-value pairs in k₂ is greater than that in k₁), then the authorizations covered by k₂ can also be covered by k₁; moreover, k₂ is more restricted than k₁. The authorizations covered by rule ar increase in number as the number of attribute-value pairs in ar decreases. Thus, we should choose short-length rules for the number of attribute-value pairs in any rule.

(2)

Principle 2: To discover a minimal set of rules while ensuring a short length in any rule, we decompose the UOP into two submatrices that consist of operation columns with values of 1 and 0. We denote these columns as UOP_op=1 and UOP_op=0 and sort UOP_op=1 in ascending order according to the number of values of 1 in any row. We attempt to mine rules to cover all the authorizations corresponding to UOP_op=1.

However, the constructed UOP becomes much more confusing and complex as the number of user–object pairs increases. In other words, it is difficult to analyze and identify the authorization rules from such a representation. Therefore, we need to find an alternative for the list of authorizations to further facilitate policy mining while making the authorization representation more visually appealing and understandable.

4.1.2. Visual Representation for Authorizations

Definition 3.

(A_op) Represents the Boolean matrix form for a list of authorizations A with operation op, where the rows correspond to users, and the columns correspond to objects. This can be represented as follows:

$$A_{op}[i][j]=\{\begin{array}{l}1,if\begin{array}{c}\end{array}{u}_i\begin{array}{c}\end{array}is\begin{array}{c}\end{array}allowed\begin{array}{c}\end{array}to\begin{array}{c}\end{array}perform\begin{array}{c}\end{array}op\begin{array}{c}\end{array}on\begin{array}{c}\end{array}{o}_j\\ 0,otherwise\begin{array}{cccc}\begin{array}{cc}\begin{array}{cc}\begin{array}{cc}\begin{array}{cc}& \end{array}& \end{array}& \end{array}& \end{array}& & & \end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\begin{array}{c}\end{array}\end{array}.$$

(7)

Example 2.

An illustrative ABAC authorization matrix A_op is shown in

Table 5. Original matrix A_op.

	o1	o2	o3	o4	o5	o6	o7	o8	o9	o10
u1	1	1								1
u2	1	1								1
u3			1	1			1	1
u4			1	1			1	1
u5	1					1
u6	1	1								1
u7	1					1
u8			1	1			1	1
u9			1	1			1	1
u10	1	1								1

, which includes 10 users and 10 objects. An equivalently rearranged matrix A_op’ is presented in

Table 6. Rearranged matrix A_op’.

	o5	o9	o3	o4	o7	o8	o6	o1	o2	o10
u8			1	1	1	1
u9			1	1	1	1
u3			1	1	1	1
u4			1	1	1	1
u5							1	1
u7							1	1
u1								1	1	1
u2								1	1	1
u6								1	1	1
u10								1	1	1

. We only mark the cells whose values are 1 for an intuitive representation. Obviously, it is more convenient to analyze and handle A_op’, which provides a motivation for functionally representing A_op.

To visually represent the authorization matrix, we use the Hamming distance to rearrange it as defined below.

Definition 4.

(Visual representation problem for authorizations) Given an authorization matrix A_op, and a Hamming distance list D between any two rows of A_op, find a rearranged matrix A_op’ such that: (1) The sum of distances between the adjacent rows of A_op’ is minimum, and (2) the submatrices {s₁, s₂, …} are intuitively included in A_op’ while covering all the cells with values of 1, which can be formalized as follows:

$$\{\begin{array}{c}\min ({\displaystyle \sum _{i}Dis({A_{op}}^{\prime }[i],{A_{op}}^{\prime }[i+1])}),\forall Dis({A_{op}}^{\prime }[i],{A_{op}}^{\prime }[i+1])\in D\\ {A_{op}}^{\prime }[i^{\prime }][j^{\prime }]=1,\forall s_k\in \{s_1,s_2,\dots \}\begin{array}{c}\end{array}included\begin{array}{c}\end{array}in\begin{array}{c}\end{array}{A_{op}}^{\prime },\forall {A_{op}}^{\prime }[i^{\prime }][j^{\prime }]\begin{array}{c}\end{array}in\begin{array}{c}\end{array}{s}_k\end{array}.$$

(8)

According to Definition 5, we present the process of matrix rearrangement in Algorithm 1.

Algorithm 1 Matrix rearrangement

Input: original matrix Aop Output: rearranged matrix Aop’ 1. Initialize Aop’ = Aop; 2. Represent Aop’ as a list of row vectors: Aop’[1], Aop’[2], …; 3. Identify matrix Dr of the Hamming distances between any two row vectors such that ∀i,j: Dr[i][j] = Dis(Aop’[i], Aop’[j]); 4. for each Aop’[i] in Aop’ do 5. if (∃Aop’[j]: Dr[i][j] < Dr[i][i + 1]) then 6.  swap(Aop’[i + 1], Aop’[j]); 7. end if 8. end for

The distance matrix D_r for the original matrix in Table 5 is shown in

Table 7. Distance matrix D_r.

	Aop’[1]	Aop’[2]	Aop’[3]	Aop’[4]	Aop’[5]	Aop’[6]	Aop’[7]	Aop’[8]	Aop’[9]	Aop’[10]
Aop’[1]	0	0	7	7	3	0	3	7	7	0
Aop’[2]	0	0	7	7	3	0	3	7	7	0
Aop’[3]	7	7	0	0	6	7	6	0	0	7
Aop’[4]	7	7	0	0	6	7	6	0	0	7
Aop’[5]	3	3	6	6	0	3	0	6	6	3
Aop’[6]	0	0	7	7	3	0	3	7	7	0
Aop’[7]	3	3	6	6	0	3	0	6	6	3
Aop’[8]	7	7	0	0	6	7	6	0	0	7
Aop’[9]	7	7	0	0	6	7	6	0	0	7
Aop’[10]	0	0	7	7	3	0	3	7	7	0

, where both the rows and columns correspond to the row vectors, and the values of cells are the Hamming distances between any two rows. According to Algorithm 1, the same (or similar) row vectors are clustered by choosing the minimal distances. Similarly, we can also rearrange A_op’ to cluster the same (or similar) column vectors. These clusters of rows and columns then form a submatrix, and several such submatrices together cover all the cells of A_op where A_op[i][j] = 1. Specifically, since D_r [10][1] = D_r[10][2] = D_r[10][6] = 0, we can swap row vector A_op’[1] with A_op’[8], A_op’[2] with A_op’[9], and A_op’[6] with A_op’[7], respectively, and the result in step 1 is shown in

Table 8. Step 1 for rearrangement.

	o1	o2	o3	o4	o5	o6	o7	o8	o9	o10
u8			1	1			1	1
u9			1	1			1	1
u3			1	1			1	1
u4			1	1			1	1
u5	1					1
u7	1					1
u6	1	1								1
u1	1	1								1
u2	1	1								1
u10	1	1								1

, which clusters the same row vectors together, such as {A_op’[6], A_op’[1], A_op’[2], A_op’[10]}, {A_op’[5], A_op’[7]}, and {A_op’[8], A_op’[9], A_op’[3], A_op’[4]}. Subsequently, we implement the rearrangement towards the column vectors. Since D_c[4][7] = D_c[4][8] = 0, we swap the corresponding columns in step 2, and the result is shown in

Table 9. Step 2 for rearrangement.

	o1	o2	o3	o4	o8	o7	o6	o5	o9	o10
u8			1	1	1	1
u9			1	1	1	1
u3			1	1	1	1
u4			1	1	1	1
u5	1						1
u7	1						1
u6	1	1								1
u1	1	1								1
u2	1	1								1
u10	1	1								1

. Similarly, we swap the second column with the ninth column in step 3, and the result is shown in

Table 10. Step 3 for rearrangement.

	o1	o9	o3	o4	o7	o8	o6	o5	o2	o10
u8			1	1	1	1
u9			1	1	1	1
u3			1	1	1	1
u4			1	1	1	1
u5	1						1
u7	1						1
u6	1								1	1
u1	1								1	1
u2	1								1	1
u10	1								1	1

. According to the minimal distances between the adjacent columns, we swap the first column with the eighth column in step 4, and the result is shown in

Table 11. Step 4 for rearrangement.

	o5	o9	o3	o4	o8	o7	o6	o1	o2	o10
u8			1	1	1	1
u9			1	1	1	1
u3			1	1	1	1
u4			1	1	1	1
u5							1	1
u7							1	1
u6								1	1	1
u1								1	1	1
u2								1	1	1
u10								1	1	1

, which is consistent with the visual representation in Table 6.

4.1.3. Policy Mining

In this subsection, we take the rearranged authorization matrix A_op’ and the matrices UUA and OOA as inputs and present the process of policy mining in Algorithm 2.

Algorithm 2 Policy mining

Input: rearranged matrix Aop’, matrices UUA and OOA Output: set AR of authorization rules 1. Identify the number of visual submatrices in Aop’ as k; 2. Based on the visual submatrices, separate Aop’ into n partitions: Aop’1, Aop’2, …, and Aop’k. In each partition, the columns correspond to the same set of objects, and the rows correspond to different sets of users; 3. According to k sets of users in different partitions, separate UUA into k partitions: UUA1, UUA2, …, and UUAn; 4. Define and initialize the sets of rules: Initial_rules = ø, Uninitial_rules = ø, Candidate_rules = ø; 5.for each Aop’i in {Aop’1,Aop’2,…,Aop’k} do 6. Construct matrix $UO{P}_{}^{{{A_{op}}^{\prime }}_i}$ using the Cartesian product of the UUAi and OOA, and decompose it into $UO{P}_{op=1}^{{{A_{op}}^{\prime }}_i}$ and $UO{P}_{op=0}^{{{A_{op}}^{\prime }}_i}$; 7. Identify combinations of the different attribute-value pairs present in all rows of $UO{P}_{op=1}^{{{A_{op}}^{\prime }}_i}$ and sort them in ascending order according to the number of attribute-value pairs. Consider them as initial rules and insert them into Initial_rules; 8. Identify the combinations of different attribute-value pairs present in all rows of $UO{P}_{op=0}^{{{A_{op}}^{\prime }}_i}$. Do not consider them as rules and insert them into Uninitial_rules; 9. for each combination of attribute-value pairs ar in Candidate_rules do 10. for each combination of attribute-value pairs ar’ in Initial_rules do 11.   if (ar is not null)∧(ar ⊆ ar’) then 12.    continue;/*authorizations covered by ar’ has been covered by ar*/ 13.   else 14.    if (ar∩ar’) ∉ Uninitial_rules then/*authorizations covered by both ar and ar’ are allowed*/ 15.    Candidate_rules = (Candidate_rules\{ar})∩{ar∩ar’}; 16.    else /*authorizations covered by ar’ are only allowed*/ 17.    Candidate_rules = Candidate_rules∩{ar’}; 18.    end if 19.   end if 20.  end for 21. end for 22. for each rule car in Candidate_rules do 23. for each attribute-value pair a in car do 24.  if (car\{a}) ∉ Uninitial_rules then 25.   car = car\{a}; 26.   end if 27. end for 28. AR = AR∪{car}; 29. end for 30.end for

In Algorithm 2, we first partition the rearranged matrix into k small matrices according to the number of submatrices in Lines 1–3, Line 4 defines three sets of rules, Initial_rules, Uninitial_rules, and Candidate_rules, and initializes them. From Line 5, we start to mine the rules in each submatrix. For each submatrix A_op’_i, we construct $UO{P}_{}^{{{A_{op}}^{\prime }}_i}$ and decompose it into $UO{P}_{op=1}^{{{A_{op}}^{\prime }}_i}$ and $UO{P}_{op=0}^{{{A_{op}}^{\prime }}_i}$ according to Principle 2 in Line 6. We insert all the attribute-value pairs present in $UO{P}_{op=1}^{{{A_{op}}^{\prime }}_i}$ into the set Initial_rules and insert all the attribute-value pairs present in $UO{P}_{op=0}^{{{A_{op}}^{\prime }}_i}$ into the set Uninitial_rules in Lines 7–8. Next, in Lines 9–21, we use double loops for the sets Candidate_rules and Initial_rules to choose the short-length rules that are not present in Uninitial_rules and consider them as candidate rules. To further simplify the rules in set Candidate_rules, we estimate whether the length of any rule (that is, the number of attribute-value pairs) can be reduced in the last few lines. As shown in Table 11, three submatrices (<{u₈,u₉,u₃,u₄}, {o₃,o₄,o₇,o₈}>, <{u₅,u₇}, {o₆,o₁}>, and <{u₁,u₂,u₆,u₁₀}, {o₁,o₂,o₁₀}>), which separate the rearranged matrix into three partitions, are visually appealing. It is more convenient and feasible to derive rules from each small partition, and the detailed mining processes are omitted owing to the limited space.

Computational complexity: Choosing suitable rules mainly depends on the double loops in Lines 9–21 and the estimation operations in Lines 22–29. Assume that the number of submatrices is k and that the number of rows with operation columns containing values of 1 in each submatrix A_op’_i is x; then, the total execution time of the algorithm is O(k × (x² × (|A_op’_I − x|) + x²)), which is influenced by the number of partitions and the size of each submatrix.

4.2. Policy Optimization with Separation-of-Duty Constraints

First, we present three status functions among users, authorization rules, and access tuples of the SOD constraint, defined as follows.

Definition 5.

(Status functions)

(1) 

user_rules_γ(u) represents a set of authorization rules that allows user u to perform operations on objects under the system status γ;

(2) 

tuple_rules_γ(t) represents a set of authorization rules that allows access to tuple t for a given SOD constraint under the system status γ;

(3) 

user_tuples_γ(u) represents a set of tuples of a given SOD constraint that is authorized to user u under the system status γ. It can be formalized as

$$user\_tuple{s}_{\gamma }(u)=\left\{t\right|\exists ar\in user\_rule{s}_{\gamma }(u):ar\in tuple\_rule{s}_{\gamma }(t)\}.$$

(9)

To demonstrate whether the SOD constraints can be satisfied, the different status functions in Definition 6 are used in the following example.

Example 3.

Given a constructed ABAC system status γ, where the rules associated with each user are shown in

Table 12. Sets of different user_rules_γ(u).

User	Rules
u1	{ar1, ar2, ar4, ar5}
u2	{ar3, ar7}
u3	{ar1, ar2, ar4, ar5}
u4	{ar6}

. Consider a set of SOD constraints ω = {sod₁, sod₂}, where sod₁ = <{t₁, t₂, t₃}, 2> and sod₂ = <{t₄, t₅, t₆}, 3>. The rules that are allowed to access any tuple with respect to sod₁ and sod₂ are presented in

Table 13. Sets of different tuple_rules_γ(t) with respect to sod₁.

Tuple	Rules
t1	{ar7}
t2	{ar3}
t3	{ar1,ar2}

and

Table 14. Sets of different tuple_rules_γ(t) with respect to sod₂.

Tuple	Rules
t4	{ar4, ar5, ar6}
t5	{ar3}
t6	{ar1, ar2}

, respectively.

According to sod₁ and Table 13, at least two users are required to collaborate and together have t₁, t₂, and t₃, and all these access tuples can be done using either the rules ar₁, ar_3, and ar₇ or the rules ar₂, ar_3, and ar₇. In other words, no user can own these three rules at the same time. Table 8 shows that sod₁ can be satisfied under γ. Similarly, according to sod₂ and Table 14, any two users cannot own rules ar₁, ar₃, and ar₅ at the same time. Table 12 demonstrates, however, that users u₁ and u₂ can access all the tuples of sod₂ through these three rules. Hence, sod₂ cannot be satisfied under γ. Therefore, immediately enforcing SOD constraints in ABAC systems appears to be intractable.

Reducing the problem of verifying SOD constraints in an ABAC system into the construction of MEAR constraints includes two phases: (1) Converting k-n SOD constraints into k-n SOAR constraints and (2) constructing t-m MEAR constraints from k-n SOAR constraints.

4.2.1. Construction of k-n SOAR Constraints from k-n SOD Constraints

Given a constructed rule set AR and a specific SOD constraint <{t₁, t₂, …, t_n}, k> under system status γ, we convert the input instance (<{t₁, t₂, …, t_n}, k>, AR) into an intermediate form according to the following steps:

Step 1. For each access tuple t_i in the constraint, we identify set tuple_rules_γ(t_i) as a substitute for t_i;

Step 2. Replace rule set AR with a union of different set of rules associated with each tuple in the constraint.

Then, the corresponding intermediate form, which is denoted as CIF, can be represented as CI F =<{S₁, S₂, …S_n}, AR’>, where S_i = tuple_rules_γ(t_i), and $A{R}^{\prime }={\displaystyle \underset{i=1}{\overset{n}{\cup }}{S}_i}\subseteq AR$.

According to the conversion, two conclusions can be made:

(1)

The process of the conversion does not take value k of the constraint into consideration because, for each k’-n SOAR constraint constructed, k’ takes the value of k in the following process of constructions.

(2)

AR’ in CIF does not contain the rules in (AR\AR’) because the rules not in AR’ are not relevant to the construction of the SOAR constraints.

A SAT solver takes the formula in CNF as the input parameter for solving the problem, which can identify the total number of different types of such assignments. For the given intermediate form CIF = <{S₁,S₂,…S_n},AR’>, we next construct a CNF formula F corresponding to CIF through the following steps:

Step 1. For each rule ar_i in AR’, create the corresponding literal variable $\overline{a{r}_i}$;

Step 2. For each S_i and AR’, create the corresponding clause using the disjunction of different literals, which is formalized as $\overline{a{r}_1}\vee \overline{a{r}_2}\vee \dots$;

Step 3. Construct a CNF formula using the conjunction of different clauses, which is represented as $F=(\underset{i=1}{\overset{n}{\wedge }}{S}_{i}clause)\wedge A{R}^{\prime }clause$.

Thus, a set of several different literals that can satisfy a truth assignment for F forms the SOAR constraint, and all sets of such literals form different types of SOAR constraints, where the value of k remains constant.

Example 4.

Consider a SOD constraint sod = <{t₁, t₂, t₃, t₄}, 2> in the ABAC system status γ. The corresponding rules associated with each tuple are given in

Table 15. Sets of different tuple_rules(t) for sod.

Tuple	Rules
t1	{ar4}
t2	{ar2}
t3	{ar1, ar3}
t4	{ar2, ar3, ar4}

.

First, we convert sod into the intermediate form CIF = <{{ar₄}, {ar₂}, {ar₁, ar₃}, {ar₂, ar₃, ar₄}}, {ar₁, ar₂, ar₃, ar₄}>. Next, we construct the Boolean formula F for CIF as $F=\overline{a{r}_4}\wedge \overline{a{r}_2}\wedge (\overline{a{r}_1}\vee \overline{a{r}_3})\wedge (\overline{a{r}_2}\vee \overline{a{r}_3}\vee \overline{a{r}_4})\wedge (\overline{a{r}_1}\vee \overline{a{r}_2}\vee \overline{a{r}_3}\vee \overline{a{r}_4})$. It is readily verified that {$\overline{a{r}_1}$, $\overline{a{r}_2}$, $\overline{a{r}_4}$} can satisfy a truth assignment for F, and <{ar₁, ar₂, ar₄}, 2> is regarded as a SOAR constraint. Moreover, {$\overline{a{r}_2}$, $\overline{a{r}_3}$, $\overline{a{r}_4}$}, $\overline{a{r}_2}$, , $\overline{a{r}_3}$, $\overline{a{r}_4}$} can also satisfy such assignments, and <{ar₂, ar₃, ar₄}, 2>, <{ar₁, ar₂, ar₃, ar₄}, 2> are the other two SOAR constraints corresponding to sod.

4.2.2. Construction of t-m MEAR Constraints from k-n SOAR Constraints

In this subsection, we determine how to construct MEAR constraints for the given SOAR constraints. Using the notions of the k-n SOAR constraint and the t-m MEAR constraint, as well as the status function user_rules_γ(u) in Definition 6, we can define the safety and satisfiability of the system status as the following.

Definition 6.

(Safety of the system status, safe_soar(γ)) Given an ABAC system status γ and a k-n SOAR constraint soar = <{ar₁, ar₂, …ar_n}, k>, if any set of (k − −1) users cannot have all the n rules under γ, then γ is safe with respect to soar, which is denoted as safe_soar(γ) = 1. Otherwise, γ is unsafe with respect to soar, which is denoted as safe_soar(γ) = 0. Let the set of different k-n SOAR constraints be ξ = {soar₁, soar₂, …}; if γ is safe with respect to each soar_i, then γ is safe with respect to ξ, which is denoted as safe_ξ(γ) = 1. Otherwise, γ is unsafe with respect to ξ, which is denoted as safe_ξ(γ) = 0.

The safety of the system status is formally expressed as:

$$\forall \{u_1,u_2,\dots ,u_{k-1}\}\subset U:\{a{r}_1,a{r}_2,\dots ,a{r}_n\}\not\subset {\displaystyle \underset{i=1}{\overset{k-1}{\cup }}user\_rule{s}_{\gamma }(u_i)\Rightarrow saf{e}_{soar}(\gamma )}=1.$$

(10)

The unsafety of the system status is formally expressed as:

$$\exists \{u_1,u_2,\dots ,u_{k-1}\}\subset U:{\displaystyle \underset{i=1}{\overset{k-1}{\cup }}user\_rule{s}_{\gamma }(u_i)\supseteq \{a{r}_1,a{r}_2,\dots ,a{r}_n\}\Rightarrow saf{e}_{soar}(\gamma )}=0.$$

(11)

Definition 7.

(Satisfiability of the system status, satisfied_mear(γ)) Given an ABAC system status γ and a t-m MEAR constraint mear = <{ar₁, ar₂, … ar_m}, t>, if no user is allowed to have t or more of these m rules under γ, then γ is satisfied with respect to mear, which is denoted as satisfied_mear(γ) = 1. Otherwise, γ is unsatisfied with respect to mear, which is denoted as satisfied_mear(γ) = 0. Let the set of different t-m MEAR constraints be ψ = {mear₁, mear₂, …}; if γ is satisfied with respect to each mear_i, then γ is satisfied with respect to ψ, which is denoted as satisfied_ψ(γ) = 1. Otherwise, γ is unsatisfied with respect to ψ, which is denoted as satisfied_ψ(γ) = 0.

The satisfiability of the system status is formally expressed as:

$$\forall u\in U:|user\_rule{s}_{\gamma }(u)\cap \text{{}a{r}_1,a{r}_2,\dots a{r}_m\text{}}|\text{<}t\Rightarrow satisfie{d}_{mear}(\gamma )=1.$$

(12)

The unsatisfiability of the system status is formally expressed as:

$$\exists u\in U:|user\_rule{s}_{\gamma }(u)\cap \text{{}a{r}_1,a{r}_2,\dots a{r}_m\text{}}|\ge t\Rightarrow satisfie{d}_{mear}(\gamma )=0.$$

(13)

Statement 1.

Given an ABAC system status γ and a set of SOAR constraints ξ = {soar₁, soar₂, …}, the process for verifying whether γ is safe with respect to ξ is in P.

Proof. 

We prove this statement through the following three steps: (1) Use status function user_rules_γ() and identify user_rules_γ(u) for some user u under γ (2). Based on the formal expression in Definition 7, identify the number of the rules in user_rules_γ(u) present in any sod, which is represented as s, and (3) compare s with k included in sod. These steps can be readily computed. If |U|,|AR|, and |ξ| are used to represent the total number of users, the number of authorization rules and the number of SOAR constraints under γ, respectively, then the computational complexity for verifying whether safe_ξ(γ) is true is O(|U|×|AR|×|ξ|), which is polynomial time. Thus, the verification process for enforcing the SOAR constraints is in P. □

Statement 2.

Given an ABAC system status γ and a set ψ of MEAR constraints, the process of verifying whether γ is satisfied with respect to ψ is also in P.

Proof .

This verification is similar to that of Theorem 1, so the detailed process is omitted due to limited space. Here, the enforcement of MEAR constraints under γ is also available in polynomial time. □

Definition 8.

(Implicit enforcement of SOAR constraints) Given a k-n SOAR constraint soar and a t-m MEAR constraint set ψ = {mear₁, mear₂, …} in the system status γ, soar can be implicitly enforced by ψ if and only if ∀mear ∊ ψ :satisfied_mear(γ) ⇒safe_soar(γ).

Then, we present an approach for constructing t-m MEAR constraints in Algorithm 3, which takes a k-n SOAR constraint constructed from a k-n SOD constraint as input and outputs a set of MEAR constraints that can implicitly enforce SOAR.

Algorithm3 Construction of t-m MEAR constraints

Input:k-n SOAR constraint soar = <{ar1,ar2,…arn},k>, where 2 ≤ k ≤ n Output: set ψ of t-m MEAR constraints 1. Initialize ψ = ø; 2. if k == 2 then 3. ψ = {<{ar1,ar2,…arn},n>}; 4. else if k == n then 5. ψ = {<{ar1,ar2,…arn},2>}; 6. else 7.  for t = 2 to $\lfloor \frac{n-1}{k-1}\rfloor +1$ do 8.   m = (k-1) × (t-1)+1; 9.   for any subset {ar1,ar2,…arm’} in {ar1,ar2,…arn} do 10.    ψ = ψ∪{<{ar1,ar2,…arm’},t>}; 11.   end for 12. end for 13.end if

As observed from Lines 2–5 in Algorithm 3, two lemmas can be determined with the following:

Lemma 1.

Given a 2-n SOAR constraint, it can be efficiently enforced by the t-m MEAR constraint if and only if m = n, and t = n.

Lemma 2.

Given a n-n SOAR constraint, it can be efficiently enforced by the t-m MEAR constraint if and only if m = n, and t = 2.

Theorem 1.

Given a k-n SOAR constraint (k > 2), it can be efficiently enforced by the constructed t-m MEAR constraints through Algorithm 3 if $t\le (\lfloor \frac{n-1}{k-1}\rfloor +1)$

Proof .

According to Definitions 7 and 8, any user is allowed to have (t − 1) rules at most, and any (k − 1) users are allowed to have (k − 1) × (t − 1) rules at most. We use the method of contradiction to prove this theorem. Without a loss of generality, assume that $t=\lfloor \frac{n-1}{k-1}\rfloor +1+1$; the k-n SOAR constraint is still satisfied, i.e., the number of rules associated with (k − 1) users is $(k-1)\times (\lfloor \frac{n-1}{k-1}\rfloor +2-1)\approx n-1+k-1>n$, which breaches the k-n SOAR constraint. Thus, the assumption is false. □

To further demonstrate the effectiveness of Algorithm 3, we next provide an example to show the construction of MEAR constraints from a given SOD constraint.

Example 5.

Given a set of authorization rulesAR = {ar₁, ar₂, ar₃, ar₄, ar₅} and a SOD constraint sod = <{t₁, t₂, t₃, t₄, t₅}, 3> in the ABAC system status γ, let the sets of tuple_rules_γ(t) with respect to sod be {ar₁, ar₂}, {ar₃}, {ar₂, ar₃}, {ar₄}, and {ar₄, ar₅}, respectively.

Then, for sod, the corresponding soars that can be constructed using the method of SAT-based model counting are as follows:

{<{ar₂, ar₃, ar₄}, 3>, <{ar₁, ar₃, ar₄}, 3>, <{ar₁, ar₂, ar₃, ar₄}, 3>, <{ar₁, ar₃, ar₄, ar₅}, 3>, <{ar₂, ar₃, ar₄, ar₅}, 3>, <{ar₁, ar₂, ar₃, ar₄, ar₅}, 3>}.

The different sets of mears constraints corresponding to each soar according to Algorithm 3 are given in

Table 16. Different sets of mears with respect to soars.

Soar	Mears
<{ar2, ar3, ar4}, 3>	{<{ar1, ar2, ar4}, 2>}
<{ar1, ar3, ar4}, 3>	{<{ar2, ar3, ar4}, 2>}
<{ar1, ar2, ar3, ar4}, 3>	{<{ar1, ar2, ar3}, 2>, <{ar2, ar3, ar4}, 2>, <{ar1, ar2, ar4}, 2>, <{ar1, ar3, ar4}, 2>}
<{ar1, ar3, ar4, ar5}, 3>	{<{ar1, ar3, ar4}, 2>, <{ar3, ar4, ar5}, 2>, <{ar1, ar3, ar5}, 2>, <{ar1, ar4, ar5}, 2>}
<{ar2, ar3, ar4, ar5}, 3>	{<{ar2, ar3, ar4}, 2>, <{ar3, ar4, ar5}, 2>, <{ar2, ar3, ar5}, 2>, <{ar2, ar4, ar5}, 2>}
<{ar1, ar2, ar3, ar4, ar5}, 3>	{<{ar1, ar2, ar3}, 2>, <{ar1, ar2, ar4}, 2>, <{ar1, ar2, ar5}, 2>, <{ar1, ar3, ar4}, 2>, <{ar1, ar3, ar5}, 2>, <{ar1, ar4, ar5}, 2>, <{ar2, ar3, ar4}, 2>, <{ar2, ar3, ar5}, 2>, <{ar2, ar4, ar5}, 2>, <{ar3, ar4, ar5}, 2>, <{ar1, ar2, ar3, ar4, ar5}, 3>}

.

5. Experimental Evaluations

To evaluate the efficiency and effectiveness of the PEO_VR&SOD, we next implemented experiments using both real and synthetic datasets and compare the performance of PEO_VR&SOD with that of existing methods. All the experiments were carried out on a standard desktop PC with an Intel i5–7400 CPU, 4 GB RAM, and a 160 GB hard disk running a 64-bit Windows 7 operating system. All simulations were compiled and run in Eclipse IDE under the Java Developer environment.

5.1. Performance Comparison with the Xu-Stoller and VisMAP in Real Datasets

First, we consider the following real datasets from [10], as shown in

Table 17. Descriptions of real datasets.

Dataset	|U|	|UA|	|O|	|OA|	|Val|	|A|	Xu-Stoller		VisMAP		Our Method
							|P|	T(s)	|P|	T(s)	|P|	T(s)
University	20	6	34	5	76	168	10	0.02	10	0.02	10	0.02
Healthcare	21	6	16	7	55	51	11	0.02	7	0.02	7	0.02
Project Management	16	7	40	6	77	189	19	0.03	12	0.03	12	0.03

. These datasets have been widely used for research on different methods of ABAC policy mining, such as Xu-Stoller and VisMAP. The first seven columns in the table represent the corresponding dataset name, numbers of users, user attributes, objects, object attributes, number of all possible attribute values for users and objects, and number of authorizations. To evaluate the efficiency of our method in the policy mining stage, we consider the number of authorization rules in the policy and the execution time as evaluation measures.

We repeatedly implement the experiments 5 times in the above three datasets, take an average of overall values, and compare the results including |P| and T with the performance of Xu-Stoller and VisMAP in the last columns of Table 17. The number of authorization rules mined using our method is less than that using Xu-Stoller and is equal to that of VisMAP. Meanwhile, in the table, there is almost no difference in execution time for all three methods. This is because there is a small number of users, objects, and authorizations in any real dataset; thus, it is feasible to find suitable rules using Xu-Stoller, though both our method (PEO_VR&SOD) and VisMAP adopt visual representation technology for a given authorization relationship before policy mining. Thus, PEO_VR&SOD performs as well as Xu-Stoller and VisMAP on the small University, Healthcare, and Project Management datasets.

5.2. Performance Comparison with VisMAP in Synthetic Datasets

Since it is very difficult to find suitable real datasets, we next construct synthetic datasets with specific parameters, where the number of users varies from 100 to 1000 with a step of 100; the number of objects are 100, 200, 500, and 1000; and the attributes for users and objects randomly take values from the above real datasets. To evaluate the efficiency of PEO_VR&SOD, we take into consideration the number of mining rules and execution time as measures and compare the results with the performance of VisMAP. Additionally, as indicated in Algorithms 1 and 2, we partition the rearranged matrix by visual representations for the original matrix, while VisMAP directly separates an original matrix before rearrangement. If the synthetic datasets constructed are already sufficiently visual, then the authorization matrices need to be neither rearranged nor partitioned. Therefore, we first consider the following cases with no partition.

We repeatedly implement the experiments 10 times in different synthetic datasets and take the average value. The results are shown in Figure 3 and Figure 4. For Figure 3, the lateral axis represents the number of users, and the vertical axis represents the number of rules in the policy. For Figure 4, the lateral axis represents the number of users, and the vertical axis represents the comparison of execution time.

Figure 3 shows that the number of rules varies with a varying number of users for different numbers of objects. If the number of objects is fixed at 100, and the number of users varies from 100 to 1000, then the number of rules varies from 19 to 47, which increases slightly with an increase in the number of users; however, if the number of objects is fixed at 1000, the number of rules varies from 31 to 113, showing a clear increase. Conversely, if we fix the number of users at 100 and 1000, then the number of rules also increases with an increasing number of both objects and users. Obviously, the varying number of mining rules tends to grow linearly, particularly when the number of objects is small. This is because, the greater the number of users is, the more rules that can be constructed from the mining process.

Figure 4 shows that the execution time varies with a varying number of users for different numbers of objects. If the number of objects is less than 500, then the execution time is always below 335 s and tends to grow linearly. However, if the number is greater than 500, then the execution time increases exponentially to around 1100 s with 1000 users and 1000 objects, which is unacceptable. That is attributed to the fact that the dimension of an authorization matrix becomes larger and larger with an increasing number of users and objects, and a large-size matrix requires more time to be rearranged using Algorithm 1.

To demonstrate the interpretability of the mining process, we employ synthetic datasets on which VisMAP has been executed, where the numbers of users and objects are 100, 200, 500, and 1000. In addition, the number of partitions for each rearranged matrix is 1, 2, and 4. We repeatedly implement the experiments 10 times on these synthetic datasets, output the number of rules and the execution time, and take their average values. Comparisons of the results for PEO_VR&SOD and VisMAP are shown in

Table 18. Performance comparison with VisMAP.

|U|	|O|	|Partitions|
		1		2		4		1		2		4
		VisMAP						PEO_VR&SOD
		|P|	T(s)	|P|	T(s)	|P|	T(s)	|P|	T(s)	|P|	T(s)	|P|	T(s)
100	100	19	0.59	38	0.72	62	0.35	19	0.59	22	0.84	30	0.93
200	100	26	1.77	55	1.11	84	1.03	26	1.77	31	1.98	42	2.14
500	100	34	10.18	76	5.38	108	5.9	34	10.18	42	10.73	53	11.95
1000	100	47	43.28	96	20.46	197	10.92	47	43.28	56	43.61	74	44.17
100	200	23	1.63	48	1.57	78	0.95	23	1.63	26	1.87	34	2.02
200	200	37	4.25	77	3.33	114	2.14	37	4.25	42	5.01	53	5.61
500	200	54	21.54	96	12.36	146	10.78	54	21.54	56	22.34	62	23.24
1000	200	70	100.4	145	43.01	197	39.77	70	100.4	81	105.34	98	106.11
100	500	28	8.27	50	9.78	89	4.72	28	8.27	33	8.77	43	9.07
200	500	45	17.64	91	16.41	156	9.39	45	17.64	50	18.13	65	18.55
500	500	67	75.23	141	49.92	224	33.57	67	75.23	74	76.02	87	76.93
1000	500	89	334.98	207	163.96	304	115.50	89	334.98	99	335.44	115	336.01
100	1000	31	33.84	60	47.46	109	10.09	31	33.84	35	34.11	47	34.89
200	1000	53	62.47	100	70.63	180	33.43	53	62.47	58	62.88	68	63.56
500	1000	78	248.87	175	174.30	282	100.21	78	248.87	87	249.19	103	250.17
1000	1000	113	1052.78	218	695.67	335	452.52	113	1052.78	126	1053.11	155	1053.88

.

Table 18 shows that, for both methods, as the number of users and objects increases, the number of rules increases slightly, while the execution time increases more clearly whenever |Partitions| is equal to 1, 2, or 4, which is consistent with the experimental analyses shown in Figure 3 and Figure 4. Second, as the number of partitions increases, the number of rules increases clearly, while the execution time decreases in VisMAP; however, both the number of rules and the execution time increase slightly in PEO_VR&SOD. Specifically, when the number of users and objects is fixed at 1000 and 100, respectively, for the former, the number of rules varies from 47 to 197 with an increase of more than 300%, while the time varies from 43.28 to 10.92 with a decrease of more than 75%; for the latter, the number of rules increases from 47 to 74, and the time increases from 43.28 to 44.17. This is attributed to the fact that the original matrix in VisMAP is separated into several partitions before policy mining and spends little time on the small datasets. However, the rearranged matrix is separated during mining and spends more time with the number of partitions according to Algorithm 2. Although VisMAP outperforms PEO_VR&SOD for execution time, the number of rules using our proposal is less than that of VisMAP, and the overhead in time for PEO_VR&SOD is minimal compared to the benefit of the number of the mining rules.

In the above evaluations, we implement the experiments for VisMAP and PEO_VR&SOD with the same experimental setups: the number of users and objects varies while keeping the number of their attributes and attribute values constant. However, there are other properties, such as the length and size of authorization rules, need to be considered for evaluating the performance of Xu-Stoller. Furthermore, no partition exists in Xu-Stoller. Therefore, Xu–Stoller will not outperform VisMAP or PEO_VR&SOD for execution time on the same datasets.

5.3. Performance Comparison with Xu-Stoller on Synthetic Datasets

To further evaluate the efficiency of our method, we construct synthetic datasets and consider a similar setup of parameters to that used in Xu-Stoller. These parameters involve the number of users (|U|), the number of objects (|O|), the number of attribute-value pairs of users (|UAV|), the number of attribute-value pairs of objects (|OAV|), the maximum number of rules used to construct the datasets (|RC|), and the maximum length of any mining rule (|RL|). In addition, to fairly and effectively compare the performance of PEO_VR&SOD and Xu–Stoller, we convert our constructed datasets into data formats in which Xu–Stoller can be executed. We assume that each constructed authorization includes a single permission because any rule in our policy engineering system involves only one operation.

To study the effect of different parameters on the mining results, we consider three scenarios: (1) |UAV| and |OAV| vary from 20 to 40 with a step of 5, (2) |RC| varies from 20 to 50 with a step of 5, and (3) |RL| varies from 2 to 5 with a step of 1. One parameter varies while keeping the others constant when any scenario happens. Since the effect of variations in users or objects is considered (as shown in Figure 3 and Figure 4), the values of |U| and |O| are fixed at 1000 and 100, respectively, in the following. The descriptions of the datasets and their parameters are shown in the first six columns in

Table 19. Comparison of rules with Xu-Stoller for different parameters.

|U|	|O|	|UAV|	|OAV|	|RCmax|	|RLmax|	|PXu-Stoller|	|PPEO_VR&SOD|
1000	100	20	20	30	5	27	26.31
1000	100	25	25	30	5	25.67	25.67
1000	100	30	30	30	5	26.67	25.11
1000	100	35	35	30	5	26.67	25.37
1000	100	40	40	30	5	27.53	26.89
1000	100	25	25	20	5	17.67	17.53
1000	100	25	25	40	5	36	35.31
1000	100	25	25	50	5	43	42.83
1000	100	25	25	30	4	25.67	25.39
1000	100	25	25	30	3	24.67	24.64
1000	100	25	25	30	2	24	24

. We repeatedly implement the experiments 10 times on different datasets and take the median value. The number of the mining rules for the proposed algorithm (|P_{PEO_VR&SOD}|) and that of Xu-Stoller (|P_Xu-Stoller|) are presented in the last two columns of the table. Table 19 shows that, for all these datasets, both PEO_VR&SOD and Xu–Stoller discover almost the same number of rules, which is less than the maximum number of rules used to construct the datasets.

Moreover, we compare the average execution time with that of Xu–Stoller in Figure 5, Figure 6 and Figure 7 with error bars, where the lateral axis represents the varying values of different parameters, and the vertical axis represents changes in execution time.

These figures show that, for PEO_VR&SOD, the execution time tends to grow linearly and does not obviously vary as the number of attributes values, the value of |RC|, and/or the value of |RL| vary. However, for Xu–Stoller, Figure 5 demonstrates that the execution time first increases exponentially and then decreases gradually with an increasing number of attribute values. Specifically, the time increases remarkably from around 33 s to around 8000 s when the number of attribute values varies from 20 to 30 and then decreases gradually to around 7000 s when the value is close to 40. Further, the time required in our method is below 100 s for any case, while Xu-Stoller requires significantly more time with an increasing number of attribute values. PEO_VR&SOD runs faster than Xu-Stoller because the former eliminates the redundant attributes from each candidate rule, as shown in Lines 22–29 of Algorithm 2, while the latter takes more time in the generalization step while eliminating attribute expressions with constraints. Figure 6 and Figure 7 demonstrate that the execution time irregularly fluctuates up and down with increasing values of |RC| and |RL|. Detailed analyses are not discussed in this paper, similar to the analyses in [27]. Thus, PEO_VR&SOD outperforms Xu–Stoller on these datasets.

In the above evaluations, we implement the experiments for Xu-Stoller and PEO_VR&SOD with the same experimental setups: considering not only the varying number of users and objects as well as that of their attributes, but also number of rules used to construct the datasets and the maximum length of any mining rule. However, we do not need to consider all of these setups for VisMAP on the same datasets. Therefore, VisMAP will outperform Xu–Stoller as well as PEO_VR&SOD for execution time on the same datasets.

5.4. Performance Evaluation of Enforcement of SOD Constraints

To evaluate the effectiveness of PEO_VR&SOD, we study the performance of enforcing SOD constraints in the policy optimization stage, which can be converted into a study on the effects of enforcing MEAR constraints. We also employed real datasets (as shown in Table 17) that were used to construct an ABAC system in the policy mining stage. Further, the SOD constraints were synthetically constructed similar to the examples in this paper, such as the 3–5 SOD constraints. Moreover, the Rel-SAT model counter [37] is used for constructing the SOAR constraints. As shown by Definition 8 and Statement 2, the verification of the MEAR constraints is primarily affected by the number of users, as well as that of the rules. Therefore, we implemented experiments in datasets where the number of users varies from 20 to 50 with a step of 10, and the number of rules varies from 5 to 20 with a step of 5. The execution time for verification with a varying number of users and rules is shown in Figure 8.

Figure 8 shows that the execution time tends to grow linearly and does not obviously vary with an increasing number of users for each specific policy configuration. However, when the number of users remains constant, the time varies clearly with a varying number of rules. Specifically, for 10 rules, the time always remains around 0.02 s as the number of users varies, while for 30 users, the time varies from around 0.02 to 0.04 as the number of rules varies. This occurs because the more rules there are, the larger the size of the set of SOAR constraints constructed by the Rel-SAT model counter will be, and the greater the number of MEAR constraints that will be generated using Algorithm 3. Obviously, the total time for the verification of MEAR constraints increases with an increasing number of constraints.

5.5. Discussions

From the above analyses, we present some discussions in the following:

(1) For the sake of brevity, we do not consider the environments, such as time and locations. However, consideration of time factor in the constrained policy engineering is also an interesting topic. Take the dynamic SOD for example, the k-n dynamic SOD can be modified as dsod < {t₁, t₂, …, t_i …, t_n}, k, [bt, et]>, where [bt, et] is a time interval. It states that the enforcement of the SOD constraint is valid from bt to et. Similarly, both the authorization set and rule set also need to be modified with time intervals.

(2) Figure 3 and Figure 4 aim to demonstrate the performance of our method with different number of users and objects, and the result is consistent with the analysis of the computational complexity of Algorithm 2. In fact, VisMAP and Xu–Stoller have the similar performance, which have been presented in the state-of-the-art literatures and also can be observed from Table 18 and Table 19. Thus, we do not make the similar figures for VisMAP and Xu-Stoller in our work.

(3) Figure 5, Figure 6 and Figure 7 demonstrate variations of execution time for Xu-Stoller with different number of attribute-value pairs of users and objects, different maximum number of rules used to construct the datasets, and different maximum length of any mining rule, respectively. However, these attribute properties are constant for the evaluation of VisMAP, and thus we do not make the same type of graphs for VisMAP.

(4) Although PEO_VR&SOD performs better for mining optimal sets of rules in the above real and synthetic datasets, Either VisMAP or Xu-Stoller does well for some scenarios, and the corresponding synthetic datasets are more appropriate for efficiency evaluations of VisMAP or Xu-Stoller. Specifically, it is observed from Table 18 that, VisMAP outperforms PEO_VR&SOD for execution time with the increasing number of partitions. From Figure 7, the number of users and objects are fixed at 1000 and 100, respectively. Xu–Stoller also outperforms PEO_VR&SOD when the maximum length of any mining rule takes varies of 2 and 3.

6. Conclusions

A novel method for policy-engineering optimization called PEO_VR&SOD was proposed in this paper. We first used the visual technique with Hamming distance to reduce the policy-mining scale and presented the policy mining algorithm. Then, we used the method of SAT-based model counting to convert the SOD constraints into the corresponding SOAR constraints and constructed MEAR constraints to implicitly enforce the SOAR constraints in the constructed policy-engineering system. As a result, the proposed method can successfully address the stated problems of enhancing interpretability while mining a minimal set of rules and implicitly enforcing SOD constraints in a constructed ABAC system. The experiments demonstrated that the proposed method is efficient and effective. However, a few interesting issues remain to be solved. One issue is how to implement PEO_VR&SOD in systems such as blockchains, wireless sensor networks, and the internet of things. Another issue is how to implement cardinality constraints for policy-engineering optimizations in future work.