Policy-Engineering Optimization with Visual Representation and Separation-of-Duty Constraints in Attribute-Based Access Control

: Recently, attribute-based access control (ABAC) has received increasingly more attention and has emerged as the desired access control mechanism for many organizations because of its ﬂexibility and scalability for authorization management, as well as its security policies, such as separation-of-duty constraints and mutually exclusive constraints. Policy-engineering technology is an e ﬀ ective approach for the construction of ABAC systems. However, most conventional methods lack interpretability, and their constructing processes are complex. Furthermore, they do not consider the separation-of-duty constraints. To address these issues in ABAC, this paper proposes a novel method called policy engineering optimization with visual representation and separation of duty constraints (PEO_VR&SOD). First, to enhance interpretability while mining a minimal set of rules, we use the visual technique with Hamming distance to reduce the policy mining scale and present a policy mining algorithm. Second, to verify whether the separation of duty constraints can be satisﬁed in a constructed policy engineering system, we use the method of SAT-based model counting to reduce the constraints and construct mutually exclusive constraints to implicitly enforce the given separation of duty constraints. The experiments demonstrate the e ﬃ ciency and e ﬀ ectiveness of the proposed method and show encouraging results.


Introduction
With the rapid development and comprehensive application of network information technology, there is a large amount of storage required and many exchanges in large-scale and complex information-management systems [1]. Organizations adopt access control mechanisms to ensure the system security, and the role-based access control (RBAC) mechanism has been the main standard for most organizations over the last three decades. However, there is only one role attribute in RBAC systems on which users and objects can depend. The RBAC mechanism is identity-dependent and lacks flexibility, particularly in large-scale collaborative environments. As an alternative, attribute-based access control (ABAC) has been developed recently. In ABAC, a request for accessing any resource is permitted or denied based on the attributes assigned to the requesting user, the attributes assigned to the requested object, the environment condition where the request is made, and an authorization policy [2]. An ABAC policy is a set of authorization rules that includes various combinations of attribute-value pairs of users, objects, and environments, as well as operating privileges. If a user makes a request to access an object, an authorization rule to satisfy the access request is sought. Its flexibility, scalability, and identity-less properties overcome the limitations of RBAC, and make ABAC very attractive for The rest of the paper is organized as follows. We discuss the related work in Section 2 and present some preliminaries that are discussed in the following sections in Section 3. Section 4 proposes a novel method for policy engineering optimization, which involves two aspects: (1) policy mining with visual representation and (2) policy optimization with separation of duty constraints. We present experimental evaluations and compare their performance with existing studies in Section 5. Section 6 concludes the paper and discusses future work.

Research on Policy Engineering in ABAC
Various methods have been proposed for ABAC policy engineering. Depending on whether minimizing the number of mining rules is considered an optimized objective, existing studies mainly fall into the following two categories: general policy engineering and optimized policy engineering.
To avoid the potential risks of permitting unauthorized accesses, Krautsevich et al. [14] presented a risk based ABAC policy engineering problem that assessed the potential risk for each possible access while minimizing the total risk in the ABAC system. Biswas et al. [15] proposed a label based ABAC model using the method of enumeration for the construction of ABAC policies, each of which included only one user attribute and one object attribute. Narouei et al. [6] proposed a top-down ABAC policy engineering framework using a deep recurrent neural network, which derived authorization rules from unrestricted natural language documents. Iyer et al. [16] presented a novel method for ABAC policy mining to construct positive and negative authorization rules. Das et al. [17] proposed a hybrid approach for policy engineering in ABAC, which first used a top-down approach and then used a bottom-up approach to construct authorization rules. Although existing approaches are capable of constructing ABAC policies, the number of attribute-value pairs in any constructed rule is also critical. The time needed for access decisions increases with an increasing number of attribute-value pairs included in any rule. To improve the efficiency of the mining process, Gautam et al. [18] regarded the number of attributes included in any rule as a weight and presented a constrained policy mining algorithm in ABAC that constructed a set of authorization rules from an access control matrix, such that the weight of each rule was less than a specified value, and the sum of the total weights of the rules was minimized.
To discover an optimal set of ABAC rules from conventional access modes, Das et al. [19] presented an ABAC policy mining algorithm that included environmental attributes that used the Gini impurity to form an ABAC policy while minimizing the number of rules. Talukdar et al. [20] showed that the policy-mining problem is equivalent to identifying a set of functional dependencies in relational databases. The authors first proposed an ABAC policy mining algorithm called ABAC-FDM. Although this algorithm identified all the potential rules, the complexity of the algorithm was exponential. As an alternative, the authors next proposed another more efficient mining algorithm called ABAC-SRM, which discovered a suitable and minimal set of rules from candidate rules. To obtain a minimal set of ABAC rules in multi-cloud collaborations, John et al. [21] defined a cross-domain rule-mining problem called CDRMP that was proven to be NP hard and provided a heuristic solution. They also defined a cross-domain rule-mining problem with access relaxations under dynamic collaborations [22] called β-CDRMP and DCDRMP and presented the heuristic solutions for mining minimal sets of authorization rules. Besides mining positive rules in the cross domain, John et al. [23] considered the mining of negative rules from a given set of multi-cloud access requests, thereby defining a novel problem called CDRMP-H, and presented a solution to further reduce the number of mining rules, including the positive and the negative.

Research on Constraints in ABAC
Various studies have focused on specifying constraints in ABAC systems. Jin et al. [24] proposed a unified model called ABACα that could configure three classical models. They also presented a policy specification language that specified constraints on attribute-assignment relationships. Bijon et al. [25] proposed an attribute-based constraint specification language (ABCL) for specifying a variety of constraints. The ABCL was used to specify constraints on a single attribute or on multiple attributes of a particular entity. Although the constraints in ABACα were event-dependent, the constraints in ABCL were uniformly enforced no matter which attribute assignment was changed. Helil et al. [26] first examined the potential relationships between subjects and objects and then proposed an attribute-based access control constraint based on subject similarity. Jha et al. [27] presented a specification and verification of the SoD constraints in ABAC systems, analyzed the complexity of enforcing the SOD constraints and proposed an approach for solving them. Roy et al. [12] presented an employee replacement problem (ERP) in ABAC, in which the SOD constraints, BOD constraints, and UC constraints were simultaneously taken into consideration. The authors also provided a solution for verifying whether a particular subset of users in an ABAC system could be replaced with a smaller set of users while satisfying different types of constraints. Additionally, Alohaly et al. [28] proposed an automated framework to extract the ABAC constraints from natural language policies.

Research on Visual Representation for Access Information
Several techniques have been proposed for the visual representation of access information in a matrix form. To reduce the complexity of role-mining problems, Colantonio et al. [29] divided the user-permission-assignment dataset into several subsets and proposed a visual method for role mining. To reduce the mining scale, Verde et al. [30] converted role mining into a clustering problem, which compressed the division into a single sample, visually extracted similar features from multiple divisions, and ensured the integrity of the mining results. To facilitate the visual elucidation of access control matrices, Das et al. [31] introduced a novel method called visual mining of ABAC polices (VisMAP), which derived rules from the visual representation for a given authorization matrix while minimizing the number of rules. To enhance interpretability of the role-mining process, a novel method for role optimization is proposed in our work [1], which uses partitioning and compressing technologies to validate the accuracy of the method. Zheng et al. [32] provided a concrete example to visually specify ABAC rules and proposed a novel approach for detecting conflicts by transforming rules into a set of binary sequences.

Characteristics of Our Work
Two main limitations are apparent in the existing studies. The first limitation is that the policy mining scale is very large, and the mining process itself is confusing, complex, and lacks interpretability. The second limitation is that most existing policy engineering methods do not consider the SOD constraints, though various studies on different types of constraints in ABAC have been developed and assume that ABAC systems already exist in advance. However, in many cases, the systems are completely unknown and need to be constructed. Hence, in this work, we propose a novel policy engineering method (PEO_VR&SOD) with two main characteristics: (1) Visual representation technique with Hamming distance is used to reduce the policy-mining scale and enhance interpretability, and (2) the enforcement of SOD constraints is taken into consideration in the policy optimization. We also compare the performance of the PEO_VR&SOD with that of the existing methods through experiments.

Basic Components of ABAC
According to the NIST standard for ABAC systems [33], we present the basic components of ABAC as follows: (1) U represents a finite set of requesting users. Each element of the set is denoted as u i , where 1 ≤ i ≤ |U|.
(2) O represents a finite set of requested objects. Each element of the set is denoted as o i , where 1 ≤ i ≤ |O|.
(3) OP represents a finite set of the operations allowed to be performed on the objects in an ABAC system. Each element of the set is denoted as op i , where 1 ≤ i ≤ |OP|. For instance, if there are only two operations allowed in a system: read and write, then we represent OP = {read, write}. (4) E represents a finite set of environments in which authorizations are made, such as time and locations. These authorizations are independent of users and objects. Each element of the set is denoted as e i , where 1 ≤ i ≤ |E|. (5) UA represents a finite set of attribute names of users. Each element of the set is denoted as ua i , where 1 ≤ i ≤ |UA|. User attribute ua i can associate several values. If we use Val ua i to represent the one-to-many mapping of ua i onto a set of attribute values, it can be formalized as: UUAV ⊆ U × UAV represents a many-to-many assignment of users to their attribute name-value pairs. It can be formalized as: (8) OA represents a finite set of attribute names of objects. Each element of the set is denoted as oa i , where 1 ≤ i ≤ |OA|. The object attribute oa i is also associated with several values. If we use Val oa i to represent the one-to-many mapping of oa i onto a set of attribute values, it can be formalized as: where null indicates that the corresponding attribute values of the object is unknown or uncertain. For instance, object attribute Department in a hospital can take values of Cardiology, Dermatology, and Gynecology, and then we represent Val Department = {Cardiology, Dermatology, Gynecology}. pairs. It can be formalized as: For the sake of brevity, we assume that environments are irrelevant to policy engineering in an ABAC system and thus do not consider the environmental factors in this paper.

Basic Policy-Mining Problem in ABAC
Besides the basic components of ABAC, the other components involved in traditional ABAC policy mining [20] can be presented as follows: (1) A represents a set of all possible authorizations that occur in an ABAC system. Each element of the set is represented as a = <u,o,op>, which allows user u to perform operation op on object o, where u ∈ U, o ∈ O, op ∈ OP. (2) P represents an ABAC policy, which is also referred to as a set of authorization rules AR.
For the sake of simplicity, assume that any rule ar comprises only one operation, and ar is simply represented as <UAV', OAV', op>. Figure 1 presents the factors influencing the access decisions in ABAC, where single arrow heads represent which factors influence the access decisions and double arrow heads represent the one-to-many or many-to-many mappings between these influencing factors and other components of ABAC.  The basic ABAC policy-mining problem [21][22][23], in terms of the above elements, states that, given a set of authorizations A = {a1,a2,…}, a mapping list UUAV and a mapping list OOAV must find a set AR of authorization rules that can cover all the authorizations in A. Specifically, for any authorization a = <u,o,op>, user u can perform operation op on object o if and only if some combination of several attribute-value pairs of u in the UUAV, as well as those of o in the OOAV, can match a rule with op in AR. Furthermore, the number of mining rules is minimized.

Enforcement of SOD Constraints in ABAC
The SOD constraint includes static SOD and dynamic SOD. In this paper, we only consider the former, as we do not deal with environmental attributes, such as time and locations, and instead simply such attributes as SOD. The k-n SOD constraint [13] is expressed as sod < {t1, t2, …, ti…, tn}, k >, where n and k are integers, such that 2 ≤ k ≤ n. Each ti is an access permission that is represented as a We represent the set of such sod constraints as ω = {sod1, The basic ABAC policy-mining problem [21][22][23], in terms of the above elements, states that, given a set of authorizations A = {a 1 ,a 2 , . . . }, a mapping list UUAV and a mapping list OOAV must find a set AR of authorization rules that can cover all the authorizations in A. Specifically, for any authorization a = <u,o,op>, user u can perform operation op on object o if and only if some combination of several attribute-value pairs of u in the UUAV, as well as those of o in the OOAV, can match a rule with op in AR. Furthermore, the number of mining rules is minimized.

Enforcement of SOD Constraints in ABAC
The SOD constraint includes static SOD and dynamic SOD. In this paper, we only consider the former, as we do not deal with environmental attributes, such as time and locations, and instead simply such attributes as SOD. The k-n SOD constraint [13] is expressed as sod < {t 1 , t 2 , . . . , t i . . . , t n }, k >, where n and k are integers, such that 2 ≤ k ≤ n. Each t i is an access permission that is represented as a 2-tuple form (op, o), where op ∈ OP, o ∈ O. We represent the set of such sod constraints as ω= {sod 1 , sod 2 , . . . }.
To cover all the access tuples in a k-n SOD constraint, the authorization rules can be used as a substitute for the tuple. Similar to the k-n SOD constraint, the k-n SOAR constraint [13] is expressed as soar < {ar 1 , ar 2 , . . . ar n }, k>, where each ar i is an authorization rule, and n and k are integers, such that 2 ≤ k ≤ n. We represent the set of such soar constraints as ξ = {soar 1 , soar 2 , . . . }.
MEAR constraints can be used to enforce SOAR constraints. The t-m MEAR constraint mear < {ar 1 , ar 2 , . . . ar m }, t > [13] conveys that, for the given m rules ar 1 , ar 2 , . . . ar m in an ABAC system, no user is allowed to have t or more of these m rules, where each ar i is an authorization rule, and m and t are integers, such that 2 ≤ t ≤ m. We represent the set of such mear constraints as ψ = {mear 1 , mear 2 , . . . }.

Hamming Distance
Since the authorization list for some operations is a Boolean matrix, each row (or each column) can be regarded as a binary vector of the same length. The well-known Hamming distance [34], which is widely used to measure the distance between two different equal-length vectors, can identify clusters of the same (or similar) use-object pairs. Hamming distance states that, given two equal-length Boolean vectors x and y, the Hamming distance between x and y, denoted as Dis(x, y), is the number of positions where the vectors take different values for the same column position.
For instance, given two row vectors, x = "100110" and y = "110011", Dis(x, y) = 3. Clearly, the distance between any two rows in A op increases with an increasing number of column positions that take different values.

SAT-Based Model Counting
The well-known SAT solver [35,36] is commonly used to solve the model counting problem. An instance of the SAT-based model counting problem is a Boolean formula made up of different clauses. Each clause is a disjunctive or conjunctive form of Boolean variables. A Boolean formula, which can be expressed using the conjunction or disjunction of different clauses, is categorized into the conjunctive normal form (CNF) and the disjunctive normal form (DNF). Clearly, there are different truth assignments for a Boolean formula. Essentially, the model counting problem is to find truth assignments for a specific Boolean formula.

Proposed Method
In this section, we propose a novel method called PEO_VR&SOD, which includes two aspects: (1) ABAC policy mining with visual representation and (2) policy optimization with separation-of-duty constraints. Its flow chart is presented in Figure 2.
As shown in the figure, to reduce the mining scale and enhance the interpretability of policy mining, we adopt the visual technique with Hamming distance to rearrange, portray and partition an original authorization matrix, and discover a minimal set of authorization rules from rearranged submatrices. Subsequently, we utilize the method of SAT-based model counting to verify whether the separation of duty constraints can be satisfied in the constructed ABAC system. separation-of-duty constraints. Its flow chart is presented in Figure 2.
As shown in the figure, to reduce the mining scale and enhance the interpretability of policy mining, we adopt the visual technique with Hamming distance to rearrange, portray and partition an original authorization matrix, and discover a minimal set of authorization rules from rearranged submatrices. Subsequently, we utilize the method of SAT-based model counting to verify whether the separation of duty constraints can be satisfied in the constructed ABAC system.
To satisfy basic policy mining, we construct an extensive users-objects-operations relationship for a given set of authorizations A. This relationship can be equivalently denoted as a constructed matrix UOP A , which is a generalized Cartesian product of the matrix UUA A and the matrix OOA A for the requesting users and requested objects, respectively. The rows of UOP A correspond to all the possible user-object pairs, and the columns correspond to the attribute-value pairs of the users and objects, as well as the operations in A.

Example 1.
Given an authorization list A, a matrix UUA A of the attribute value assignments for users, and a matrix OOA A of the attribute value assignments for objects in Tables 1-3, respectively, then, the matrix UOP A can be constructed as in Table 4, where the notations uav and oav represent the attribute values of users and objects, respectively.

User
Object Operation To mine suitable authorization rules from the constructed matrix UOP, we need to find the attribute-value pairs for users and objects, such that the values of their corresponding cells in one row are 1, as is the value of the operation cell. Meanwhile, there is not any row where the value of the operation cell is 0 while retaining the values of the cells as 1 for the same attribute-value pairs. The various combinations of different attribute-value pairs that meet the requirements are referred to as the ABAC authorization rules, the number of which needs to be minimum.
In other words, our method involves finding the minimal set of rules from the UOP that can cover all the rows with the operation columns having values of 1. Meanwhile, the different attribute-value pairs in the set do not present in any row with the operation column containing a value of 0.
To find a suitable and minimal set of rules, we present two guiding principles as follows: (1) Principle 1: Assume that k 1 and k 2 are two different combinations of attribute-value pairs included in rules ar 1 and ar 2 , respectively. If k 1 ⊆ k 2 (that is, the number of attribute-value pairs in k 2 is greater than that in k 1 ), then the authorizations covered by k 2 can also be covered by k 1 ; moreover, k 2 is more restricted than k 1 . The authorizations covered by rule ar increase in number as the number of attribute-value pairs in ar decreases. Thus, we should choose short-length rules for the number of attribute-value pairs in any rule. (2) Principle 2: To discover a minimal set of rules while ensuring a short length in any rule, we decompose the UOP into two submatrices that consist of operation columns with values of 1 and 0. We denote these columns as UOP op=1 and UOP op=0 and sort UOP op=1 in ascending order according to the number of values of 1 in any row. We attempt to mine rules to cover all the authorizations corresponding to UOP op=1 .
However, the constructed UOP becomes much more confusing and complex as the number of user-object pairs increases. In other words, it is difficult to analyze and identify the authorization rules from such a representation. Therefore, we need to find an alternative for the list of authorizations to further facilitate policy mining while making the authorization representation more visually appealing and understandable.

Definition 3. (A op ) Represents the Boolean matrix form for a list of authorizations A with operation op,
where the rows correspond to users, and the columns correspond to objects. This can be represented as follows: Example 2. An illustrative ABAC authorization matrix A op is shown in Table 5, which includes 10 users and 10 objects. An equivalently rearranged matrix A op ' is presented in Table 6. We only mark the cells whose values are 1 for an intuitive representation. Obviously, it is more convenient to analyze and handle A op ', which provides a motivation for functionally representing A op .
To visually represent the authorization matrix, we use the Hamming distance to rearrange it as defined below.

Definition 4. (Visual representation problem for authorizations) Given an authorization matrix A op , and a
Hamming distance list D between any two rows of A op , find a rearranged matrix A op ' such that: (1) The sum of distances between the adjacent rows of A op ' is minimum, and (2) the submatrices {s 1 , s 2 , . . . } are intuitively included in A op ' while covering all the cells with values of 1, which can be formalized as follows: According to Definition 5, we present the process of matrix rearrangement in Algorithm 1.
The distance matrix D r for the original matrix in Table 5 is shown in Table 7, where both the rows and columns correspond to the row vectors, and the values of cells are the Hamming distances between any two rows. According to Algorithm 1, the same (or similar) row vectors are clustered by choosing the minimal distances. Similarly, we can also rearrange A op ' to cluster the same (or similar) column vectors. These clusters of rows and columns then form a submatrix, and several such submatrices together cover all the cells of [8], A op ' [2] with A op ' [9], and A op ' [6] with A op ' [7], respectively, and the result in step 1 is shown in Table 8 [8], A op ' [9], A op ' [3], A op ' [4]}. Subsequently, we implement the rearrangement towards the column vectors. Since D c [4][7] = D c [4][8] = 0, we swap the corresponding columns in step 2, and the result is shown in Table 9. Similarly, we swap the second column with the ninth column in step 3, and the result is shown in Table 10. According to the minimal distances between the adjacent columns, we swap the first column with the eighth column in step 4, and the result is shown in Table 11, which is consistent with the visual representation in Table 6. Table 7. Distance matrix D r . Table 8.
Step 4 for rearrangement.

Policy Mining
In this subsection, we take the rearranged authorization matrix A op ' and the matrices UUA and OOA as inputs and present the process of policy mining in Algorithm 2.
In Algorithm 2, we first partition the rearranged matrix into k small matrices according to the number of submatrices in Lines 1-3, Line 4 defines three sets of rules, Initial_rules, Uninitial_rules, and Candidate_rules, and initializes them. From Line 5, we start to mine the rules in each submatrix. Next, in Lines 9-21, we use double loops for the sets Candidate_rules and Initial_rules to choose the short-length rules that are not present in Uninitial_rules and consider them as candidate rules. To further simplify the rules in set Candidate_rules, we estimate whether the length of any rule (that is, the number of attribute-value pairs) can be reduced in the last few lines. As shown in Table 11, three submatrices (<{u 8 ,u 9 ,u 3 ,u 4 }, {o 3 ,o 4 ,o 7 ,o 8 }>, <{u 5 ,u 7 }, {o 6 ,o 1 }>, and <{u 1 ,u 2 ,u 6 ,u 10 }, {o 1 ,o 2 ,o 10 }>), which separate the rearranged matrix into three partitions, are visually appealing. It is more convenient and feasible to derive rules from each small partition, and the detailed mining processes are omitted owing to the limited space. if (ar is not null)∧(ar ⊆ ar') then 12.
if (ar∩ar') Uninitial_rules then/*authorizations covered by both ar and ar' are allowed*/ 15. Computational complexity: Choosing suitable rules mainly depends on the double loops in Lines 9-21 and the estimation operations in Lines 22-29. Assume that the number of submatrices is k and that the number of rows with operation columns containing values of 1 in each submatrix A op ' i is x; then, the total execution time of the algorithm is O(k × (x 2 × (|A op ' I − x|) + x 2 )), which is influenced by the number of partitions and the size of each submatrix.

Policy Optimization with Separation-of-Duty Constraints
First, we present three status functions among users, authorization rules, and access tuples of the SOD constraint, defined as follows.

Definition 5. (Status functions)
(1) user_rules γ (u) represents a set of authorization rules that allows user u to perform operations on objects under the system status γ; (2) tuple_rules γ (t) represents a set of authorization rules that allows access to tuple t for a given SOD constraint under the system status γ; (3) user_tuples γ (u) represents a set of tuples of a given SOD constraint that is authorized to user u under the system status γ. It can be formalized as user_tuples γ (u) = t ∃ar ∈ user_rules γ (u) : ar ∈ tuple_rules γ (t) .
To demonstrate whether the SOD constraints can be satisfied, the different status functions in Definition 6 are used in the following example.
Example 3. Given a constructed ABAC system status γ, where the rules associated with each user are shown in Table 12. Consider a set of SOD constraints ω = {sod 1 , sod 2 }, where sod 1 = <{t 1 , t 2 , t 3 }, 2> and sod 2 = <{t 4 , t 5 , t 6 }, 3>. The rules that are allowed to access any tuple with respect to sod 1 and sod 2 are presented inTables 13 and 14, respectively.  According to sod 1 and Table 13, at least two users are required to collaborate and together have t 1 , t 2 , and t 3 , and all these access tuples can be done using either the rules ar 1 , ar 3, and ar 7 or the rules ar 2 , ar 3, and ar 7 . In other words, no user can own these three rules at the same time. Table 8 shows that sod 1 can be satisfied under γ. Similarly, according to sod 2 and Table 14, any two users cannot own rules ar 1 , ar 3 , and ar 5 at the same time. Table 12 demonstrates, however, that users u 1 and u 2 can access all the tuples of sod 2 through these three rules. Hence, sod 2 cannot be satisfied under γ. Therefore, immediately enforcing SOD constraints in ABAC systems appears to be intractable.
Reducing the problem of verifying SOD constraints in an ABAC system into the construction of MEAR constraints includes two phases: (1) Converting k-n SOD constraints into k-n SOAR constraints and (2) constructing t-m MEAR constraints from k-n SOAR constraints.

Construction of k-n SOAR Constraints from k-n SOD Constraints
Given a constructed rule set AR and a specific SOD constraint <{t 1 , t 2 , . . . , t n }, k> under system status γ, we convert the input instance (<{t 1 , t 2 , . . . , t n }, k>, AR) into an intermediate form according to the following steps: Step 1. For each access tuple t i in the constraint, we identify set tuple_rules γ (t i ) as a substitute for t i ; Step 2. Replace rule set AR with a union of different set of rules associated with each tuple in the constraint.
Then, the corresponding intermediate form, which is denoted as CIF, can be represented as CI F According to the conversion, two conclusions can be made: (1) The process of the conversion does not take value k of the constraint into consideration because, for each k'-n SOAR constraint constructed, k' takes the value of k in the following process of constructions. (2) AR' in CIF does not contain the rules in (AR\AR') because the rules not in AR' are not relevant to the construction of the SOAR constraints.
A SAT solver takes the formula in CNF as the input parameter for solving the problem, which can identify the total number of different types of such assignments. For the given intermediate form CIF = <{S 1 ,S 2 , . . . S n },AR'>, we next construct a CNF formula F corresponding to CIF through the following steps: Step 1. For each rule ar i in AR', create the corresponding literal variable ar i ; Step 2. For each S i and AR', create the corresponding clause using the disjunction of different literals, which is formalized as ar 1 ∨ ar 2 ∨ . . .; Step 3. Construct a CNF formula using the conjunction of different clauses, which is represented Thus, a set of several different literals that can satisfy a truth assignment for F forms the SOAR constraint, and all sets of such literals form different types of SOAR constraints, where the value of k remains constant.

Construction of t-m MEAR Constraints from k-n SOAR Constraints
In this subsection, we determine how to construct MEAR constraints for the given SOAR constraints. Using the notions of the k-n SOAR constraint and the t-m MEAR constraint, as well as the status function user_rules γ (u) in Definition 6, we can define the safety and satisfiability of the system status as the following. Definition 6. (Safety of the system status, safe soar (γ)) Given an ABAC system status γ and a k-n SOAR constraint soar = <{ar 1 , ar 2 , . . . ar n }, k>, if any set of (k − −1) users cannot have all the n rules under γ, then γ is safe with respect to soar, which is denoted as safe soar (γ) = 1. Otherwise, γ is unsafe with respect to soar, which is denoted as safe soar (γ) = 0. Let the set of different k-n SOAR constraints be ξ = {soar 1 , soar 2 , . . . }; if γ is safe with respect to each soar i , then γ is safe with respect to ξ, which is denoted as safe ξ (γ) = 1. Otherwise, γ is unsafe with respect to ξ, which is denoted as safe ξ (γ) = 0.
The safety of the system status is formally expressed as: The unsafety of the system status is formally expressed as: Definition 7. (Satisfiability of the system status, satisfied mear (γ)) Given an ABAC system status γ and a t-m MEAR constraint mear = <{ar 1 , ar 2 , . . . ar m }, t>, if no user is allowed to have t or more of these m rules under γ, then γ is satisfied with respect to mear, which is denoted as satisfied mear (γ) = 1. Otherwise, γ is unsatisfied with respect to mear, which is denoted as satisfied mear (γ) = 0. Let the set of different t-m MEAR constraints be ψ = {mear 1 , mear 2 , . . . }; if γ is satisfied with respect to each mear i , then γ is satisfied with respect to ψ, which is denoted as satisfied ψ (γ) = 1. Otherwise, γ is unsatisfied with respect to ψ, which is denoted as satisfied ψ (γ) = 0.
The unsatisfiability of the system status is formally expressed as: Statement 1. Given an ABAC system status γ and a set of SOAR constraints ξ = {soar 1 , soar 2 , . . . }, the process for verifying whether γ is safe with respect to ξ is in P.
Proof. We prove this statement through the following three steps: (1) Use status function user_rules γ () and identify user_rules γ (u) for some user u under γ (2). Based on the formal expression in Definition 7, identify the number of the rules in user_rules γ (u) present in any sod, which is represented as s, and (3) compare s with k included in sod. These steps can be readily computed. If |U|,|AR|, and |ξ| are used to represent the total number of users, the number of authorization rules and the number of SOAR constraints under γ, respectively, then the computational complexity for verifying whether safe ξ (γ) is true is O(|U|×|AR|×|ξ|), which is polynomial time. Thus, the verification process for enforcing the SOAR constraints is in P.

Statement 2.
Given an ABAC system status γ and a set ψ of MEAR constraints, the process of verifying whether γ is satisfied with respect to ψ is also in P.
Proof . This verification is similar to that of Theorem 1, so the detailed process is omitted due to limited space. Here, the enforcement of MEAR constraints under γ is also available in polynomial time.
Then, we present an approach for constructing t-m MEAR constraints in Algorithm 3, which takes a k-n SOAR constraint constructed from a k-n SOD constraint as input and outputs a set of MEAR constraints that can implicitly enforce SOAR. Proof . According to Definitions 7 and 8, any user is allowed to have (t − 1) rules at most, and any (k − 1) users are allowed to have (k − 1) × (t − 1) rules at most. We use the method of contradiction to prove this theorem. Without a loss of generality, assume that t = n−1 k−1 + 1 + 1; the k-n SOAR constraint is still satisfied, i.e., the number of rules associated with (k − 1) users is (k − 1) × ( n−1 k−1 + 2 − 1) ≈ n − 1 + k − 1 > n, which breaches the k-n SOAR constraint. Thus, the assumption is false.

Algorithm 3 Construction of t-m MEAR constraints
To further demonstrate the effectiveness of Algorithm 3, we next provide an example to show the construction of MEAR constraints from a given SOD constraint.
The different sets of mears constraints corresponding to each soar according to Algorithm 3 are given in Table 16.

Experimental Evaluations
To evaluate the efficiency and effectiveness of the PEO_VR&SOD, we next implemented experiments using both real and synthetic datasets and compare the performance of PEO_VR&SOD with that of existing methods. All the experiments were carried out on a standard desktop PC with an Intel i5-7400 CPU, 4 GB RAM, and a 160 GB hard disk running a 64-bit Windows 7 operating system. All simulations were compiled and run in Eclipse IDE under the Java Developer environment.

Performance Comparison with the Xu-Stoller and VisMAP in Real Datasets
First, we consider the following real datasets from [10], as shown in Table 17. These datasets have been widely used for research on different methods of ABAC policy mining, such as Xu-Stoller and VisMAP. The first seven columns in the table represent the corresponding dataset name, numbers of users, user attributes, objects, object attributes, number of all possible attribute values for users and objects, and number of authorizations. To evaluate the efficiency of our method in the policy mining stage, we consider the number of authorization rules in the policy and the execution time as evaluation measures. We repeatedly implement the experiments 5 times in the above three datasets, take an average of overall values, and compare the results including |P| and T with the performance of Xu-Stoller and VisMAP in the last columns of Table 17. The number of authorization rules mined using our method is less than that using Xu-Stoller and is equal to that of VisMAP. Meanwhile, in the table, there is almost no difference in execution time for all three methods. This is because there is a small number of users, objects, and authorizations in any real dataset; thus, it is feasible to find suitable rules using Xu-Stoller, though both our method (PEO_VR&SOD) and VisMAP adopt visual representation technology for a given authorization relationship before policy mining. Thus, PEO_VR&SOD performs as well as Xu-Stoller and VisMAP on the small University, Healthcare, and Project Management datasets.

Performance Comparison with VisMAP in Synthetic Datasets
Since it is very difficult to find suitable real datasets, we next construct synthetic datasets with specific parameters, where the number of users varies from 100 to 1000 with a step of 100; the number of objects are 100, 200, 500, and 1000; and the attributes for users and objects randomly take values from the above real datasets. To evaluate the efficiency of PEO_VR&SOD, we take into consideration the number of mining rules and execution time as measures and compare the results with the performance of VisMAP. Additionally, as indicated in Algorithms 1 and 2, we partition the rearranged matrix by visual representations for the original matrix, while VisMAP directly separates an original matrix before rearrangement. If the synthetic datasets constructed are already sufficiently visual, then the authorization matrices need to be neither rearranged nor partitioned. Therefore, we first consider the following cases with no partition.
We repeatedly implement the experiments 10 times in different synthetic datasets and take the average value. The results are shown in Figures 3 and 4. For Figure 3, the lateral axis represents the number of users, and the vertical axis represents the number of rules in the policy. For Figure 4, the lateral axis represents the number of users, and the vertical axis represents the comparison of execution time.
rules using Xu-Stoller, though both our method (PEO_VR&SOD) and VisMAP adopt visual representation technology for a given authorization relationship before policy mining. Thus, PEO_VR&SOD performs as well as Xu-Stoller and VisMAP on the small University, Healthcare, and Project Management datasets.

Performance Comparison with VisMAP in Synthetic Datasets
Since it is very difficult to find suitable real datasets, we next construct synthetic datasets with specific parameters, where the number of users varies from 100 to 1000 with a step of 100; the number of objects are 100, 200, 500, and 1000; and the attributes for users and objects randomly take values from the above real datasets. To evaluate the efficiency of PEO_VR&SOD, we take into consideration the number of mining rules and execution time as measures and compare the results with the performance of VisMAP. Additionally, as indicated in Algorithms 1 and 2, we partition the rearranged matrix by visual representations for the original matrix, while VisMAP directly separates an original matrix before rearrangement. If the synthetic datasets constructed are already sufficiently visual, then the authorization matrices need to be neither rearranged nor partitioned. Therefore, we first consider the following cases with no partition.
We repeatedly implement the experiments 10 times in different synthetic datasets and take the average value. The results are shown in Figures 3 and 4. For Figure 3, the lateral axis represents the number of users, and the vertical axis represents the number of rules in the policy. For Figure 4, the lateral axis represents the number of users, and the vertical axis represents the comparison of execution time.

Performance Comparison with VisMAP in Synthetic Datasets
Since it is very difficult to find suitable real datasets, we next construct synthetic datasets with specific parameters, where the number of users varies from 100 to 1000 with a step of 100; the number of objects are 100, 200, 500, and 1000; and the attributes for users and objects randomly take values from the above real datasets. To evaluate the efficiency of PEO_VR&SOD, we take into consideration the number of mining rules and execution time as measures and compare the results with the performance of VisMAP. Additionally, as indicated in Algorithms 1 and 2, we partition the rearranged matrix by visual representations for the original matrix, while VisMAP directly separates an original matrix before rearrangement. If the synthetic datasets constructed are already sufficiently visual, then the authorization matrices need to be neither rearranged nor partitioned. Therefore, we first consider the following cases with no partition.
We repeatedly implement the experiments 10 times in different synthetic datasets and take the average value. The results are shown in Figures 3 and 4. For Figure 3, the lateral axis represents the number of users, and the vertical axis represents the number of rules in the policy. For Figure 4, the lateral axis represents the number of users, and the vertical axis represents the comparison of execution time.   Figure 3 shows that the number of rules varies with a varying number of users for different numbers of objects. If the number of objects is fixed at 100, and the number of users varies from 100 to 1000, then the number of rules varies from 19 to 47, which increases slightly with an increase in the number of users; however, if the number of objects is fixed at 1000, the number of rules varies from 31 to 113, showing a clear increase. Conversely, if we fix the number of users at 100 and 1000, then the number of rules also increases with an increasing number of both objects and users. Obviously, the varying number of mining rules tends to grow linearly, particularly when the number of objects is small. This is because, the greater the number of users is, the more rules that can be constructed from the mining process. Figure 4 shows that the execution time varies with a varying number of users for different numbers of objects. If the number of objects is less than 500, then the execution time is always below 335 s and tends to grow linearly. However, if the number is greater than 500, then the execution time increases exponentially to around 1100 s with 1000 users and 1000 objects, which is unacceptable. That is attributed to the fact that the dimension of an authorization matrix becomes larger and larger with an increasing number of users and objects, and a large-size matrix requires more time to be rearranged using Algorithm 1.
To demonstrate the interpretability of the mining process, we employ synthetic datasets on which VisMAP has been executed, where the numbers of users and objects are 100, 200, 500, and 1000. In addition, the number of partitions for each rearranged matrix is 1, 2, and 4. We repeatedly implement the experiments 10 times on these synthetic datasets, output the number of rules and the execution time, and take their average values. Comparisons of the results for PEO_VR&SOD and VisMAP are shown in Table 18.  Table 18 shows that, for both methods, as the number of users and objects increases, the number of rules increases slightly, while the execution time increases more clearly whenever |Partitions| is equal to 1, 2, or 4, which is consistent with the experimental analyses shown in Figures 3 and 4. Second, as the number of partitions increases, the number of rules increases clearly, while the execution time decreases in VisMAP; however, both the number of rules and the execution time increase slightly in PEO_VR&SOD. Specifically, when the number of users and objects is fixed at 1000 and 100, respectively, for the former, the number of rules varies from 47 to 197 with an increase of more than 300%, while the time varies from 43.28 to 10.92 with a decrease of more than 75%; for the latter, the number of rules increases from 47 to 74, and the time increases from 43.28 to 44.17. This is attributed to the fact that the original matrix in VisMAP is separated into several partitions before policy mining and spends little time on the small datasets. However, the rearranged matrix is separated during mining and spends more time with the number of partitions according to Algorithm 2. Although VisMAP outperforms PEO_VR&SOD for execution time, the number of rules using our proposal is less than that of VisMAP, and the overhead in time for PEO_VR&SOD is minimal compared to the benefit of the number of the mining rules.
In the above evaluations, we implement the experiments for VisMAP and PEO_VR&SOD with the same experimental setups: the number of users and objects varies while keeping the number of their attributes and attribute values constant. However, there are other properties, such as the length and size of authorization rules, need to be considered for evaluating the performance of Xu-Stoller. Furthermore, no partition exists in Xu-Stoller. Therefore, Xu-Stoller will not outperform VisMAP or PEO_VR&SOD for execution time on the same datasets.

Performance Comparison with Xu-Stoller on Synthetic Datasets
To further evaluate the efficiency of our method, we construct synthetic datasets and consider a similar setup of parameters to that used in Xu-Stoller. These parameters involve the number of users (|U|), the number of objects (|O|), the number of attribute-value pairs of users (|UAV|), the number of attribute-value pairs of objects (|OAV|), the maximum number of rules used to construct the datasets (|RC|), and the maximum length of any mining rule (|RL|). In addition, to fairly and effectively compare the performance of PEO_VR&SOD and Xu-Stoller, we convert our constructed datasets into data formats in which Xu-Stoller can be executed. We assume that each constructed authorization includes a single permission because any rule in our policy engineering system involves only one operation.
To study the effect of different parameters on the mining results, we consider three scenarios: (1) |UAV| and |OAV| vary from 20 to 40 with a step of 5, (2) |RC| varies from 20 to 50 with a step of 5, and (3) |RL| varies from 2 to 5 with a step of 1. One parameter varies while keeping the others constant when any scenario happens. Since the effect of variations in users or objects is considered (as shown in Figures 3 and 4), the values of |U| and |O| are fixed at 1000 and 100, respectively, in the following. The descriptions of the datasets and their parameters are shown in the first six columns in Table 19. We repeatedly implement the experiments 10 times on different datasets and take the median value. The number of the mining rules for the proposed algorithm (|P PEO_VR&SOD |) and that of Xu-Stoller (|P Xu-Stoller |) are presented in the last two columns of the table. Table 19 shows that, for all these datasets, both PEO_VR&SOD and Xu-Stoller discover almost the same number of rules, which is less than the maximum number of rules used to construct the datasets.
Moreover, we compare the average execution time with that of Xu-Stoller in Figures 5-7 with error bars, where the lateral axis represents the varying values of different parameters, and the vertical axis represents changes in execution time.        These figures show that, for PEO_VR&SOD, the execution time tends to grow linearly and does not obviously vary as the number of attributes values, the value of |RC|, and/or the value of |RL| vary. However, for Xu-Stoller, Figure 5 demonstrates that the execution time first increases exponentially and then decreases gradually with an increasing number of attribute values. Specifically, the time increases remarkably from around 33 s to around 8000 s when the number of These figures show that, for PEO_VR&SOD, the execution time tends to grow linearly and does not obviously vary as the number of attributes values, the value of |RC|, and/or the value of |RL| vary. However, for Xu-Stoller, Figure 5 demonstrates that the execution time first increases exponentially and then decreases gradually with an increasing number of attribute values. Specifically, the time increases remarkably from around 33 s to around 8000 s when the number of attribute values varies from 20 to 30 and then decreases gradually to around 7000 s when the value is close to 40. Further, the time required in our method is below 100 s for any case, while Xu-Stoller requires significantly more time with an increasing number of attribute values. PEO_VR&SOD runs faster than Xu-Stoller because the former eliminates the redundant attributes from each candidate rule, as shown in Lines 22-29 of Algorithm 2, while the latter takes more time in the generalization step while eliminating attribute expressions with constraints. Figures 6 and 7 demonstrate that the execution time irregularly fluctuates up and down with increasing values of |RC| and |RL|. Detailed analyses are not discussed in this paper, similar to the analyses in [27]. Thus, PEO_VR&SOD outperforms Xu-Stoller on these datasets.
In the above evaluations, we implement the experiments for Xu-Stoller and PEO_VR&SOD with the same experimental setups: considering not only the varying number of users and objects as well as that of their attributes, but also number of rules used to construct the datasets and the maximum length of any mining rule. However, we do not need to consider all of these setups for VisMAP on the same datasets. Therefore, VisMAP will outperform Xu-Stoller as well as PEO_VR&SOD for execution time on the same datasets.

Performance Evaluation of Enforcement of SOD Constraints
To evaluate the effectiveness of PEO_VR&SOD, we study the performance of enforcing SOD constraints in the policy optimization stage, which can be converted into a study on the effects of enforcing MEAR constraints. We also employed real datasets (as shown in Table 17) that were used to construct an ABAC system in the policy mining stage. Further, the SOD constraints were synthetically constructed similar to the examples in this paper, such as the 3-5 SOD constraints. Moreover, the Rel-SAT model counter [37] is used for constructing the SOAR constraints. As shown by Definition 8 and Statement 2, the verification of the MEAR constraints is primarily affected by the number of users, as well as that of the rules. Therefore, we implemented experiments in datasets where the number of users varies from 20 to 50 with a step of 10, and the number of rules varies from 5 to 20 with a step of 5. The execution time for verification with a varying number of users and rules is shown in Figure 8.
is close to 40. Further, the time required in our method is below 100 s for any case, while Xu-Stoller requires significantly more time with an increasing number of attribute values. PEO_VR&SOD runs faster than Xu-Stoller because the former eliminates the redundant attributes from each candidate rule, as shown in Lines 22-29 of Algorithm 2, while the latter takes more time in the generalization step while eliminating attribute expressions with constraints. Figures 6 and 7 demonstrate that the execution time irregularly fluctuates up and down with increasing values of |RC| and |RL|. Detailed analyses are not discussed in this paper, similar to the analyses in [27]. Thus, PEO_VR&SOD outperforms Xu-Stoller on these datasets.
In the above evaluations, we implement the experiments for Xu-Stoller and PEO_VR&SOD with the same experimental setups: considering not only the varying number of users and objects as well as that of their attributes, but also number of rules used to construct the datasets and the maximum length of any mining rule. However, we do not need to consider all of these setups for VisMAP on the same datasets. Therefore, VisMAP will outperform Xu-Stoller as well as PEO_VR&SOD for execution time on the same datasets.

Performance Evaluation of Enforcement of SOD Constraints
To evaluate the effectiveness of PEO_VR&SOD, we study the performance of enforcing SOD constraints in the policy optimization stage, which can be converted into a study on the effects of enforcing MEAR constraints. We also employed real datasets (as shown in Table 17) that were used to construct an ABAC system in the policy mining stage. Further, the SOD constraints were synthetically constructed similar to the examples in this paper, such as the 3-5 SOD constraints. Moreover, the Rel-SAT model counter [37] is used for constructing the SOAR constraints. As shown by Definition 8 and Statement 2, the verification of the MEAR constraints is primarily affected by the number of users, as well as that of the rules. Therefore, we implemented experiments in datasets where the number of users varies from 20 to 50 with a step of 10, and the number of rules varies from 5 to 20 with a step of 5. The execution time for verification with a varying number of users and rules is shown in Figure 8. Figure 8 shows that the execution time tends to grow linearly and does not obviously vary with an increasing number of users for each specific policy configuration. However, when the number of users remains constant, the time varies clearly with a varying number of rules. Specifically, for 10 rules, the time always remains around 0.02 s as the number of users varies, while for 30 users, the time varies from around 0.02 to 0.04 as the number of rules varies. This occurs because the more rules there are, the larger the size of the set of SOAR constraints constructed by the Rel-SAT model counter will be, and the greater the number of MEAR constraints that will be generated using Algorithm 3. Obviously, the total time for the verification of MEAR constraints increases with an increasing number of constraints.  Figure 8 shows that the execution time tends to grow linearly and does not obviously vary with an increasing number of users for each specific policy configuration. However, when the number of users remains constant, the time varies clearly with a varying number of rules. Specifically, for 10 rules, the time always remains around 0.02 s as the number of users varies, while for 30 users, the time varies from around 0.02 to 0.04 as the number of rules varies. This occurs because the more rules there are, the larger the size of the set of SOAR constraints constructed by the Rel-SAT model counter will be, and the greater the number of MEAR constraints that will be generated using Algorithm 3. Obviously, the total time for the verification of MEAR constraints increases with an increasing number of constraints.

Discussions
From the above analyses, we present some discussions in the following: (1) For the sake of brevity, we do not consider the environments, such as time and locations. However, consideration of time factor in the constrained policy engineering is also an interesting topic. Take the dynamic SOD for example, the k-n dynamic SOD can be modified as dsod < {t 1 , t 2 , . . . , t i . . . , t n }, k, [bt, et]>, where [bt, et] is a time interval. It states that the enforcement of the SOD constraint is valid from bt to et. Similarly, both the authorization set and rule set also need to be modified with time intervals.
(2) Figures 3 and 4 aim to demonstrate the performance of our method with different number of users and objects, and the result is consistent with the analysis of the computational complexity of Algorithm 2. In fact, VisMAP and Xu-Stoller have the similar performance, which have been presented in the state-of-the-art literatures and also can be observed from Tables 18 and 19. Thus, we do not make the similar figures for VisMAP and Xu-Stoller in our work.
(3) Figures 5-7 demonstrate variations of execution time for Xu-Stoller with different number of attribute-value pairs of users and objects, different maximum number of rules used to construct the datasets, and different maximum length of any mining rule, respectively. However, these attribute properties are constant for the evaluation of VisMAP, and thus we do not make the same type of graphs for VisMAP.
(4) Although PEO_VR&SOD performs better for mining optimal sets of rules in the above real and synthetic datasets, Either VisMAP or Xu-Stoller does well for some scenarios, and the corresponding synthetic datasets are more appropriate for efficiency evaluations of VisMAP or Xu-Stoller. Specifically, it is observed from Table 18 that, VisMAP outperforms PEO_VR&SOD for execution time with the increasing number of partitions. From Figure 7, the number of users and objects are fixed at 1000 and 100, respectively. Xu-Stoller also outperforms PEO_VR&SOD when the maximum length of any mining rule takes varies of 2 and 3.

Conclusions
A novel method for policy-engineering optimization called PEO_VR&SOD was proposed in this paper. We first used the visual technique with Hamming distance to reduce the policy-mining scale and presented the policy mining algorithm. Then, we used the method of SAT-based model counting to convert the SOD constraints into the corresponding SOAR constraints and constructed MEAR constraints to implicitly enforce the SOAR constraints in the constructed policy-engineering system. As a result, the proposed method can successfully address the stated problems of enhancing interpretability while mining a minimal set of rules and implicitly enforcing SOD constraints in a constructed ABAC system. The experiments demonstrated that the proposed method is efficient and effective. However, a few interesting issues remain to be solved. One issue is how to implement PEO_VR&SOD in systems such as blockchains, wireless sensor networks, and the internet of things. Another issue is how to implement cardinality constraints for policy-engineering optimizations in future work.