SoK: Access Control Policy Generation from High-level Natural Language Requirements

Abstract

Administrator-centered access control failures can cause data breaches, putting organizations at risk of financial loss and reputation damage. Existing graphical policy configuration tools and automated policy generation frameworks attempt to help administrators configure and generate access control policies by avoiding such failures. However, graphical policy configuration tools are prone to human errors, making them unusable. On the other hand, automated policy generation frameworks are prone to erroneous predictions, making them unreliable. Therefore, to find ways to improve their usability and reliability, we conducted a Systematic Literature Review analyzing 49 publications. The thematic analysis of the publications revealed that graphical policy configuration tools are developed to write and visualize policies manually. Moreover, automated policy generation frameworks are developed using machine learning (ML) and natural language processing (NLP) techniques to automatically generate access control policies from high-level requirement specifications. Despite their utility in the access control domain, limitations of these tools, such as the lack of flexibility, and limitations of frameworks, such as the lack of domain adaptation, negatively affect their usability and reliability, respectively. Our study offers recommendations to address these limitations through real-world applications and recent advancements in the NLP domain, paving the way for future research.