Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which path expressions are used to follow chains of relationships between objects.
ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents an algorithm for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model, and an evaluation of the algorithm on four sample policies and two large case studies. It is the first algorithm for these problems.
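The following added illustration (not the paper's algorithm or notation) shows what a path-expression rule over an object model looks like and how a candidate rule set is checked against a legacy ACL, which is the consistency target a mining algorithm works toward. The object model, ACL, rule encoding and function names are all constructed assumptions.

```python
# Constructed object model (illustrative, not from the paper): a field holds
# an atomic value, one object id, or a set of object ids.
OBJECTS = {
    "alice": {"type": "Doctor", "ward": "w1"},
    "bob": {"type": "Doctor", "ward": "w2"},
    "w1": {"type": "Ward", "patients": {"p1", "p2"}},
    "w2": {"type": "Ward", "patients": {"p3"}},
    "p1": {"type": "Patient", "record": "r1"},
    "p2": {"type": "Patient", "record": "r2"},
    "p3": {"type": "Patient", "record": "r3"},
    "r1": {"type": "Record"}, "r2": {"type": "Record"}, "r3": {"type": "Record"},
}
# Constructed legacy ACL as (subject, resource, action) triples.
ACL = {("alice", "r1", "read"), ("alice", "r2", "read"), ("bob", "r3", "read")}

def eval_path(start, path):
    """Follow a chain of fields from `start`; return the set of values reached."""
    current = {start}
    for field in path:
        reached = set()
        for obj_id in current:
            value = OBJECTS.get(obj_id, {}).get(field)
            if value is None:
                continue  # missing field: this branch of the path yields nothing
            reached |= value if isinstance(value, (set, frozenset)) else {value}
        current = reached
    return current

def granted(rule):
    """All triples a rule authorizes: both paths must reach a common value."""
    out = set()
    for s, s_obj in OBJECTS.items():
        if s_obj["type"] != rule["subject_type"]:
            continue
        reach = eval_path(s, rule["subject_path"])
        for r, r_obj in OBJECTS.items():
            if r_obj["type"] == rule["resource_type"] and reach & eval_path(r, rule["resource_path"]):
                out.add((s, r, rule["action"]))
    return out

def compare(rules, acl):
    """Return (ACL entries no rule covers, rule grants absent from the ACL)."""
    g = set().union(*(granted(r) for r in rules)) if rules else set()
    return acl - g, g - acl

# A doctor may read a record reachable via subject.ward.patients.record.
RULE = {"subject_type": "Doctor", "subject_path": ["ward", "patients", "record"],
        "resource_type": "Record", "resource_path": [], "action": "read"}
```

An empty first set from `compare` means every ACL entry is explained by some rule; an empty second set means the rules grant nothing the ACL did not.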