An Approach for Handling Missing Attribute Values in Attribute-Based Access Control Policy Mining

Attribute-Based Access Control (ABAC) enables highly expressive and flexible access decisions by considering a wide range of contextual attributes. ABAC policies use logical expressions that combine these attributes, allowing for precise and context-aware control. Algorithms that mine ABAC policies from legacy access control systems can significantly reduce the costs associated with migrating to ABAC. However, a major challenge in this process is handling incomplete entity information, where some attribute values are missing. This paper introduces an approach that enhances the policy mining process by predicting or inferring missing attribute values. This is accomplished by employing a contextual clustering technique that groups entities according to their known attributes, which are then used to analyze and refine authorization decisions. By effectively managing incomplete data, our approach provides security administrators with a valuable tool to improve their attribute data and ensure a smoother, more efficient transition to ABAC.