Enhancing Relationship-Based Access Control Policies with Negative Rule Mining

Ferhat Demirkiran; Amir Masoumzadeh

doi:10.1145/3714393.3726510

Enhancing Relationship-Based Access Control Policies with Negative Rule Mining

Ferhat Demirkiran
, Amir Masoumzadeh

Computer Science

University at Albany

SUNY Albany

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Relationship-based access control (ReBAC) policies often rely solely on positive authorization rules, implicitly denying all other requests by default. However, many scenarios require explicitly stating negative authorization rules to capture exceptions or special restrictions that are not naturally enforced by deny-by-default semantics. This work presents a systematic method to mine ReBAC policies that integrate both positive and negative authorization rules from observed authorizations. We formalize the mining problem, show its NP-hardness, and develop an approach that identifies minimal policies while accurately reflecting observed access decisions. We demonstrate the feasibility and effectiveness of our proposed approach through a set of experiments. Our experimental evaluations on representative datasets demonstrate that including negative rules leads to more concise and semantically complete policies, confirming the necessity of explicit negative authorizations in complex access control settings.

Original language	English
Title of host publication	CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy
Publisher	Association for Computing Machinery, Inc
Pages	96-106
Number of pages	11
ISBN (Electronic)	9798400714764
DOIs	https://doi.org/10.1145/3714393.3726510
State	Published - Jun 4 2025
Event	15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025 - Pittsburgh, United States Duration: Jun 4 2025 → Jun 6 2025

Publication series

Name	CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy

Conference

Conference	15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025
Country/Territory	United States
City	Pittsburgh
Period	06/4/25 → 06/6/25

Keywords

deny rules
negative authorization
policy mining
policy optimization
relationship-based access control

Access to Document

10.1145/3714393.3726510

Cite this

Demirkiran, F., & Masoumzadeh, A. (2025). Enhancing Relationship-Based Access Control Policies with Negative Rule Mining. In CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy (pp. 96-106). (CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy). Association for Computing Machinery, Inc. https://doi.org/10.1145/3714393.3726510

Demirkiran, Ferhat ; Masoumzadeh, Amir. / Enhancing Relationship-Based Access Control Policies with Negative Rule Mining. CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc, 2025. pp. 96-106 (CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy).

@inproceedings{962395d00bf64b4eb2daa36eaa7aae3d,

title = "Enhancing Relationship-Based Access Control Policies with Negative Rule Mining",

abstract = "Relationship-based access control (ReBAC) policies often rely solely on positive authorization rules, implicitly denying all other requests by default. However, many scenarios require explicitly stating negative authorization rules to capture exceptions or special restrictions that are not naturally enforced by deny-by-default semantics. This work presents a systematic method to mine ReBAC policies that integrate both positive and negative authorization rules from observed authorizations. We formalize the mining problem, show its NP-hardness, and develop an approach that identifies minimal policies while accurately reflecting observed access decisions. We demonstrate the feasibility and effectiveness of our proposed approach through a set of experiments. Our experimental evaluations on representative datasets demonstrate that including negative rules leads to more concise and semantically complete policies, confirming the necessity of explicit negative authorizations in complex access control settings.",

keywords = "deny rules, negative authorization, policy mining, policy optimization, relationship-based access control",

author = "Ferhat Demirkiran and Amir Masoumzadeh",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025 ; Conference date: 04-06-2025 Through 06-06-2025",

year = "2025",

month = jun,

day = "4",

doi = "10.1145/3714393.3726510",

language = "English",

series = "CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy",

publisher = "Association for Computing Machinery, Inc",

pages = "96--106",

booktitle = "CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy",

}

Demirkiran, F & Masoumzadeh, A 2025, Enhancing Relationship-Based Access Control Policies with Negative Rule Mining. in CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy. CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy, Association for Computing Machinery, Inc, pp. 96-106, 15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025, Pittsburgh, United States, 06/4/25. https://doi.org/10.1145/3714393.3726510

Enhancing Relationship-Based Access Control Policies with Negative Rule Mining. / Demirkiran, Ferhat; Masoumzadeh, Amir.
CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc, 2025. p. 96-106 (CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Enhancing Relationship-Based Access Control Policies with Negative Rule Mining

AU - Demirkiran, Ferhat

AU - Masoumzadeh, Amir

PY - 2025/6/4

Y1 - 2025/6/4

N2 - Relationship-based access control (ReBAC) policies often rely solely on positive authorization rules, implicitly denying all other requests by default. However, many scenarios require explicitly stating negative authorization rules to capture exceptions or special restrictions that are not naturally enforced by deny-by-default semantics. This work presents a systematic method to mine ReBAC policies that integrate both positive and negative authorization rules from observed authorizations. We formalize the mining problem, show its NP-hardness, and develop an approach that identifies minimal policies while accurately reflecting observed access decisions. We demonstrate the feasibility and effectiveness of our proposed approach through a set of experiments. Our experimental evaluations on representative datasets demonstrate that including negative rules leads to more concise and semantically complete policies, confirming the necessity of explicit negative authorizations in complex access control settings.

AB - Relationship-based access control (ReBAC) policies often rely solely on positive authorization rules, implicitly denying all other requests by default. However, many scenarios require explicitly stating negative authorization rules to capture exceptions or special restrictions that are not naturally enforced by deny-by-default semantics. This work presents a systematic method to mine ReBAC policies that integrate both positive and negative authorization rules from observed authorizations. We formalize the mining problem, show its NP-hardness, and develop an approach that identifies minimal policies while accurately reflecting observed access decisions. We demonstrate the feasibility and effectiveness of our proposed approach through a set of experiments. Our experimental evaluations on representative datasets demonstrate that including negative rules leads to more concise and semantically complete policies, confirming the necessity of explicit negative authorizations in complex access control settings.

KW - deny rules

KW - negative authorization

KW - policy mining

KW - policy optimization

KW - relationship-based access control

UR - https://www.scopus.com/pages/publications/105011359814

U2 - 10.1145/3714393.3726510

DO - 10.1145/3714393.3726510

M3 - Conference contribution

T3 - CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy

SP - 96

EP - 106

BT - CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy

PB - Association for Computing Machinery, Inc

T2 - 15th ACM Conference on Data and Application Security and Privacy, CODASPY 2025

Y2 - 4 June 2025 through 6 June 2025

ER -

Demirkiran F, Masoumzadeh A. Enhancing Relationship-Based Access Control Policies with Negative Rule Mining. In CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc. 2025. p. 96-106. (CODASPY 2025 - Proceedings of the 15th ACM Conference on Data and Application Security and Privacy). doi: 10.1145/3714393.3726510

Enhancing Relationship-Based Access Control Policies with Negative Rule Mining

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this