Extracting attribute-based access control rules from business process event logs

—Protecting sensitive information from unauthorized access is recognized as a crucial issue for today’s organizations. Identity and Access Management is one of the best practices techniques that ensure that the right people have access to the right systems at the right time. In particular, Attribute-Based Access Control (ABAC) models have recently gained popularity because of their capability to provide fine-grained and contextual access control that is not based on the user but on the attributes of every component in the system. Despite the benefits of adopting ABAC, it is commonly agreed that deploying an ABAC system is a complicated, time-consuming and challenging task. This is because all attributes of the system must be defined, and acess rules must not only be created, but also regularly monitored and reviewed. In this paper, we propose an automated approach to extract ABAC rules from event logs which record the actual execution of business processes. Event logs capture which tasks are performed by whom and at what point in time, and what data are taken as input and output. Therefore, they provide rich information on task and data access policies. Concretely, we propose to use (i) process mining techniques in order to analyze the event log and extract useful attributes and (ii) data mining techniques in order to learn the ABAC rules. To validate our approach, we (i) developed a Java application, and (ii) performed experiments on a real-life event log. Experimental results show that our approach is efficient and feasible.