Skip to main content

Technical Reports: CMU-CyLab-08-004

Title:Detecting and Resolving Policy Misconfigurations in Access-Control Systems
Authors:Lujo Bauer, Scott Garriss, Michael K. Reiter 
Publication Date:February 4, 2008


Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration and, in the context of particular applications (e.g., health care), very severe consequences. In this paper we apply association rule mining to logs of granted requests to predict changes to access-control policies that are likely to be consistent with users’ intentions, so that these changes can be instituted in advance of misconfigurations interfering with legitimate accesses. Instituting these changes requires consent of the appropriate user, of course, and so a primary contribution of our work is to automatically determine from whom to seek consent and to minimize the costs of doing so. We show using data from a deployed access-control system that our methods can reduce the number of accesses that would have incurred a costly time-of-access delay by 44%, and can correctly predict 58% of the intended policy. These gains are achieved without increasing the total amount of time users spend interacting with the system.

Full Report: CMU-CyLab-08-004