{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:14:34Z","timestamp":1775470474707,"version":"3.50.1"},"reference-count":46,"publisher":"Association for Computing Machinery (ACM)","issue":"4","funder":[{"DOI":"10.13039\/100000002","name":"National Institutes of Health","doi-asserted-by":"crossref","award":["R35GM134927"],"award-info":[{"award-number":["R35GM134927"]}],"id":[{"id":"10.13039\/100000002","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Cisco Research"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2025,11,30]]},"abstract":"<jats:p>Attribute-Based Access Control (ABAC) is increasingly becoming popular due to its dynamic, flexible, portable, and scalable nature. Under ABAC, security policies (ABAC rules) are stated in terms of the attributes of the subject, the object and the environment. A subject is granted access to an object if their respective attribute values are satisfied against a set of ABAC rules. Typically hierarchical relationships exist among the subjects as well as the objects, where more specific subjects (objects) inherit the attributes from the general ones. As such, if a subject is allowed access to a general object, that subject is allowed to access all of its sub-types. This has been the general understanding and current ABAC enforcement and policy mining approaches follow this approach. However, in this article, we argue that the general understanding of the semantics of the ABAC is not always appropriate. Indeed, under certain semantics, the specific data may be more sensitive than that of its general counterpart. In that situation, if a subject is allowed access to a general type, it should not be allowed access to its sub-type, which is contrary to the current understanding and implementation. 
This article is the first attempt in the literature to distinguish these two different ABAC semantics arising from the different semantics of object attributes themselves. We present concrete examples of these two semantics and demonstrate what can go wrong\u2014both anecdotally as well as empirically\u2014if one ignores the underlying semantics and inappropriately uses the existing enforcement and mining algorithms. We then present how existing algorithms can be modified so that no misconfigurations arise and security is ensured.<\/jats:p>","DOI":"10.1145\/3736764","type":"journal-article","created":{"date-parts":[[2025,5,23]],"date-time":"2025-05-23T07:26:38Z","timestamp":1747985198000},"page":"1-20","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Semantically Correct Policy Mining and Enforcement for Attribute Based Access Control"],"prefix":"10.1145","volume":"25","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6954-6501","authenticated-orcid":false,"given":"Gunjan","family":"Batra","sequence":"first","affiliation":[{"name":"Information Systems and Security, Coles College of Business, Kennesaw State University","place":["Kennesaw, United States"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5700-7137","authenticated-orcid":false,"given":"Samir","family":"Talegaon","sequence":"additional","affiliation":[{"name":"Villanova University","place":["Villanova, United States"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2068-780X","authenticated-orcid":false,"given":"Vijayalakshmi","family":"Atluri","sequence":"additional","affiliation":[{"name":"MSIS, Rutgers Business School, Rutgers University","place":["Newark, United States"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7420-6947","authenticated-orcid":false,"given":"Jaideep","family":"Vaidya","sequence":"additional","affiliation":[{"name":"MSIS, , Rutgers Business School, Rutgers University","place":["Newark, United 
States"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4315-7329","authenticated-orcid":false,"given":"Shamik","family":"Sural","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology Kharagpur","place":["Kharagpur, India"]}]}],"member":"320","published-online":{"date-parts":[[2025,9,13]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"crossref","first-page":"523","DOI":"10.1007\/978-3-030-58951-6_26","volume-title":"Proceedings of the Computer Security\u2013ESORICS 2020: 25th European Symposium on Research in Computer Security, ESORICS 2020, Guildford, UK, September 14\u201318, 2020, Proceedings, Part I 25","author":"Jabal Amani Abu","year":"2020","unstructured":"Amani Abu Jabal, Elisa Bertino, Jorge Lobo, Mark Law, Alessandra Russo, Seraphin Calo, and Dinesh Verma. 2020. Polisma-a framework for learning attribute-based access control policies. In Proceedings of the Computer Security\u2013ESORICS 2020: 25th European Symposium on Research in Computer Security, ESORICS 2020, Guildford, UK, September 14\u201318, 2020, Proceedings, Part I 25. Springer, 523\u2013544."},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3577923.3585050"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-018-0019-2"},{"key":"e_1_3_2_5_2","volume-title":"Policy configuration and management in attribute based access control","author":"Batra Gunjan","year":"2021","unstructured":"Gunjan Batra. 2021. Policy configuration and management in attribute based access control. Ph. D. Dissertation. Rutgers The State University of New Jersey, Graduate School-Newark."},{"key":"e_1_3_2_6_2","first-page":"1","volume-title":"Encyclopedia of Cryptography, Security and Privacy","author":"Batra Gunjan","year":"2024","unstructured":"Gunjan Batra. 2024. Attribute-based access control. In Encyclopedia of Cryptography, Security and Privacy. 
Springer, 1\u20133."},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/3422337.3447825"},{"key":"e_1_3_2_8_2","doi-asserted-by":"crossref","unstructured":"David E. Bell Leonard J. La Padula et\u00a0al. 1976. Secure computer system: Unified exposition and multics interpretation. (1976).","DOI":"10.21236\/ADA023588"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3041048.3041053"},{"key":"e_1_3_2_10_2","first-page":"4000","volume-title":"Proceedings of the 2019 IEEE International Conference on Big Data (Big Data\u201919)","author":"Cappelletti Luca","year":"2019","unstructured":"Luca Cappelletti, Stefano Valtolina, Giorgio Valentini, Marco Mesiti, and Elisa Bertino. 2019. On the quality of classification models for inferring ABAC policies from access logs. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data\u201919). IEEE, 4000\u20134007."},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/IRI.2019.00047"},{"key":"e_1_3_2_12_2","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1109\/EuroSP.2018.00011","volume-title":"Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P\u201918)","author":"Cotrini Carlos","year":"2018","unstructured":"Carlos Cotrini, Thilo Weghorn, and David Basin. 2018. Mining ABAC rules from sparse logs. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P\u201918). IEEE, 31\u201346."},{"key":"e_1_3_2_13_2","first-page":"327","volume-title":"Proceedings of the Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications: 8th International Conference, FDSE 2021, Virtual Event, November 24\u201326, 2021, Proceedings 8","author":"Dang Tran Khanh","year":"2021","unstructured":"Tran Khanh Dang, Xuan Tinh Chu, and The Huy Tran. 2021. Privacy-preserving attribute-based access control in education information systems. 
In Proceedings of the Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications: 8th International Conference, FDSE 2021, Virtual Event, November 24\u201326, 2021, Proceedings 8. Springer, 327\u2013345."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-04834-1_2"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3323233"},{"key":"e_1_3_2_16_2","doi-asserted-by":"crossref","first-page":"186","DOI":"10.1007\/978-3-031-23690-7_11","volume-title":"Proceedings of the Information Systems Security","author":"Davari Maryam","year":"2022","unstructured":"Maryam Davari and Mohammad Zulkernine. 2022. Mining attribute-based access control policies. In Proceedings of the Information Systems Security, Venkata Ramana Badarla, Surya Nepal, and Rudrapatna K. Shyamasundar (Eds.). Springer Nature Switzerland, Cham, 186\u2013201."},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/501978.501980"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3078861.3084163"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-021-00565-4"},{"key":"e_1_3_2_20_2","first-page":"417","volume-title":"Proceedings of the May 16\u201318, 1972, Spring Joint Computer Conference","author":"Graham G. Scott","year":"1971","unstructured":"G. Scott Graham and Peter J. Denning. 1971. Protection: Principles and practice. In Proceedings of the May 16\u201318, 1972, Spring Joint Computer Conference. 417\u2013429."},{"key":"e_1_3_2_21_2","first-page":"61","volume-title":"Proceedings of the 9th ACM Conference on Data and Application Security and Privacy","author":"Gupta Maanak","year":"2019","unstructured":"Maanak Gupta, James Benson, Farhan Patwa, and Ravi Sandhu. 2019. Dynamic groups and attribute-based access control for next-generation smart cars. In Proceedings of the 9th ACM Conference on Data and Application Security and Privacy. 
61\u201372."},{"key":"e_1_3_2_22_2","doi-asserted-by":"crossref","first-page":"318","DOI":"10.1007\/978-3-319-46298-1_21","volume-title":"Proceedings of the International Conference on Network and System Security","author":"Gupta Maanak","year":"2016","unstructured":"Maanak Gupta and Ravi Sandhu. 2016. The GURA G administrative model for user and group attribute assignment. In Proceedings of the International Conference on Network and System Security. Springer, 318\u2013332."},{"key":"e_1_3_2_23_2","volume-title":"Attribute based Access Control (ABAC) Definition and Considerations","author":"Hu Vincent","year":"2014","unstructured":"Vincent Hu. 2014. Attribute based Access Control (ABAC) Definition and Considerations. Technical Report. National Institute of Standards and Technology."},{"key":"e_1_3_2_24_2","unstructured":"D. Ferraiolo R. Kuhn A. Schnitzer A. Sandlin K. Miller and K. Scarfone. 2014. Guide to attribute based access control (ABAC) definition and considerations. National Institute of Standards and Technology. 1\u201347. https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-162.pdf"},{"key":"e_1_3_2_25_2","first-page":"161","volume-title":"Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies","author":"Iyer Padmavathi","year":"2018","unstructured":"Padmavathi Iyer and Amirreza Masoumzadeh. 2018. Mining positive and negative attribute-based access control policy rules. In Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies. 161\u2013172."},{"issue":"4","key":"e_1_3_2_26_2","doi-asserted-by":"crossref","first-page":"2304","DOI":"10.1109\/TDSC.2021.3054331","article-title":"An automatic attribute-based access control policy extraction from access logs","volume":"19","author":"Karimi Leila","year":"2021","unstructured":"Leila Karimi, Maryam Aldairi, James Joshi, and Mai Abdelhakim. 2021. An automatic attribute-based access control policy extraction from access logs. 
IEEE Transactions on Dependable and Secure Computing 19, 4 (2021), 2304\u20132317.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_27_2","first-page":"1427","volume-title":"Proceedings of the 2018 IEEE International Conference on Big Data (Big Data\u201918)","author":"Karimi Leila","year":"2018","unstructured":"Leila Karimi and James Joshi. 2018. An unsupervised learning based approach for mining attribute based access control policies. In Proceedings of the 2018 IEEE International Conference on Big Data (Big Data\u201918). IEEE, 1427\u20131436."},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.12783\/DTCSE\/AICS2016\/8254"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-15934-8_24"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/1377836.1377840"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3078861.3078874"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1504\/IJGUC.2014.065372"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359805"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1371\/journal.pone.0245122"},{"key":"e_1_3_2_35_2","doi-asserted-by":"crossref","first-page":"187","DOI":"10.1007\/978-3-319-17040-4_12","volume-title":"Proceedings of the Foundations and Practice of Security: 7th International Symposium, FPS 2014, Montreal, QC, Canada, November 3\u20135, 2014. Revised Selected Papers 7","author":"Servos Daniel","year":"2015","unstructured":"Daniel Servos and Sylvia L. Osborn. 2015. HGABAC: Towards a formal model of hierarchical attribute-based access control. In Proceedings of the Foundations and Practice of Security: 7th International Symposium, FPS 2014, Montreal, QC, Canada, November 3\u20135, 2014. Revised Selected Papers 7. 
Springer, 187\u2013204."},{"key":"e_1_3_2_36_2","first-page":"1","volume-title":"Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control","author":"Servos Daniel","year":"2018","unstructured":"Daniel Servos and Sylvia L. Osborn. 2018. HGAA: An architecture to support hierarchical group and attribute-based access control. In Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control. 1\u201312."},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103717"},{"key":"e_1_3_2_38_2","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1109\/PST.2016.7906934","volume-title":"Proceedings of the 2016 14th Annual Conference on Privacy, Security and Trust (PST\u201916)","author":"Singh Mahendra Pratap","year":"2016","unstructured":"Mahendra Pratap Singh. 2016. AHCSABAC: Attribute value hierarchies and constraints specification in attribute-based access control. In Proceedings of the 2016 14th Annual Conference on Privacy, Security and Trust (PST\u201916). IEEE, 35\u201341."},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/3532105.3535021"},{"key":"e_1_3_2_40_2","first-page":"339","volume-title":"Proceedings of the IEEE International Conference on Collaboration and Internet Computing","author":"Talukdar Tanay","year":"2017","unstructured":"Tanay Talukdar, Gunjan Batra, Jaideep Vaidya, Vijayalakshmi Atluri, and Shamik Sural. 2017. Efficient bottom-up mining of attribute based access control policies. In Proceedings of the IEEE International Conference on Collaboration and Internet Computing. 339\u2013348."},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/1951365.1951394"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/1266840.1266877"},{"issue":"11","key":"e_1_3_2_43_2","first-page":"2149","article-title":"Log-based rich-semantic ABAC policy mining","volume":"54","author":"Wu Wen-chao","year":"2020","unstructured":"Wen-chao Wu, Zhi-yu Ren, and Xue-hui Du. 2020. 
Log-based rich-semantic ABAC policy mining. Journal of ZheJiang University (Engineering Science) 54, 11 (2020), 2149\u20132157.","journal-title":"Journal of ZheJiang University (Engineering Science)"},{"issue":"5","key":"e_1_3_2_44_2","doi-asserted-by":"crossref","first-page":"e5556","DOI":"10.1002\/cpe.5556","article-title":"An efficient privacy-enhanced attribute-based access control mechanism","volume":"32","author":"Xu Yang","year":"2020","unstructured":"Yang Xu, Quanrun Zeng, Guojun Wang, Cheng Zhang, Ju Ren, and Yaoxue Zhang. 2020. An efficient privacy-enhanced attribute-based access control mechanism. Concurrency and Computation: Practice and Experience 32, 5 (2020), e5556.","journal-title":"Concurrency and Computation: Practice and Experience"},{"key":"e_1_3_2_45_2","first-page":"276","volume-title":"Proceedings of the Data and Applications Security and Privacy XXVIII: 28th Annual IFIP WG 11.3 Working Conference, DBSec 2014, Vienna, Austria, July 14\u201316, 2014. Proceedings 28","author":"Xu Zhongyuan","year":"2014","unstructured":"Zhongyuan Xu and Scott D. Stoller. 2014. Mining attribute-based access control policies from logs. In Proceedings of the Data and Applications Security and Privacy XXVIII: 28th Annual IFIP WG 11.3 Working Conference, DBSec 2014, Vienna, Austria, July 14\u201316, 2014. Proceedings 28. Springer, 276\u2013291."},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2014.2369048"},{"key":"e_1_3_2_47_2","first-page":"294","volume-title":"Proceedings of the Service-Oriented Computing-ICSOC 2012 Workshops: ICSOC 2012, International Workshops ASC, DISA, PAASC, SCEB, SeMaPS, WESOA, and Satellite Events, Shanghai, China, November 12\u201315, 2012, Revised Selected Papers 10","author":"Zhang Guoping","year":"2013","unstructured":"Guoping Zhang, Jing Liu, and Jianbo Liu. 2013. Protecting sensitive attributes in attribute based access control. 
In Proceedings of the Service-Oriented Computing-ICSOC 2012 Workshops: ICSOC 2012, International Workshops ASC, DISA, PAASC, SCEB, SeMaPS, WESOA, and Satellite Events, Shanghai, China, November 12\u201315, 2012, Revised Selected Papers 10. Springer, 294\u2013305."}],"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3736764","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,13]],"date-time":"2025-09-13T11:20:21Z","timestamp":1757762421000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3736764"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,13]]},"references-count":46,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,11,30]]}},"alternative-id":["10.1145\/3736764"],"URL":"https:\/\/doi.org\/10.1145\/3736764","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,9,13]]},"assertion":[{"value":"2024-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-03","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-09-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
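The abstract above distinguishes two readings of an object-type hierarchy in ABAC: the usual one, where a rule written for a general type also covers every sub-type, and the one the article argues for when specific data is more sensitive than general data, where it must not. The following Python is an added illustration of that distinction and is not code, data or an algorithm from the article. The hierarchy, rules, attribute names and requests are constructed for the example, and the function and constant names (`HIERARCHY`, `Rule`, `permit`, `inheritance_only_grants`) are the example's own.

```python
"""Added example: two object-hierarchy semantics for ABAC enforcement.

Everything here (hierarchy, rules, requests, names) is constructed for
illustration; it is not the article's data, code or mining algorithm.
"""
from dataclasses import dataclass

# Constructed object-type hierarchy, child -> parent.
# 'lab_result' and 'psych_note' are sub-types of 'medical_record',
# which is itself a sub-type of 'document'.
HIERARCHY = {
    "medical_record": "document",
    "lab_result": "medical_record",
    "psych_note": "medical_record",
    "invoice": "document",
}


def ancestors(obj_type, hierarchy=HIERARCHY):
    """Return [obj_type, parent, grandparent, ...] up to the root type."""
    chain = [obj_type]
    while chain[-1] in hierarchy:
        chain.append(hierarchy[chain[-1]])
    return chain


@dataclass
class Rule:
    subject: dict   # required subject attribute values, e.g. {"role": "nurse"}
    obj_type: str   # the object type the rule is written for
    action: str


def _attrs_match(required, actual):
    return all(actual.get(k) == v for k, v in required.items())


def permit(rule_set, subject, obj_type, action, semantics, hierarchy=HIERARCHY):
    """Evaluate one request under a chosen hierarchy semantics.

    "generalization": the usual reading; a rule for a general type covers
        every sub-type, so a rule matches if its type is an ancestor of
        (or equal to) the requested object's type.
    "sensitivity": the reading for hierarchies where the specific type is
        more sensitive than the general one; a rule covers only the exact
        type it names, so access to 'medical_record' says nothing about
        'psych_note'. (Whether access to a specific type should imply
        access to its general type is not stated in the abstract, so this
        example does not assume it.)
    """
    if semantics == "generalization":
        covered = set(ancestors(obj_type, hierarchy))
    elif semantics == "sensitivity":
        covered = {obj_type}
    else:
        raise ValueError(f"unknown semantics: {semantics!r}")
    return any(
        r.action == action
        and r.obj_type in covered
        and _attrs_match(r.subject, subject)
        for r in rule_set
    )


def inheritance_only_grants(rule_set, requests, hierarchy=HIERARCHY):
    """Requests permitted only because of downward inheritance.

    If the policy was authored with sensitivity semantics in mind, each of
    these is an over-grant produced by enforcing it with the usual semantics.
    """
    return [
        req for req in requests
        if permit(rule_set, *req, "generalization", hierarchy=hierarchy)
        and not permit(rule_set, *req, "sensitivity", hierarchy=hierarchy)
    ]


# Constructed policy: nurses may read medical records in general;
# only psychiatrists are explicitly granted the more sensitive psych notes.
RULES = [
    Rule({"role": "nurse"}, "medical_record", "read"),
    Rule({"role": "psychiatrist"}, "psych_note", "read"),
]

# Constructed requests: (subject attributes, object type, action).
REQUESTS = [
    ({"role": "nurse"}, "medical_record", "read"),         # explicit in both readings
    ({"role": "nurse"}, "lab_result", "read"),             # via inheritance only
    ({"role": "nurse"}, "psych_note", "read"),             # via inheritance only; sensitive
    ({"role": "psychiatrist"}, "psych_note", "read"),      # explicit in both readings
    ({"role": "psychiatrist"}, "medical_record", "read"),  # denied in both readings
    ({"role": "nurse"}, "invoice", "read"),                # denied in both readings
]

if __name__ == "__main__":
    for subj, otype, act in REQUESTS:
        g = permit(RULES, subj, otype, act, "generalization")
        s = permit(RULES, subj, otype, act, "sensitivity")
        print(f"{subj['role']:<13} {act} {otype:<15} generalization={g!s:<5} sensitivity={s}")
    print("over-grants if the policy meant sensitivity semantics:",
          [otype for _, otype, _ in inheritance_only_grants(RULES, REQUESTS)])
```

Running the script lists each request under both readings; the two requests that the nurse rule only satisfies through inheritance (`lab_result` and `psych_note`) are exactly the decisions that flip between the two semantics, which is the kind of misconfiguration the abstract warns about when a policy authored for one semantics is enforced or mined under the other.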