Attribute-based access control (ABAC) has attracted widespread interest and has become an ideal mechanism due to its flexibility characteristic and the powerful expressiveness for various security policies, such as the separation-of-duty constraint and cardinality constraint. The formulation of appropriate ABAC policies is critical for ensuring system security and robustness. However, conflicts occur frequently in existing state-of-the-art systems. Most conventional detection methods either lack the evaluation of the policy quality or consider no constraint. To resolve these problems, a novel method for the ABAC policy evaluation is proposed in this study. First, to meet diverse organizational requirements, we use the attribute-based constraints specification language to uniformly formulate and specify the conflict relations among attributes and present the satisfiability of conflict relations. Second, to comprehensively detect the conflict problems, we present the evaluation criteria for conflicts on attributes and rules and propose a novel algorithm for detecting conflicts. Last, we validate the effectiveness and efficiency of the proposal through experiments, which demonstrate that it not only improves the policy quality but also reduces the conflicting number and conflicting probability.

中文翻译：

---

使用约束规范语言和冲突检测的基于属性的策略评估

基于属性的访问控制（ABAC）由于其灵活的特性和对各种安全策略（如职责分离约束和基数约束）的强大表达能力而受到广泛关注并成为一种理想的机制。制定适当的 ABAC 策略对于确保系统安全性和稳健性至关重要。然而，在现有的最先进的系统中经常发生冲突。大多数传统的检测方法要么缺乏对策略质量的评估，要么不考虑约束。为了解决这些问题，本研究提出了一种新的 ABAC 政策评估方法。一、满足多样化的组织需求，我们使用基于属性的约束规范语言来统一制定和指定属性之间的冲突关系，并呈现冲突关系的可满足性。其次，为了全面检测冲突问题，我们提出了属性和规则冲突的评估标准，并提出了一种新的冲突检测算法。最后，我们通过实验验证了该提议的有效性和效率，表明它不仅提高了策略质量，而且减少了冲突数量和冲突概率。