TY - GEN
T1 - Synthesizing Access Control Policies Using Large Language Models
AU - Vatsa, Adarsh
AU - Patel, Pratyush
AU - Eiers, William
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Cloud compute systems allow administrators to write access control policies that govern access to private data. While policies are written in convenient languages, such as AWS Identity and Access Management Policy Language, manually written policies often become complex and error-prone. In this paper, we investigate whether and how well Large Language Models (LLMs) can be used to synthesize access control policies. Our investigation focuses on the task of taking an access control request specification and zero-shot prompting LLMs to synthesize a well-formed access control policy which correctly adheres to the request specification. We consider two scenarios, one in which the request specification is given as a concrete list of requests to be allowed or denied, and another in which a natural language description is used to specify sets of requests to be allowed or denied. We then argue that for zero-shot prompting, more precise and structured prompts using a syntax-based approach are necessary and experimentally show preliminary results validating our approach.
AB - Cloud compute systems allow administrators to write access control policies that govern access to private data. While policies are written in convenient languages, such as AWS Identity and Access Management Policy Language, manually written policies often become complex and error-prone. In this paper, we investigate whether and how well Large Language Models (LLMs) can be used to synthesize access control policies. Our investigation focuses on the task of taking an access control request specification and zero-shot prompting LLMs to synthesize a well-formed access control policy which correctly adheres to the request specification. We consider two scenarios, one in which the request specification is given as a concrete list of requests to be allowed or denied, and another in which a natural language description is used to specify sets of requests to be allowed or denied. We then argue that for zero-shot prompting, more precise and structured prompts using a syntax-based approach are necessary and experimentally show preliminary results validating our approach.
KW - access control policy
KW - large language models
KW - policy synthesis
KW - verification
UR - https://www.scopus.com/pages/publications/105009458749
UR - https://www.scopus.com/pages/publications/105009458749#tab=citedBy
U2 - 10.1109/NLBSE66842.2025.00008
DO - 10.1109/NLBSE66842.2025.00008
M3 - Conference contribution
AN - SCOPUS:105009458749
T3 - Proceedings - 2025 IEEE/ACM International Workshop on Natural Language-Based Software Engineering, NLBSE 2025
SP - 13
EP - 16
BT - Proceedings - 2025 IEEE/ACM International Workshop on Natural Language-Based Software Engineering, NLBSE 2025
T2 - 2025 IEEE/ACM International Workshop on Natural Language-Based Software Engineering, NLBSE 2025
Y2 - 27 April 2025
ER -