
Synthesizing Access Control Policies using Large Language Models

Adarsh Vatsa, Pratyush Patel, William Eiers

TL;DR

This work tackles the problem of synthesizing cloud access control policies from specification inputs using large language models in a zero-shot setting. It analyzes three prompt styles—concrete requests, coarse natural-language descriptions, and fine-grained syntax—to generate AWS IAM-like policies and verifies their correctness via SMT-based reasoning and permissiveness comparisons. Results show that concrete prompts yield strong but not universal accuracy (e.g., ~83.82% on 100 cases), while coarse prompts often lead to incomparable outputs due to description imprecision; fine-grained syntax prompts improve precision in the majority of cases, highlighting the value of structured specifications. The study suggests that combining structured policy syntax with LLMs could enable reliable policy generation and points to future work on transfer learning, larger datasets, and hybrid human-readable formal specifications for robust guarantees.
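The TL;DR above describes two checks applied to every synthesized policy: classifying each concrete request as allowed or denied and comparing the synthesized policy's permissiveness against the ground truth. The following is an added example, not code from the paper or its authors, that implements both checks for a simplified AWS-IAM-like policy format (default deny, explicit deny wins, `*` and `?` wildcards, case-insensitive action names). The paper performs these checks with SMT-based reasoning; this example instead enumerates a small, constructed request space, which is an assumption made so the code runs stand-alone. The policies and the request specification are likewise constructed for illustration.

```python
"""Check an IAM-like policy against a concrete request specification and
compare two policies' permissiveness over a finite request space.
Added example; the policies and requests below are constructed, not the paper's."""
from fnmatch import fnmatchcase
from itertools import product

# Constructed ground-truth policy: read access to reports, except the secret prefix.
GROUND_TRUTH = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::reports/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::reports/secret/*"},
    ]
}

# Hypothetical synthesized policy that over-generalizes the action and drops the deny.
SYNTHESIZED = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::reports/*"},
    ]
}

# Hypothetical policy that grants a different resource entirely.
UNRELATED = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::payroll/*"},
    ]
}

# Constructed concrete-request specification: (action, resource, expected decision).
REQUEST_SPEC = [
    ("s3:GetObject", "arn:aws:s3:::reports/2024/q1.csv", "Allow"),
    ("s3:ListBucket", "arn:aws:s3:::reports/2024", "Allow"),
    ("s3:PutObject", "arn:aws:s3:::reports/2024/q1.csv", "Deny"),
    ("s3:GetObject", "arn:aws:s3:::reports/secret/keys.txt", "Deny"),
    ("s3:GetObject", "arn:aws:s3:::payroll/salaries.csv", "Deny"),
]

# Finite request space used in place of SMT reasoning (assumption for this example).
ACTIONS = sorted({a for a, _, _ in REQUEST_SPEC})
RESOURCES = sorted({r for _, r, _ in REQUEST_SPEC})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    """A statement applies when both an Action and a Resource pattern match.
    Actions match case-insensitively, resources case-sensitively, as in IAM."""
    action_hit = any(fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt.get("Action", [])))
    resource_hit = any(fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Default deny; any applicable Deny wins; otherwise an applicable Allow allows."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def misclassified(policy, spec):
    """Return (action, resource, expected, got) for each request the policy gets wrong."""
    return [(a, r, expected, evaluate(policy, a, r))
            for a, r, expected in spec if evaluate(policy, a, r) != expected]


def accuracy(policy, spec):
    """Fraction of concrete requests the policy classifies as the spec demands."""
    return 1.0 - len(misclassified(policy, spec)) / len(spec)


def compare_permissiveness(p1, p2, actions=ACTIONS, resources=RESOURCES):
    """Compare p1 to p2 over actions x resources: 'equivalent', 'more permissive',
    'less permissive' or 'incomparable' (each allows something the other denies)."""
    only_p1 = only_p2 = False
    for action, resource in product(actions, resources):
        allowed1 = evaluate(p1, action, resource) == "Allow"
        allowed2 = evaluate(p2, action, resource) == "Allow"
        only_p1 = only_p1 or (allowed1 and not allowed2)
        only_p2 = only_p2 or (allowed2 and not allowed1)
    if only_p1 and only_p2:
        return "incomparable"
    if only_p1:
        return "more permissive"
    if only_p2:
        return "less permissive"
    return "equivalent"


if __name__ == "__main__":
    for name, policy in [("ground truth", GROUND_TRUTH), ("synthesized", SYNTHESIZED)]:
        print(name, "accuracy:", accuracy(policy, REQUEST_SPEC),
              "wrong:", misclassified(policy, REQUEST_SPEC))
    print("synthesized vs ground truth:", compare_permissiveness(SYNTHESIZED, GROUND_TRUTH))
    print("unrelated vs ground truth:", compare_permissiveness(UNRELATED, GROUND_TRUTH))
```

Running the block shows the two failure modes the paper's figures distinguish: the over-broad synthesized policy misclassifies two of the five concrete requests (a 60% score of the kind plotted per policy in Figure 2) and is strictly more permissive than the ground truth, while the policy covering an unrelated resource is incomparable, the outcome the coarse-grain prompts frequently produced.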

Abstract

Cloud compute systems allow administrators to write access control policies that govern access to private data. While policies are written in convenient languages, such as AWS Identity and Access Management Policy Language, manually written policies often become complex and error-prone. In this paper, we investigate whether and how well Large Language Models (LLMs) can be used to synthesize access control policies. Our investigation focuses on the task of taking an access control request specification and zero-shot prompting LLMs to synthesize a well-formed access control policy which correctly adheres to the request specification. We consider two scenarios, one in which the request specification is given as a concrete list of requests to be allowed or denied, and another in which a natural language description is used to specify sets of requests to be allowed or denied. We then argue that for zero-shot prompting, more precise and structured prompts using a syntax-based approach are necessary and experimentally show preliminary results validating our approach.

Paper Structure

This paper contains 17 sections, 4 figures.

Figures (4)

  • Figure 1: Example of a concrete-request prompt (topmost, (a)), a natural-language prompt (middle, (b)), and a fine-grained with syntax prompt (bottom, (c)), for the same policy. Only snippets of the prompts are shown.
  • Figure 2: Number of incorrectly classified requests compared to the number of total requests for each synthesized policy for concrete-request prompts.
  • Figure 3: Distribution of how the synthesized policies compare to the ground truth policies for coarse-grain request prompts.
  • Figure 4: Distribution of how the synthesized policies compare to the ground truth policies for each of the fine-grain-with-syntax prompts.