LMN: A Tool for Generating Machine Enforceable Policies from Natural Language Access Control Rules using LLMs

Access control is a fundamental security requirement in any organization for ensuring that only authorized users can access certain information or resources under specific conditions. While enforcement needs to be done in computer systems, access control policies are typically decided by the higher management. For example, in a university system, the Department Chair, Dean and the Provost may take a decision on who can access which object (like Conference room printers, Graduate studies applications, Faculty tenure support letters, etc.) at the Department, School and University level, respectively. Such decisions are often noted down as meeting minutes, email exchanges, or other forms of documentation in a natural language like English (hereinafter referred to as Natural Language Access Control Policies, i.e., NLACPs). For information system level implementation of such decisions, System Security Officers (SSOs) must translate the NLACPs into Machine Enforceable Security Policies (MESPs) using a target access control model like Role-based Access Control (RBAC) or Attribute-based Access Control (ABAC). It is apparent that manual conversion of NLACPs into MESPs not only demands time and resource, it is also error prone, especially for large organizations with dynamically changing policies.