Leveraging RAG and LLMs for Access Control Policy Extraction From User Stories in Agile Software Development
| Field | Value |
|---|---|
| Main Authors | , , , |
| Format | Article |
| Language | English |
| Published | IEEE, 2025-01-01 |
| Series | IEEE Access |
| Subjects | |
| Online Access | https://ieeexplore.ieee.org/document/11071540/ |
| ISSN | 2169-3536 |

Summary: Agile development has become increasingly popular among software development teams due to its capacity to deliver and update software rapidly while accommodating evolving requirements. Within this dynamic context, access control policies are critical for ensuring the security of systems by defining who can access specific resources under given conditions. However, identifying and documenting these policies often relies on manual, time-intensive processes prone to errors and oversight. This paper proposes an innovative framework leveraging Retrieval-Augmented Generation (RAG) and Large Language Models (LLMs) to automate the extraction and organization of access control policies from user stories and software documentation. The framework focuses on the early stages of the development lifecycle, capturing access control requirements as expressed in natural language artifacts. It comprises two core components: 1) a pipeline for extracting and categorizing access control policies, enabling precise mappings between roles, actions, and resources, and 2) an interactive chatbot designed to support Security Operations Center (SOC) analysts in evaluating suspicious access requests by providing contextualized insights into access policies. By integrating advanced natural language processing techniques with retrieval-based augmentation, the framework aims to reinforce access control mechanisms by improving visibility and providing contextualized insights for security analysts.