Leveraging RAG and LLMs for Access Control Policy Extraction From User Stories in Agile Software Development
| Main Authors: | Sara Aboukadri, Aafaf Ouaddah, Abdellatif Mezrioui, Ikram El Asri |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Access control; agile software development; software requirements; RAG; LLMs |
| Online Access: | https://ieeexplore.ieee.org/document/11071540/ |
| Field | Value |
|---|---|
| author | Sara Aboukadri; Aafaf Ouaddah; Abdellatif Mezrioui; Ikram El Asri |
| collection | DOAJ |
| description | Agile development has become increasingly popular among software development teams due to its capacity to deliver and update software rapidly while accommodating evolving requirements. Within this dynamic context, access control policies are critical for ensuring the security of systems by defining who can access specific resources under given conditions. However, identifying and documenting these policies often relies on manual, time-intensive processes prone to errors and oversight. This paper proposes an innovative framework leveraging Retrieval-Augmented Generation (RAG) and Large Language Models (LLMs) to automate the extraction and organization of access control policies from user stories and software documentation. The framework focuses on the early stages of the development lifecycle, capturing access control requirements as expressed in natural language artifacts. It comprises two core components: 1) a pipeline for extracting and categorizing access control policies, enabling precise mappings between roles, actions, and resources, and 2) an interactive chatbot designed to support Security Operations Center (SOC) analysts in evaluating suspicious access requests by providing contextualized insights into access policies. By integrating advanced natural language processing techniques with retrieval-based augmentation, the framework aims to reinforce access control mechanisms by improving visibility and providing contextualized insights for security analysts. |
| format | Article |
| id | doaj-art-cda86631d57a4d3683cfed1e5b1dcbf7 |
| institution | Kabale University |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj-art-cda86631d57a4d3683cfed1e5b1dcbf7; indexed 2025-08-20T03:50:20Z; eng; IEEE; IEEE Access; ISSN 2169-3536; 2025-01-01; vol. 13, pp. 116462-116472; DOI 10.1109/ACCESS.2025.3586203; IEEE Xplore document 11071540; Leveraging RAG and LLMs for Access Control Policy Extraction From User Stories in Agile Software Development; Sara Aboukadri (https://orcid.org/0000-0003-4589-4178), Aafaf Ouaddah, Abdellatif Mezrioui (https://orcid.org/0000-0003-4731-355X), Ikram El Asri (https://orcid.org/0000-0001-5272-8587), all with STRS Laboratory/CEDOC 2TI, National Institute of Posts and Telecommunications, Rabat, Morocco; https://ieeexplore.ieee.org/document/11071540/; Access control; agile software development; software requirements; RAG; LLMs |
| title | Leveraging RAG and LLMs for Access Control Policy Extraction From User Stories in Agile Software Development |
| topic | Access control; agile software development; software requirements; RAG; LLMs |
| url | https://ieeexplore.ieee.org/document/11071540/ |