“…First, a policy language without negation is sometimes preferred to reduce the chance of writing rules that grant excess permissions when new entities are added; for example, the condition subject.department ∈ {CS, EE} is safe even if new departments may be created, but the condition subject.department = CS may lead to undesired granting of permissions to members of new departments. Second, this allows direct experimental comparison of our algorithm with FS-SEA*, the state-of-the-art ReBAC policy mining algorithm in [BSL19a], the most recent and best of Bui et al's ReBAC policy mining algorithms. FS-SEA* is a complicated multi-phase algorithm that combines heuristics, neural networks, and a grammar-based genetic algorithm.…”