Establishing Intent Groups for the Intent-Based Access Control Framework

Pattabhi Mary Jyosthna 1 and Konala Thammi Reddy 2

1 Department of Computer Science and Engineering, GITAM School of Technology, GITAM (Deemed to be University), Visakhapatnam, India
2 Department of Computer Science and Engineering, GITAM School of Technology, GITAM (Deemed to be University), Visakhapatnam, India

Abstract

Access control models help organizations restrict access to Information Systems in order to minimize internal and external threats. When organizations are required to form cross-functional teams and allow them to access sensitive information, traditional access control models such as Role Based Access Control (RBAC) are inadequate to mitigate internal threats. In this paper, a unique access control approach called Intent Based Access Control (IBAC) is introduced to secure data sharing with cross-functional teams. In IBAC, a group of interdisciplinary individuals is formed to achieve the organization's intent. It uses the Weighted Sum Model (WSM), which is one of the Multi Criterion Decision Making (MCDM) approaches, to choose the best individuals for the Intent Group based on their capabilities, finds their priority level using a Bayesian inference model, and evaluates their work deviation score using the N-Median Outlier Detection (NMOD) method for selecting them to the Intent Group. An employee is selected for the Intent Group if their capability score is sufficient as per the intent requirement, their deviation score is less than the role threshold value, their priority level is High or Medium, and they do not belong to active intents. The access permissions are assigned to the Intent Group to access the required resources instead of being assigned to the individual user as in RBAC.

Keywords

Internal threats, Access control model, Role Based Access Control, Organization’s intent, Weighted Sum Model

1. Introduction

An organization’s Information Systems are highly prone to internal attacks because they must be shared with employees of the same branch or of different branches of the organization [1]. Organizations can use access control models to secure their information systems, resources, and assets against cyber-attacks, data breaches, and security legislation violations. Access control rules are personalized to the company in order to meet the needs of the business. Resources in the academic system, for example, differ from those in the health sector, from those in the financial sector, from those in industrial enterprises, and so on. However, the method of allocating access credentials is the same. If we consider the well-known Role Based Access Control (RBAC) model [2] for the aforementioned organizations, users are associated with roles and access rights are associated with the roles in the organization, and those access rights are defined for that specific organization based on the security levels of the resources and the user roles. H. Wang, Y. Zhang, and J. Cao in [3] used the RBAC model to build a secure framework for information sharing in a virtual university environment. E. O. Boadu and G. K. Armah in [4] applied the RBAC model to a Hospital Management System to reduce the administration burden and to control access to patient records and other hospital resources based on the defined roles and their permissions. Researchers in [5] considered domain knowledge and the purpose of the requesting user for accessing the patient record as constraints in the current RBAC model to preserve the privacy of patient records. B. Tay and A. Mourad in [6] added ML techniques to assess the RBAC access policies enforced in the system and to assess the authorization levels based on user performance and work history, in order to update the policies dynamically. All types of organizations are using the existing RBAC model with some added functionalities depending on their organization’s requirements.
The other general requirement of organizations is multi-disciplinary teams. In general, the employees in an organization must work for the expansion of the organization's reputation in addition to their usual job functions. Each task will be regarded as an organization's objective or intent. A group of interdisciplinary individuals needs to be formed to achieve that organization's goal/intent. For example, if we consider a manufacturing company, in addition to job functionalities such as production, marketing, finance, operations, and so on, employees should work in interdepartmental groups to achieve organizational goals such as new innovations for Research and Development (R&D), organizational rankings, accreditations, and so on. For these kinds of cross-functional teams, trust is a crucial challenge [7] for sharing the Information Systems.

e-ISSN : 0976-5166 p-ISSN : 2231-3850 Pattabhi Mary Jyosthna et al. / Indian Journal of Computer Science and Engineering (IJCSE) DOI : 10.21817/indjcse/2022/v13i6/221306040 Vol. 13 No. 6 Nov-Dec 2022 1836
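The selection rule stated in the abstract can be sketched as follows. This is an added example, not code from the paper: the criteria names, weights, thresholds, helper names and employee records are constructed, and the deviation score and priority level are taken as given inputs rather than computed with NMOD or Bayesian inference.

```python
from dataclasses import dataclass

# Assumed criteria weights for one intent (constructed; they sum to 1).
WEIGHTS = {"domain_skill": 0.5, "experience": 0.3, "certifications": 0.2}
# Assumed per-role deviation thresholds (constructed).
THRESHOLDS = {"engineer": 0.25, "analyst": 0.30}

@dataclass
class Employee:
    name: str
    role: str
    ratings: dict        # raw criterion values on a 0-10 scale
    deviation: float     # work deviation score, taken as given here
    priority: str        # "High", "Medium" or "Low", taken as given here
    active_intents: int  # intents the employee is currently assigned to

def wsm_score(ratings, weights=WEIGHTS, scale=10.0):
    """Weighted Sum Model: sum of weight * normalized criterion value."""
    return sum(w * ratings[c] / scale for c, w in weights.items())

def eligible(e, min_capability, thresholds=THRESHOLDS):
    """All four conditions from the abstract must hold."""
    return (wsm_score(e.ratings) >= min_capability
            and e.deviation < thresholds[e.role]
            and e.priority in ("High", "Medium")
            and e.active_intents == 0)

def form_intent_group(employees, min_capability, size):
    """Keep the `size` eligible employees with the highest WSM score."""
    ranked = sorted((e for e in employees if eligible(e, min_capability)),
                    key=lambda e: wsm_score(e.ratings), reverse=True)
    return [e.name for e in ranked[:size]]

def can_access(user, resource, members, group_permissions):
    """Permissions are held by the Intent Group, not by the individual user."""
    return user in members and resource in group_permissions

def r(skill, exp, cert):  # hypothetical helper to build constructed ratings
    return {"domain_skill": skill, "experience": exp, "certifications": cert}

# Constructed sample records.
EMPLOYEES = [
    Employee("asha", "engineer", r(9, 8, 7), 0.10, "High", 0),
    Employee("ravi", "analyst", r(6, 9, 8), 0.20, "Medium", 0),
    Employee("meena", "engineer", r(10, 9, 9), 0.45, "High", 0),  # deviation too high
    Employee("kiran", "analyst", r(8, 8, 8), 0.10, "Low", 0),     # low priority
    Employee("divya", "engineer", r(9, 9, 9), 0.05, "High", 1),   # in an active intent
    Employee("sunil", "analyst", r(4, 5, 3), 0.10, "High", 0),    # capability too low
]
```

An employee with the highest capability score in the sample ("meena") is still excluded because the deviation check fails, which is the point of combining the four conditions rather than ranking on capability alone.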