[Paper Review] Prose2Policy (P2P): A Practical LLM Pipeline for Translating Natural-Language Access Policies into Executable Rego
tldr: Prose2Policy is an end-to-end LLM-based toolchain that translates natural-language access control policies into executable Rego code, including extraction, schema validation, linting, compilation, and automated tests. It emphasizes deployment reliability and auditability.
Prose2Policy (P2P) is an LLM-based practical tool that translates natural-language access control policies (NLACPs) into executable Rego code (the policy language of Open Policy Agent, OPA). It provides a modular, end-to-end pipeline that performs policy detection, component extraction, schema validation, linting, compilation, and automatic test generation and execution. Prose2Policy is designed to bridge the gap between human-readable access requirements and machine-enforceable policy-as-code (PaC) while emphasizing deployment reliability and auditability. We evaluated Prose2Policy on the ACRE dataset and demonstrated a 95.3% compile rate for accepted policies, with automated testing achieving an 82.2% positive-test pass rate and a 98.9% negative-test pass rate. These results indicate that Prose2Policy produces syntactically robust and behaviorally consistent Rego policies suitable for Zero Trust and compliance-driven environments.
Motivation and Objectives
- Objective 1: Bridge the gap between human-readable access requirements and machine-enforceable policy-as-code (PaC).
- Objective 2: Provide an end-to-end, modular pipeline from NLACP to Rego with validation, linting, and testing.
- Objective 3: Enable auditability and deployment reliability through structured prompts and intermediate artifacts.
- Objective 4: Support researchers with a reproducible flow to study prompting strategies and guardrails.
Proposed Method
- Method 1: Structured prompting pipeline to identify intent, extract DSARCP components (Decision, Subject, Action, Resource, Condition, Purpose), and synthesize Rego.
- Method 2: Four-module architecture: pre-processing, component extraction, schema validation, and Rego generation/refinement/testing.
- Method 3: Rego as the target policy language with deny-by-default semantics and audit annotations.
- Method 4: Integration of a Rego linter (Regal) and OPA compilation/testing for validation and unit test generation.
- Method 5: Batch and single-policy interfaces with optional LLM or rule-based test generation modes.
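What the pipeline's output looks like at the end of Methods 1, 3 and 4 (a DSARCP-derived, deny-by-default Rego policy carrying an audit annotation, together with the positive and negative unit tests that `opa test` runs), as an added example that is not code from the paper or from the Prose2Policy tool. The NLACP sentence, its DSARCP decomposition, the `input` field names (`subject.role`, `subject.ward`, `resource.type`, `resource.ward`, `purpose`), the package name `authz` and the policy id are assumptions made here for illustration; the test inputs are constructed and are not ACRE data.

```rego
# policy.rego (hypothetical example, not from the Prose2Policy paper)
#
# Validation chain this file is meant to pass, using the tools the review names:
#   opa fmt --diff policy.rego    # canonical formatting
#   regal lint policy.rego        # Regal linter
#   opa check policy.rego         # does it compile?
#   opa test -v policy.rego       # runs every test_* rule below

# METADATA
# title: Clinician read access to ward patient records
# description: >
#   Hypothetical NLACP decomposed into DSARCP components:
#   Decision = allow, Subject = clinician, Action = read,
#   Resource = patient_record, Condition = the record's ward equals the
#   clinician's ward, Purpose = treatment.
# custom:
#   source_policy: "Clinicians may read the records of patients on their own ward for treatment purposes."
#   policy_id: NLACP-EXAMPLE-001
package authz

import rego.v1

# Deny by default: a request is allowed only if a rule below proves it.
default allow := false

# Decision rule built directly from the DSARCP components above.
allow if {
	input.subject.role == "clinician"        # Subject
	input.action == "read"                   # Action
	input.resource.type == "patient_record"  # Resource
	input.resource.ward == input.subject.ward  # Condition
	input.purpose == "treatment"             # Purpose
}

# Audit annotation returned with the decision so that logs show *why*.
reason := "allow: clinician reading a patient record on their own ward for treatment" if {
	allow
} else := "deny: default, no matching rule"

decision := {"allow": allow, "reason": reason, "policy_id": "NLACP-EXAMPLE-001"}

# Constructed request used by the tests (assumed input shape, not ACRE data).
same_ward_request := {
	"subject": {"role": "clinician", "ward": "B2"},
	"action": "read",
	"resource": {"type": "patient_record", "ward": "B2"},
	"purpose": "treatment",
}

# Positive test: the request the policy text explicitly permits.
test_allow_same_ward_treatment if {
	allow with input as same_ward_request
}

# Negative tests: each flips exactly one DSARCP component and must be denied.
test_deny_other_ward if {
	not allow with input as object.union(same_ward_request, {"resource": {"type": "patient_record", "ward": "C1"}})
}

test_deny_write_action if {
	not allow with input as object.union(same_ward_request, {"action": "write"})
}

test_deny_research_purpose if {
	not allow with input as object.union(same_ward_request, {"purpose": "research"})
}

# Negative test for malformed input: the default decision and its audit reason apply.
test_deny_missing_fields if {
	not allow with input as {}
	decision.reason == "deny: default, no matching rule" with input as {}
}
```

Two points worth keeping in mind when reading the paper's pass rates against a file like this. First, `opa check` only proves the policy compiles; the positive test is what proves the extracted components were wired together the way the sentence intended, which is why the positive-test rate is the harder number. Second, with `default allow := false` almost any request is denied, so a negative test only carries evidence if it changes exactly one component of an otherwise-allowed request, as the tests above do; a negative test built from an unrelated or empty input passes for free and says nothing about the policy.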

Experimental Results
Research Questions
- RQ1: Can NLACPs be reliably detected and decomposed into executable policy elements suitable for Rego?
- RQ2: How accurately can LLMs extract policy components (DSARCP) from NLACPs and convert them into Rego code?
- RQ3: Does the integrated linting, compilation, and unit testing pipeline yield syntactically correct and behaviorally correct policies?
- RQ4: How does the quality of the generated policies compare between RAGent-like baselines and Prose2Policy's approach?
- RQ5: How does Prose2Policy perform on standard datasets (e.g., ACRE) in terms of compile rate and test pass rates?
Key Findings
- Finding 1: Achieved a 95.3% compile rate: 371 of 389 accepted NLACPs produced valid Rego policies.
- Finding 2: LLM-driven test generation reached an 82.2% positive-test pass rate (305/371).
- Finding 3: LLM-driven tests reached a 98.9% negative-test pass rate (367/371).
- Finding 4: Rule-based test generation reached a 62.1% positive-test pass rate and a 97.1% negative-test pass rate.
- Finding 5: 18 policies failed to produce valid Rego during automatic generation because of syntax problems.
- Finding 6: Demonstrated robust deny-by-default policy enforcement, supported by the high negative-test pass rate.

This review was generated by AI and checked by a human editor.