SYSTEM AND METHOD FOR SYNTHESIZING ROLE-BASED ACCESS CONTROL ASSIGNMENTS PER A POLICY

A system and method are provided to facilitate securing windows discretionary access control. During operation, the system determines a Windows domain model including: user-specified desired effective permissions as capability assignments of principals on resources, wherein a respective capability assignment comprises a permission of a respective principal to a respective resource and wherein a respective principal comprises a user or a group of users; and user-specified policies and rules for relationships between principals, groups, and resources. The system creates a domain graph and an access control graph based on the Windows domain model. The domain graph maps paths between nodes representing users, groups, and resources based on the policies and rules. The access control graph allows for calculation of actual permissions of principals on resources based on the desired effective permissions. The system determines a set of optimal policy-conformant configurations based on the domain graph and the access control graph.