Enhancing role management in Role-Based Access Control

Role-Based Access Control (RBAC) is widely used to authorize particular users to access particular data or resources within complex systems. Several problems arise when RBAC models are applied in practice: enforcing the constraints placed on user-role assignments and on role-role relations, and detecting and revoking redundant roles and assignments. These problems make RBAC administration costly. This paper addresses them from the perspective of visualization in order to enhance role management in RBAC, drawing on experience with DAG visualization and on the administrative cost of RBAC. A detailed problem statement is given first, and a DAG normalization process is then proposed to construct a refined role hierarchy. A two-layered paradigm, with the lower layer displaying the role hierarchy and its permissions and the upper layer placing users, is then presented for the visualization of role management in RBAC. In addition, specific interaction techniques are put forward to visually aid the administrator in resolving the constraint and redundancy problems. A two-stage user observation conducted in a laboratory environment suggests that the prototype system is effective and usable for a security administrator managing roles in RBAC.
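The normalization and redundancy problems the abstract refers to can be made concrete on a small role hierarchy. The following Python block is an added example written for this page; it is not the paper's prototype or its normalization algorithm. It models the hierarchy as a senior-to-junior edge set, interprets "DAG normalization" as transitive reduction of that edge set (an assumption, since the abstract does not define the process), and uses a constructed sample hierarchy, constructed user assignments and one constructed separation-of-duty pair to show how redundant role-role relations, redundant user-role assignments and constraint violations are found.

```python
"""Role hierarchy normalization and redundancy checks for RBAC (added example).

Roles form a directed acyclic graph (DAG): an edge senior -> junior means
the senior role inherits every permission of the junior role.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample data, not taken from the paper.
ROLE_EDGES: Dict[str, Set[str]] = {
    "admin": {"manager", "engineer", "staff"},   # admin -> staff is implied via manager
    "manager": {"staff"},
    "engineer": {"staff"},
    "staff": set(),
}
ROLE_PERMS: Dict[str, Set[str]] = {
    "admin": {"manage_users"},
    "manager": {"approve_budget"},
    "engineer": {"deploy"},
    "staff": {"read_wiki"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"admin", "staff"},        # staff is redundant: admin already inherits it
    "bob": {"engineer"},
    "carol": {"manager", "engineer"},   # violates the SoD constraint below
}
# Static separation-of-duty constraint (assumed): no user may hold both roles.
SOD_PAIRS: List[Tuple[str, str]] = [("manager", "engineer")]


def juniors(edges: Dict[str, Set[str]], role: str) -> Set[str]:
    """All roles reachable from `role`, i.e. the roles it inherits from."""
    seen: Set[str] = set()
    stack = list(edges.get(role, ()))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(edges.get(r, ()))
    return seen


def has_cycle(edges: Dict[str, Set[str]]) -> bool:
    """A role hierarchy must be a DAG; a cycle makes two roles mutually senior."""
    return any(role in juniors(edges, role) for role in edges)


def normalize(edges: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Transitive reduction: drop an edge s -> j when j is already reachable
    through another direct junior of s. The result has the same inheritance
    relation but no redundant role-role relations."""
    if has_cycle(edges):
        raise ValueError("role hierarchy is not a DAG")
    reduced: Dict[str, Set[str]] = {}
    for senior, direct in edges.items():
        reduced[senior] = {
            j for j in direct
            if not any(j in juniors(edges, other) for other in direct if other != j)
        }
    return reduced


def effective_permissions(edges, perms, role: str) -> Set[str]:
    """Direct permissions of `role` plus everything inherited from its juniors."""
    own = set(perms.get(role, set()))
    return own.union(*(perms.get(j, set()) for j in juniors(edges, role)))


def redundant_assignments(edges, user_roles) -> Dict[str, Set[str]]:
    """Roles a user holds directly that another of the user's roles already
    inherits; revoking them changes no effective permission."""
    result: Dict[str, Set[str]] = {}
    for user, roles in user_roles.items():
        redundant = {
            r for r in roles
            if any(r in juniors(edges, other) for other in roles if other != r)
        }
        if redundant:
            result[user] = redundant
    return result


def hierarchy_sod_conflicts(edges, pairs) -> List[Tuple[str, str, str]]:
    """Roles whose inheritance closure contains both roles of an SoD pair:
    a role-role relation that breaks the constraint for every holder."""
    return sorted((role, a, b) for role in edges for a, b in pairs
                  if {a, b} <= juniors(edges, role))


def sod_violations(edges, user_roles, pairs) -> List[Tuple[str, str, str]]:
    """Users whose effective role set (direct plus inherited) holds both
    roles of an SoD pair."""
    found = []
    for user, roles in user_roles.items():
        effective = set(roles).union(*(juniors(edges, r) for r in roles))
        for a, b in pairs:
            if a in effective and b in effective:
                found.append((user, a, b))
    return found


if __name__ == "__main__":
    print("normalized hierarchy:", normalize(ROLE_EDGES))
    print("redundant assignments:", redundant_assignments(ROLE_EDGES, USER_ROLES))
    print("role-role SoD conflicts:", hierarchy_sod_conflicts(ROLE_EDGES, SOD_PAIRS))
    print("user SoD violations:", sod_violations(ROLE_EDGES, USER_ROLES, SOD_PAIRS))
```

Two points the sample data is chosen to expose. First, normalization must preserve the permission relation: the effective permissions of every role are identical before and after the redundant admin -> staff edge is removed, which is the check to run before revoking a relation in a real administrative tool. Second, a constraint on user-role assignments can be violated through the hierarchy alone: admin inherits both manager and engineer, so alice breaks the separation-of-duty pair without ever being assigned either role directly, which is why role-role relations have to be checked against constraints, not just direct assignments.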

[1]  Kotagiri Ramamohanarao,et al.  Role engineering using graph optimisation , 2007, SACMAT '07.

[2]  Jason Crampton,et al.  On permissions, inheritance and role hierarchies , 2003, CCS '03.

[3]  Mauricio G. C. Resende,et al.  Greedy Randomized Adaptive Search Procedures , 1995, J. Glob. Optim..

[4]  Ben Shneiderman,et al.  Readings in information visualization - using vision to think , 1999 .

[5]  Vijayalakshmi Atluri,et al.  Optimal Boolean Matrix Decomposition: Application to Role Engineering , 2008, 2008 IEEE 24th International Conference on Data Engineering.

[6]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[7]  Ivan Herman,et al.  Graph Visualization and Navigation in Information Visualization: A Survey , 2000, IEEE Trans. Vis. Comput. Graph..

[8]  Michael Jünger,et al.  Simple and Efficient Bilayer Cross Counting , 2002, J. Graph Algorithms Appl..

[9]  Peter Eades,et al.  Edge crossings in drawings of bipartite graphs , 1994, Algorithmica.

[10]  Martin Graham,et al.  Exploring Multiple Trees through DAG Representations , 2007, IEEE Transactions on Visualization and Computer Graphics.

[11]  Ravi S. Sandhu,et al.  The ARBAC99 model for administration of roles , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[12]  Rafael Martí,et al.  Heuristics and Meta-heuristics for 2-layer Straight Line Crossing Minimization , 2003, Discret. Appl. Math..

[13]  Edward M. Reingold,et al.  Graph drawing by force‐directed placement , 1991, Softw. Pract. Exp..

[14]  Sylvia L. Osborn,et al.  The role graph model and conflict of interest , 1999, TSEC.

[15]  Elisa Bertino,et al.  Secure interoperation in a multidomain environment employing RBAC policies , 2005, IEEE Transactions on Knowledge and Data Engineering.

[16]  Lujo Bauer,et al.  Expandable grids for visualizing and authoring computer security policies , 2008, CHI.