Meeting Cardinality Constraints in Role Mining

Role mining is a critical step for organizations that migrate from traditional access control mechanisms to role-based access control (RBAC). Additional constraints may be imposed while generating roles from a given user-permission assignment relation. In this paper we consider two such constraints, which are the dual of each other. A role-usage cardinality constraint limits the maximum number of roles any user can have. Its dual, the permission-distribution cardinality constraint, limits the maximum number of roles to which a permission can belong. These two constraints impose mutually contradictory requirements on user-to-role and role-to-permission assignments: an attempt to satisfy one of the constraints may result in a violation of the other. We show that the constrained role mining problem is NP-complete and present heuristic solutions. Two distinct frameworks are presented in this paper. In the first approach, roles are initially mined without taking the constraints into account; the user-role and role-permission assignments are then checked for constraint violations in a post-processing step and re-assigned where necessary. In the second approach, the constraints are enforced during the role mining process itself. The methods are first applied to problems that consider the two constraints individually, and then with both considered together. Both methods are evaluated over a number of real-world data sets.
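
The tension between the two constraints can be made concrete by checking candidate decompositions of a small user-permission assignment. The following is an added example, not code from the paper: the UPA relation, the three role sets and the cardinality limits are all constructed here, and the checks correspond to the post-processing step described for the first framework.

```python
# Added example (not from the paper): checking candidate role sets against the
# role-usage and permission-distribution cardinality constraints. All data is constructed.

def reconstructs(upa, pa, ua):
    """True if UA x PA reproduces UPA exactly (no missing and no extra permissions)."""
    for user, perms in upa.items():
        derived = set()
        for role in ua.get(user, set()):
            derived |= pa[role]
        if derived != perms:
            return False
    return True

def role_usage_violations(ua, max_roles_per_user):
    """Users holding more roles than the role-usage cardinality constraint allows."""
    return {u: len(rs) for u, rs in ua.items() if len(rs) > max_roles_per_user}

def permission_distribution_violations(pa, max_roles_per_permission):
    """Permissions that belong to more roles than the permission-distribution constraint allows."""
    count = {}
    for perms in pa.values():
        for p in perms:
            count[p] = count.get(p, 0) + 1
    return {p: c for p, c in count.items() if c > max_roles_per_permission}

# Constructed user-permission assignment (users -> permissions).
UPA = {"alice": {"p1", "p2", "p3"}, "bob": {"p1", "p2"}, "carol": {"p2", "p3"}}

# Decomposition A: one role per user. Role usage is minimal, but p2 ends up in 3 roles.
PA_A = {"rA": {"p1", "p2", "p3"}, "rB": {"p1", "p2"}, "rC": {"p2", "p3"}}
UA_A = {"alice": {"rA"}, "bob": {"rB"}, "carol": {"rC"}}

# Decomposition B: one role per permission. Distribution is minimal, but alice needs 3 roles.
PA_B = {"r1": {"p1"}, "r2": {"p2"}, "r3": {"p3"}}
UA_B = {"alice": {"r1", "r2", "r3"}, "bob": {"r1", "r2"}, "carol": {"r2", "r3"}}

# Decomposition C: a middle ground that meets both constraints when each limit is 2.
PA_C = {"r12": {"p1", "p2"}, "r23": {"p2", "p3"}}
UA_C = {"alice": {"r12", "r23"}, "bob": {"r12"}, "carol": {"r23"}}

def evaluate(pa, ua, max_roles_per_user, max_roles_per_permission):
    """Summarise exact reconstruction and both constraint checks for one decomposition."""
    return {
        "exact": reconstructs(UPA, pa, ua),
        "role_usage": role_usage_violations(ua, max_roles_per_user),
        "perm_dist": permission_distribution_violations(pa, max_roles_per_permission),
    }

if __name__ == "__main__":
    for name, pa, ua in (("A", PA_A, UA_A), ("B", PA_B, UA_B), ("C", PA_C, UA_C)):
        print(name, evaluate(pa, ua, 2, 2))
```

With both limits set to 2, decomposition A violates only the permission-distribution constraint, B violates only the role-usage constraint, and C satisfies both while still reproducing the UPA exactly.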
