Towards user-oriented RBAC model

Role mining defines the role set needed to implement a role-based access control (RBAC) system, and it is regarded as one of the most important and costliest phases of an RBAC deployment. While various role mining models have been proposed, we find that user experience and perception, one ultimate goal for any information system, are surprisingly ignored by existing work. One advantage of RBAC is that it supports multiple role assignments and allows a user to activate the roles needed to perform the tasks of each session. However, from the user's perspective, frequently activating and deactivating roles is tedious. A user-friendly RBAC system is therefore expected to assign few roles to every user. In this paper we propose to incorporate into the role mining process a user-role assignment constraint that bounds the maximum number of roles each user can have. Under this rationale, we formulate user-oriented role mining as the user role mining problem, in which all users share the same maximum number of role assignments; the personalized role mining problem, in which users can have different maximum numbers of role assignments; and the approximate versions of the two problems, which tolerate a certain amount of deviation from complete reconstruction. The extra constraint on the maximum role assignments poses a great challenge to role mining, which is in general already a hard problem. We examine some typical existing role mining methods to assess their applicability to our problems. In light of their insufficiency, we present a new algorithm, based on a novel dynamic candidate role generation strategy, tailored to our problems. Experiments on benchmark data sets demonstrate the effectiveness of the proposed algorithm.
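The problem statement above can be made concrete with a small checker. The following Python is an added example, not code from the paper: it encodes a constructed user-permission matrix, evaluates a candidate role decomposition (UA, PA) for reconstruction deviation and for the per-user role bound (a single integer for the user role mining problem, a per-user list for the personalized variant), and shows the trivial exact solution when every user may hold at most one role. The dynamic candidate generation algorithm the paper proposes is not reproduced here; the matrix, user names and helper functions are assumptions made for illustration.

```python
"""Checker for the user-oriented role mining problem formulation.

A role mining instance is a Boolean user-permission matrix UPA.
A candidate solution is a pair (UA, PA): UA[u][r] == 1 means user u holds
role r, PA[r][p] == 1 means role r grants permission p.  The solution
reconstructs UPA exactly when UPA equals the Boolean product UA (x) PA.
The user-oriented variants add a bound on how many roles a user may hold.
"""

# Constructed sample instance: 5 users x 5 permissions (not real data).
UPA = [
    [1, 1, 0, 0, 0],  # alice
    [1, 1, 1, 0, 0],  # bob
    [0, 0, 1, 1, 0],  # carol
    [1, 1, 1, 1, 0],  # dave
    [0, 0, 0, 0, 1],  # erin
]


def boolean_product(ua, pa):
    """Boolean matrix product: a user gets every permission of every role held."""
    n_perms = len(pa[0]) if pa else 0
    result = []
    for user_roles in ua:
        perms = [0] * n_perms
        for r, held in enumerate(user_roles):
            if held:
                for p, granted in enumerate(pa[r]):
                    if granted:
                        perms[p] = 1
        result.append(perms)
    return result


def deviation(upa, ua, pa):
    """Number of cells where the reconstruction differs from UPA (over- or under-grants)."""
    recon = boolean_product(ua, pa)
    return sum(a != b for ra, rb in zip(upa, recon) for a, b in zip(ra, rb))


def roles_per_user(ua):
    return [sum(row) for row in ua]


def bound_violations(ua, bound):
    """Users holding more roles than allowed.

    bound is an int for the user role mining problem (same maximum for all)
    or a list for the personalized problem (one maximum per user).
    """
    counts = roles_per_user(ua)
    if isinstance(bound, int):
        bound = [bound] * len(counts)
    return [u for u, (c, b) in enumerate(zip(counts, bound)) if c > b]


def evaluate(upa, ua, pa, bound, tolerance=0):
    """Summarise a candidate: role count, deviation, bound violations, feasibility.

    tolerance = 0 is the exact problem; tolerance > 0 is the approximate version.
    """
    dev = deviation(upa, ua, pa)
    violations = bound_violations(ua, bound)
    return {
        "roles": len(pa),
        "deviation": dev,
        "bound_violations": violations,
        "feasible": dev <= tolerance and not violations,
    }


def single_role_decomposition(upa):
    """Exact solution for bound 1: each distinct permission row becomes a role.

    With at most one role per user, exact reconstruction forces the user's
    row to equal its role, so this is also the smallest role set for bound 1.
    """
    roles = []
    for row in upa:
        if list(row) not in roles:
            roles.append(list(row))
    ua = [[1 if list(row) == role else 0 for role in roles] for row in upa]
    return ua, roles


# Candidate A: 3 coarse roles; bob is over-granted permission 3 (deviation 1).
PA_A = [[1, 1, 0, 0, 0], [0, 0, 1, 1, 0], [0, 0, 0, 0, 1]]
UA_A = [[1, 0, 0], [1, 1, 0], [0, 1, 0], [1, 1, 0], [0, 0, 1]]

# Candidate B: 4 fine roles; exact, but dave needs 3 roles.
PA_B = [[1, 1, 0, 0, 0], [0, 0, 1, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]
UA_B = [[1, 0, 0, 0], [1, 1, 0, 0], [0, 1, 1, 0], [1, 1, 1, 0], [0, 0, 0, 1]]

if __name__ == "__main__":
    print("A, bound 2, exact:      ", evaluate(UPA, UA_A, PA_A, 2))
    print("A, bound 2, tolerance 1:", evaluate(UPA, UA_A, PA_A, 2, tolerance=1))
    print("B, bound 2, exact:      ", evaluate(UPA, UA_B, PA_B, 2))
    print("B, personalized bounds: ", evaluate(UPA, UA_B, PA_B, [2, 2, 2, 3, 1]))
    ua1, pa1 = single_role_decomposition(UPA)
    print("bound 1 solution:       ", evaluate(UPA, ua1, pa1, 1))
```

The two candidates illustrate the tension the abstract describes: with a uniform bound of two roles per user, the exact four-role decomposition is infeasible because one user needs three roles, while the three-role decomposition respects the bound only by over-granting a permission, which the approximate variant tolerates and the exact one rejects. Raising that one user's personal bound to three, as the personalized problem allows, makes the exact decomposition feasible again.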
