Permission Set Mining: Discovering Practical and Useful Roles

Role-based access control is an efficient and effective way to manage and govern permissions for a large number of users. However, defining a role infrastructure that accurately reflects the internal functionalities and workings of a large enterprise is a challenging task. Recent research has focused on the theoretical components of automated role identification, while practical applications for identifying roles remain unsolved. This research proposes a practical data mining heuristic method that is fast, scalable and capable of identifying comprehensive roles and placing them into a hierarchy. Permission set pattern data mining can be used to identify the roles with partial orderings that cover the largest portion of user permissions within a system. We test the algorithm on real user permission assignments as well as on generated data sets. Roles identified in test sets cover up to 85% of user permissions, and analysis shows the roles offer significant administrative benefit. We find interesting correlations between roles and their relationships, and analyse the tradeoffs between identifying roles with complete coverage and identifying roles that are most effective and offer significant administrative benefit.
