Delta Analysis of Role-Based Access Control Models

Role-based Access Control (RBAC) is de facto standard for access control in Process-aware Information Systems (PAIS); it grants authorization to users based on roles (i.e. sets of permissions). So far, research has centered on the design and run time aspects of RBAC. An evaluation and verification of a RBAC system (e.g., to evaluate ex post which users acting in which roles were authorized to execute permissions) is still missing. In this paper, we propose delta analysis of RBAC models which compares a prescriptive RBAC model (i.e. how users are expected to work) with a RBAC model (i.e. how users have actually worked) derived from event logs. To do that, we transform RBAC models to graphs and analyze them for structural similarities and differences. Differences can indicate security violations such as unauthorized access. For future work, we plan to investigate semantic differences between RBAC models.

[1]  Akhil Kumar,et al.  W-RBAC - A Workflow Security Model Incorporating Controlled Overriding of Constraints , 2003, Int. J. Cooperative Inf. Syst..

[2]  Stefanie Rinderle-Ma,et al.  SPRINT- Responsibilities: Design and Development of Security Policies in Process-aware Information Systems , 2011, J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl..

[3]  Stefanie Rinderle-Ma,et al.  AW-RBAC: Access Control in Adaptive Workflow Systems , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[4]  Stefanie Rinderle-Ma,et al.  Balancing Flexibility and Security in Adaptive Process Management Systems , 2005, OTM Conferences.

[5]  Wil M. P. van der Aalst,et al.  Business alignment: using process mining as a tool for Delta analysis and conformance testing , 2005, Requirements Engineering.

[6]  Xuelong Li,et al.  A survey of graph edit distance , 2010, Pattern Analysis and Applications.

[7]  Jeremy L. Jacob,et al.  The role-based access control system of a European bank: a case study and discussion , 2001, SACMAT '01.

[8]  Horst Bunke,et al.  Matching graphs with unique node labels , 2004, Pattern Analysis and Applications.

[9]  Wil M. P. van der Aalst,et al.  Towards comprehensive support for organizational mining , 2008, Decis. Support Syst..

[10]  Wil M. P. van der Aalst,et al.  Process Mining - Discovery, Conformance and Enhancement of Business Processes , 2011 .

[11]  Luigi V. Mancini,et al.  A Formal Model for Role-Based Access Control Using Graph Transformation , 2000, ESORICS.

[12]  Wineke A. M. van Lent,et al.  Similarity of business process models : metrics and evaluation , 2009 .

[13]  Vijayalakshmi Atluri,et al.  The role mining problem: finding a minimal descriptive set of roles , 2007, SACMAT '07.

[14]  Mario Vento,et al.  Thirty Years Of Graph Matching In Pattern Recognition , 2004, Int. J. Pattern Recognit. Artif. Intell..

[15]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[16]  Rafael Accorsi,et al.  On the exploitation of process mining for security audits: the conformance checking case , 2012, SAC '12.

[17]  Mathias Weske,et al.  Business Process Management: Concepts, Languages, Architectures , 2007 .

[18]  Mark Strembeck,et al.  A Case Study on the Suitability of Process Mining to Produce Current-State RBAC Models , 2012, Business Process Management Workshops.

[19]  Kotagiri Ramamohanarao,et al.  Role engineering using graph optimisation , 2007, SACMAT '07.

[20]  Horst Bunke,et al.  A graph distance metric based on the maximal common subgraph , 1998, Pattern Recognit. Lett..

[21]  Maria Leitner Security Policies in Adaptive Process-Aware Information Systems: Existing Approaches and Challenges , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[22]  Vijayalakshmi Atluri,et al.  Security for Workflow Systems , 2008, Handbook of Database Security.

[23]  Mark Strembeck,et al.  An Approach to Bridge the Gap between Role Mining and Role Engineering via Migration Guides , 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[24]  Horst Bunke,et al.  Inexact graph matching for structural pattern recognition , 1983, Pattern Recognit. Lett..