The role mining problem: finding a minimal descriptive set of roles

Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role based access control. A key problem related to this is the notion of goodness/interestingness -- when is a role good/interesting? In this paper, we define the role mining problem (RMP) as the problem of discovering an optimal set of roles from existing user permissions. The main contribution of this paper is to formally define RMP, and analyze its theoretical bounds. In addition to the above basic RMP, we introduce two different variations of the RMP, called the δ-approx RMP and the Minimal Noise RMP that have pragmatic implications. We reduce the known "set basis problem" to RMP to show that RMP is an NP-complete problem. An important contribution of this paper is also to show the relation of the role mining problem to several problems already identified in the data mining and data analysis literature. By showing that the RMP is in essence reducible to these known problems, we can directly borrow the existing implementation solutions and guide further research in this direction.

[1]  Jaideep Vaidya,et al.  RoleMiner: mining roles using subset enumeration , 2006, CCS '06.

[2]  Anthony K. H. Tung,et al.  Carpenter: finding closed patterns in long biological datasets , 2003, KDD '03.

[3]  M. Gallaher,et al.  The Economic Impact of Role-Based Access Control , 2002 .

[4]  Dorit S. Hochbaum,et al.  Approximating Clique and Biclique Problems , 1998, J. Algorithms.

[5]  Edward J. Coyne Role engineering , 1996, RBAC '95.

[6]  Dana Ron,et al.  On Finding Large Conjunctive Clusters , 2003, COLT.

[7]  Martin Kuhlmann,et al.  Role mining - revealing business roles for security administration using data mining technology , 2003, SACMAT '03.

[8]  René Peeters,et al.  The maximum edge biclique problem is NP-complete , 2003, Discret. Appl. Math..

[9]  Jian Pei,et al.  Mining frequent patterns without candidate generation , 2000, SIGMOD '00.

[10]  Jeremy L. Jacob,et al.  The role-based access control system of a European bank: a case study and discussion , 2001, SACMAT '01.

[11]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[12]  Andreas Schaad,et al.  Observations on the role life-cycle in the context of enterprise security management , 2002, SACMAT '02.

[13]  Pauli Miettinen,et al.  The Discrete Basis Problem , 2006, IEEE Transactions on Knowledge and Data Engineering.

[14]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[15]  George Markowsky Ordering D-classes and computing Schein rank is hard , 1992 .

[16]  Ulrike Steffens,et al.  Role mining with ORCA , 2005, SACMAT '05.

[17]  Ki Hang Kim,et al.  On Covering and Rank Problems for Boolean Matrices and Their Applications , 1999, COCOON.

[18]  David S. Johnson,et al.  Computers and Intractability: A Guide to the Theory of NP-Completeness , 1978 .

[19]  Michael P. Gallaher,et al.  Planning Report 02-1: The Economic Impact of Role-Based Access Control | NIST , 2002 .

[20]  Taneli Mielikäinen Intersecting data to closed sets with constraints , 2003, FIMI.

[21]  Bart Goethals,et al.  Tiling Databases , 2004, Discovery Science.