Mining RBAC Roles under Cardinality Constraint

Role Based Access Control (RBAC) is an effective way of managing the permissions assigned to a large number of users in an enterprise. In order to deploy RBAC, a complete and correct set of roles needs to be identified from the existing user-permission assignments, keeping the number of roles low. This process is called role mining. After the roles are mined, users are assigned to these roles. While implementing RBAC, it is often required that a single role is not assigned a large number of permissions; otherwise, any user assigned to that role will be overburdened with too many operations. In this paper, we propose a heuristic bottom-up constrained role mining scheme that satisfies a cardinality constraint: no role contains more than a given number of permissions. We compare its results with eight other recently proposed role mining algorithms. It is seen that the proposed scheme always satisfies the cardinality constraint and generates the fewest roles among all the algorithms studied.
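To make the problem statement concrete, the following added example (not the paper's scheme, and not code from the authors) mines roles bottom-up from a small constructed user-permission assignment (UPA) with a simple greedy heuristic: users are processed from the smallest permission set upward, existing roles are reused only when they fit entirely inside a user's permissions (so no user is ever over-provisioned), and any still-uncovered permissions become new roles chunked so that no role exceeds `max_perms`. The usernames, permission names, the `mine_roles`/`check` helpers and the UPA itself are all assumptions constructed for illustration. The check at the end is the property a practitioner wants after any role mining run: the mined roles must reproduce the original UPA exactly and every role must respect the cardinality bound.

```python
"""Toy bottom-up role mining under a per-role cardinality constraint.

Constructed example; it is NOT the algorithm proposed in the paper, only a
greedy heuristic that illustrates the constraint and how to verify a result.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample UPA: user -> set of directly assigned permissions.
UPA: Dict[str, Set[str]] = {
    "alice": {"read_db", "write_db", "deploy", "view_logs"},
    "bob":   {"read_db", "write_db", "view_logs"},
    "carol": {"read_db", "view_logs"},
    "dave":  {"deploy", "view_logs", "restart_svc"},
}


def mine_roles(upa: Dict[str, Set[str]],
               max_perms: int) -> Tuple[List[FrozenSet[str]], Dict[str, List[int]]]:
    """Return (roles, user_assignment) such that the union of a user's roles
    equals the user's UPA entry and no role has more than max_perms permissions."""
    roles: List[FrozenSet[str]] = []
    ua: Dict[str, List[int]] = {}
    # Smallest permission sets first: common small sets become roles that
    # users with larger permission sets can reuse later.
    for user in sorted(upa, key=lambda u: (len(upa[u]), u)):
        remaining = set(upa[user])
        assigned: List[int] = []
        # Reuse existing roles, largest first, but only roles that are a
        # subset of this user's permissions (never grant extra permissions)
        # and that still cover something not yet covered.
        for idx in sorted(range(len(roles)), key=lambda i: -len(roles[i])):
            if roles[idx] <= upa[user] and roles[idx] & remaining:
                assigned.append(idx)
                remaining -= roles[idx]
        # Leftover permissions become new roles of at most max_perms each.
        leftover = sorted(remaining)
        for i in range(0, len(leftover), max_perms):
            roles.append(frozenset(leftover[i:i + max_perms]))
            assigned.append(len(roles) - 1)
        ua[user] = sorted(assigned)
    return roles, ua


def reconstruct(roles: List[FrozenSet[str]],
                ua: Dict[str, List[int]]) -> Dict[str, Set[str]]:
    """Effective permissions of each user implied by the role assignment."""
    return {u: set().union(*(roles[i] for i in idxs)) for u, idxs in ua.items()}


def check(upa: Dict[str, Set[str]], roles: List[FrozenSet[str]],
          ua: Dict[str, List[int]], max_perms: int) -> bool:
    """True iff roles reproduce the UPA exactly AND satisfy the cardinality bound."""
    exact = reconstruct(roles, ua) == upa
    within_bound = all(len(r) <= max_perms for r in roles)
    return exact and within_bound


if __name__ == "__main__":
    for k in (2, 10):  # k=2 constrained, k=10 effectively unconstrained here
        roles, ua = mine_roles(UPA, k)
        print(f"max_perms={k}: {len(roles)} roles, "
              f"largest role has {max(len(r) for r in roles)} permissions, "
              f"valid={check(UPA, roles, ua, k)}")
        for i, r in enumerate(roles):
            print(f"  role {i}: {sorted(r)}")
```

On this input the bound `max_perms=2` costs one extra role compared with the effectively unconstrained run (five roles instead of four), which is the trade-off the paper's comparison is about: a tighter cardinality constraint tends to push the role count up, so the interesting question is how few roles a scheme needs while still satisfying it. The `check` function is deliberately separate from the mining step so it can be run against the output of any role mining tool, including ones whose internals you cannot inspect.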
