ABSTRACT
In recent years, role-based access control (RBAC) has been spreading within organizations. However, companies still have considerable difficulty migrating to this model, due to the complexity of identifying a set of roles that fits the real needs of the company. The various role engineering methods proposed thus far all lack a metric for measuring the "quality" of the candidate roles they produce. This paper proposes a new approach guided by a cost-based metric, where "cost" represents the effort to administer the resulting RBAC. Further, we propose RBAM (Role-Based Association-rule Mining), an algorithm that leverages the cost metric to find candidate role-sets with the lowest possible administration cost. For a specific parameter set, RBAM behaves like existing role mining algorithms and is, in the worst case, NP-complete. Yet, we provide several examples showing the sensibility of the assumptions made by the algorithm. Further, application of the algorithm to real data highlights the improvements over current solutions. Finally, we comment on the direction of future research.
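The following is an added illustration of the idea the abstract describes, namely using an administration-cost metric to steer role mining; it is not code from the paper and is not RBAM itself. It assumes a hypothetical cost metric (the number of user-to-role plus role-to-permission assignments an administrator must maintain), derives candidate roles as permission sets shared by at least `min_support` users (the frequent itemsets of association-rule mining), and greedily picks the candidate that covers the most outstanding user-permission pairs per unit of cost. The user-permission matrix is constructed sample data.

```python
"""Cost-driven role mining on a constructed user-permission matrix (illustrative only).

Assumptions not taken from the paper:
  * cost(role-set) = |UA| + |PA|, i.e. user-role edges plus role-permission edges;
  * candidate roles are permission sets held by >= min_support users, plus every
    single permission so that any user-permission pair stays coverable;
  * roles must fit exactly: no role may grant a user a permission they do not hold.
Enumerating all permission subsets is exponential, which mirrors the abstract's
remark that the general problem is NP-complete; it is fine for a toy matrix.
"""
from itertools import combinations

# Constructed sample data: user -> permissions held today (direct assignments).
UP = {
    "alice": {"p1", "p2", "p3"},
    "bob":   {"p1", "p2", "p3"},
    "carol": {"p1", "p2", "p3"},
    "dan":   {"p1", "p2", "p3", "p4"},
    "erin":  {"p4", "p5"},
    "frank": {"p4", "p5"},
    "grace": {"p5"},
}


def direct_cost(up):
    """Cost of managing permissions without roles: one edge per user-permission pair."""
    return sum(len(ps) for ps in up.values())


def admin_cost(user_roles, role_perms):
    """Hypothetical administration cost of a role-set: |UA| + |PA|."""
    ua = sum(len(roles) for roles in user_roles.values())
    pa = sum(len(perms) for perms in role_perms.values())
    return ua + pa


def candidate_roles(up, min_support):
    """Permission sets shared by at least min_support users, plus all singletons."""
    perms = sorted(set().union(*up.values()))
    cands = {frozenset([p]) for p in perms}
    for k in range(2, len(perms) + 1):
        for combo in combinations(perms, k):
            s = frozenset(combo)
            if sum(1 for ps in up.values() if s <= ps) >= min_support:
                cands.add(s)
    # Deterministic order so ties are broken the same way on every run.
    return sorted(cands, key=lambda s: (len(s), sorted(s)))


def greedy_role_set(up, min_support):
    """Build roles one at a time, each time taking the best coverage-per-cost candidate."""
    uncovered = {(u, p) for u, ps in up.items() for p in ps}
    cands = candidate_roles(up, min_support)
    role_perms = {}
    user_roles = {u: set() for u in up}
    while uncovered:
        best = None
        for cand in cands:
            # Users who hold every permission in the candidate and still need some of it.
            users = [u for u in up
                     if cand <= up[u] and any((u, p) in uncovered for p in cand)]
            if not users:
                continue
            newly = sum(1 for u in users for p in cand if (u, p) in uncovered)
            marginal = len(cand) + len(users)  # PA edges + UA edges this role adds
            score = newly / marginal
            if best is None or score > best[0]:
                best = (score, cand, users)
        _, cand, users = best  # a singleton always qualifies, so best is never None
        name = f"r{len(role_perms) + 1}"
        role_perms[name] = set(cand)
        for u in users:
            user_roles[u].add(name)
            uncovered -= {(u, p) for p in cand}
    return user_roles, role_perms


def exact_fit(up, user_roles, role_perms):
    """True if every user's effective permissions equal their original ones."""
    return all(set().union(*(role_perms[r] for r in user_roles[u]), set()) == up[u]
               for u in up)


if __name__ == "__main__":
    ur, rp = greedy_role_set(UP, min_support=2)
    for name, perms in rp.items():
        print(name, sorted(perms), "->", sorted(u for u in ur if name in ur[u]))
    print("direct cost:", direct_cost(UP), " role-set cost:", admin_cost(ur, rp))
```

On the sample matrix the miner produces four roles: a three-permission role shared by four users, a two-permission role shared by two, and two singleton roles mopping up the leftovers, bringing the assumed administration cost from 18 direct assignments down to 15 while still granting each user exactly the permissions they held before. Lowering `min_support` admits more candidate roles, including ones held by a single user, and the cost metric is what stops the search from preferring them.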