Mario Frank
David Basin
ABSTRACT
Role Engineering is a security-critical task for systems using role-based access control (RBAC). Different role-mining approaches have been proposed that attempt to automatically infer appropriate roles from existing user-permission assignments. However, these approaches are mainly combinatorial and lack an underlying probabilistic model of the domain. We present the first probabilistic model for RBAC. Our model defines a general framework for expressing user permission assignments and can be specialized to different domains by limiting its degrees of freedom with appropriate constraints. For one practically important instance of this framework, we show how roles can be inferred from data using a state-of-the-art machine-learning algorithm. Experiments on both randomly generated and real-world data provide evidence that our approach not only creates meaningful roles but also identifies erroneous user-permission assignments in given data.
- R. Agrawal, T. Imielinski, and A. Swami. Mining association rules between sets of items in large databases. SIGMOD Rec., 22(2):207?-216, 1993. Google Scholar
Digital Library
- C. E. Antoniak. Mixtures of Dirichlet processes with applications to Bayesian nonparametric problems. The Annals of Statistics, 2(6):1152?-1174, November 1974.Google ScholarCross Ref
- T. M. Cover and J. A. Thomas. Elements of information theory. Wiley-Interscience, New York, NY, USA, 1991. Google ScholarDigital Library
- E. J. Coyne. Role engineering. In RBAC '95: Proceedings of the first ACM Workshop on Role-based access control, page 4, New York, NY, USA, 1996. ACM. Google ScholarDigital Library
- P. Epstein and R. Sandhu. Engineering of role/permission assignments. In ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, page 127, Washington, DC, USA, 2001. IEEE Computer Society. Google ScholarDigital Library
- T. S. Ferguson. A Bayesian analysis of some nonparametric problems. Annals of Statistics, 1(2):209?-230, 1973.Google ScholarCross Ref
- D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4(3):224-?274, 2001. Google ScholarDigital Library
- J. F. Gimpel. The minimization of spatially-multiplexed character sets. Commun. ACM, 17(6):315?-318, 1974. Google ScholarDigital Library
- C. Kemp, J. B. Tenenbaum, T. L. Griffths, T. Yamada, and N. Ueda. Learning systems of concepts with an infinite relational model. In Proceedings of the 21st National Conference on Artificial Intelligence, 2006. Google ScholarDigital Library
- M. Kuhlmann, D. Shohat, and G. Schimpf. Role mining - revealing business roles for security administration using data mining technology. In SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies, pages 179?-186, New York, NY, USA, 2003. ACM. Google ScholarDigital Library
- H. Lu, J. Vaidya, and V. Atluri. Optimal Boolean matrix decomposition: Application to role engineering. In Proceedings of the 24th International Conference on Data Engineering (ICDE), pages ?, 2008. Google ScholarDigital Library
- P. Miettinen, T. Mielik¨ainen, A. Gionis, G. Das, and H. Mannila. The Discrete Basis Problem. In Lecture Notes in Artificial Intelligence, pages 335?-346, Berlin, Germany, 2006. Springer. Google ScholarDigital Library
- R. M. Neal. Markov chain sampling methods for Dirichlet process mixture models. Journal of Computational and Graphical Statistics, 9(2):249-?265, 2000.Google Scholar
- G. Neumann and M. Strembeck. A scenario-driven role engineering process for functional RBAC roles. In SACMAT '02: Proceedings of the seventh ACM symposium on Access control models and technologies, pages 33?-42, New York, NY, USA, 2002. ACM. Google ScholarDigital Library
- J. Schlegelmilch and U. Steffens. Role mining with ORCA. In SACMAT '05: Proceedings of the tenth ACM symposium on Access control models and technologies, pages 168?-176, New York, NY, USA, 2005. ACM. Google ScholarDigital Library
- J. Vaidya, V. Atluri, and Q. Guo. The Role Mining Problem: Finding a minimal descriptive set of roles. In The Twelth ACM Symposium on Access Control Models and Technologies, pages 175-?184, Sophia Antipolis, France, June 20-22 2007. Google ScholarDigital Library
- J. Vaidya, V. Atluri, and J. Warner. Roleminer: Mining roles using subset enumeration. In CCS '06: Proceedings of the 13th ACM Conference on Computer and Communications Security, New York, NY, USA, 2006. ACM Press. Google ScholarDigital Library
- D. Zhang, K. Ramamohanarao, and T. Ebringer. Role engineering using graph optimisation. In SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies, pages 139?-144, New York, NY, USA, 2007. ACM. Google ScholarDigital Library
Index Terms
- A class of probabilistic models for role engineering
Recommendations
A probabilistic approach to hybrid role mining
CCS '09: Proceedings of the 16th ACM conference on Computer and communications securityRole mining algorithms address an important access control problem: configuring a role-based access control system. Given a direct assignment of users to permissions, role mining discovers a set of roles together with an assignment of users to roles. ...
Role Mining with Probabilistic Models
Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given an access-control matrix assigning users to access permissions as input. Most role-mining approaches work by constructing a large set of candidate roles ...
Edge-RMP: Minimizing administrative assignments for role-based access control
Because of its ease of administration, role-based access control (RBAC) has become the norm to enforcing security in most of today's organizations. For implementing RBAC, it is important to devise a complete and correct set of roles. This task, known as ...
Comments