Abstract
Security managers in large organizations must manage the access of tens of thousands of employees on diverse data. Databases store the access control information but the security officers use essentially manual techniques to determine who has too much access and why. We call this task the Audit Problem. The security research community has offered promising frameworks such as role-based access control, but these still leave open the problems of designing the roles and determining group memberships and of demonstrating that there are substantial benefits to be reaped from making a change.
In this paper, we propose a data-mining approach that includes an algorithm that starts with a set of atomic permissions of the form (user, asset, privilege) and derives a smaller but equivalent set (user group, asset group, privilege group). The asset and privilege groups so identified constitute promising roles. The users so identified constitute useful groups.
In this paper we report on actual experience with actual corporate access control data. We built a production role-based access control authorization service, storing the tables in a relational database and transmitting queries as XML ‘documents’ over MQ message queues.
Our experiments show that the proposed algorithm can reduce the number of permission assertions by a factor of between 10 and 100. With such a reduction, the Audit Problem is brought from the absurd to the plausible.
Chapter PDF
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
6. References
“Role Based Access Control,” D. Ferraiolo and R. Kuhn, NIST, http://hissa.ncsl.nist.gov/rbac/
“Guide to the SQL Standard,” H. Darwen and C. J. Date, 1997, Addison-Wesley, ISBN 0201964260.
“A Unified Framework For Enforcing Multiple Access Control Policies,” S. Jajoida, P. Samarati, V. S. Subrahmanian, and E. Bertino, Proceedings of ACM SIGMOD International Conference on Management of Data, 1997, pp 474–485
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2002 Kluwer Academic Publishers
About this chapter
Cite this chapter
Donner, M., Nochlin, D., Shasha, D., Walasek, W. (2002). Algorithms and Experience in Increasing the Intelligibility and Hygiene of Access Control in Large Organizations. In: Thuraisingham, B., van de Riet, R., Dittrich, K.R., Tari, Z. (eds) Data and Application Security. IFIP International Federation for Information Processing, vol 73. Springer, Boston, MA. https://doi.org/10.1007/0-306-47008-X_26
Download citation
DOI: https://doi.org/10.1007/0-306-47008-X_26
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7514-2
Online ISBN: 978-0-306-47008-0
eBook Packages: Springer Book Archive