
Handling least privilege problem and role mining in RBAC

Journal of Combinatorial Optimization

Abstract

For a given role-based access control (RBAC) configuration, user-role assignment satisfying the least privilege principle (LPUAP) is one of the most important problems to be solved in information security. LPUAP has been proved to be NP-hard. This paper gives several efficient greedy algorithms for handling this problem. Experimental results show that the output of our algorithms is almost optimal while the running time is greatly reduced. In the other case, where an RBAC configuration is to be set up, minimizing the descriptive set of roles (Basic-RMP) and minimizing the administrative assignments for roles (Edge-RMP) can greatly decrease management costs. Both role mining problems (i.e., Basic-RMP and Edge-RMP) have also been proved to be NP-hard. This paper converts Basic-RMP to the set cover problem and Edge-RMP to the weighted set cover problem, and designs two algorithms, \(GA_{Basic}\) for Basic-RMP and \(GA_{Edge}\) for Edge-RMP. Experimental results show that the average similarity rate between the role sets produced by the \(GA_{Basic}\) algorithm and the original ones used to generate the dataset is above 90 %. However, when role mining is converted into the set cover problem, the number of candidate roles is very large. To reduce the complexity of the \(GA_{Basic}\) algorithm, this paper presents a new polynomial-time algorithm whose performance is nearly the same as that of the \(GA_{Basic}\) algorithm.
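Added illustration, not the paper's \(GA_{Basic}\) algorithm: the Basic-RMP-to-set-cover conversion as a greedy cover in Python. The universe is the set of (user, permission) pairs of a constructed user-permission matrix, and a candidate role may be assigned to a user only if its permissions are a subset of that user's, so the mined assignment never grants a permission the user lacked. The candidate generator (each user's permission set plus pairwise intersections) and the tie-breaking order are assumptions of this example.

```python
from itertools import combinations

# Constructed user-permission assignment (UPA) for the example.
UPA = {
    "alice": {"read", "write", "deploy"},
    "bob":   {"read", "write"},
    "carol": {"read", "deploy", "audit"},
    "dave":  {"read", "audit"},
}

def candidate_roles(upa):
    """Candidate roles (an assumed, simplified generator): every user's
    permission set plus every non-empty pairwise intersection."""
    cands = {frozenset(p) for p in upa.values()}
    for a, b in combinations(list(upa.values()), 2):
        if a & b:
            cands.add(frozenset(a & b))
    # Deterministic order: larger roles first, then alphabetically.
    return sorted(cands, key=lambda r: (-len(r), sorted(r)))

def greedy_role_mining(upa, candidates=None):
    """Basic-RMP as set cover. Universe = all (user, permission) pairs in
    the UPA. Role r covers (u, p) for p in r only when r <= UPA[u], so a
    user is never assigned a role granting a permission outside its row.
    Repeatedly pick the role covering the most still-uncovered pairs."""
    candidates = candidates or candidate_roles(upa)
    uncovered = {(u, p) for u, perms in upa.items() for p in perms}
    roles, ua = [], {u: [] for u in upa}
    while uncovered:
        best, best_cov = None, set()
        for r in candidates:
            cov = {(u, p) for u, perms in upa.items() if r <= perms for p in r}
            cov &= uncovered
            if len(cov) > len(best_cov):
                best, best_cov = r, cov
        if best is None:  # impossible with candidate_roles(); guards custom input
            raise ValueError("no candidate role covers the remaining pairs")
        roles.append(best)
        for u in upa:
            if any((u, p) in best_cov for p in best):
                ua[u].append(best)
        uncovered -= best_cov
    return roles, ua

def reconstructs_exactly(upa, ua):
    """True iff the union of each user's mined roles equals its UPA row."""
    return all(set().union(*ua[u]) == perms for u, perms in upa.items())
```

On the constructed matrix the greedy cover needs three roles for four users, and the subset check in the cover step is what keeps every user-role assignment within least privilege.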



Acknowledgments

This study was financially supported by the National Natural Science Foundation of China under Grant Nos. 11071271 and 61100191, and by the Shenzhen Strategic Emerging Industries Program under Grant Nos. ZDSY20120613125016389 and JCYJ20120613151201451.

Corresponding author

Correspondence to Hejiao Huang.

Cite this article

Huang, H., Shang, F., Liu, J. et al. Handling least privilege problem and role mining in RBAC. J Comb Optim 30, 63–86 (2015). https://doi.org/10.1007/s10878-013-9633-9
