Abstract
Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role-based access control. A key problem related to this is the notion of goodness/interestingness—when is a role good/interesting? In this article, we define the Role Mining Problem (RMP) as the problem of discovering an optimal set of roles from existing user permissions. The main contribution of this article is to formally define RMP and analyze its theoretical bounds. In addition to the above basic RMP, we introduce two different variations of the RMP, called the δ-Approx RMP and the minimal-noise RMP that have pragmatic implications. We reduce the known “Set Basis Problem” to RMP to show that RMP is an NP-complete problem. An important contribution of this article is also to show the relation of the RMP to several problems already identified in the data mining and data analysis literature. By showing that the RMP is in essence reducible to these known problems, we can directly borrow the existing implementation solutions and guide further research in this direction. We also develop a heuristic solution based on the previously proposed FastMiner algorithm, which is very accurate and efficient.
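Added illustration, not code from the article: a greedy sketch of the basic RMP and its δ-approx variant on a constructed user-permission assignment, assuming the Boolean-matrix reading in which the mined roles must reproduce the assignment exactly, or within δ mismatched cells. The heuristic, function names and sample data are assumptions of this example; it is not FastMiner.

```python
from itertools import combinations

# Constructed user-permission assignment (UPA); all names are illustrative.
UPA = {
    "alice": {"read_hr", "write_hr", "read_fin"},
    "bob": {"read_hr", "write_hr"},
    "carol": {"read_fin", "approve_fin"},
    "dave": {"read_hr", "write_hr", "read_fin", "approve_fin"},
}

def reconstruct(ua, pa):
    """Permissions each user holds through roles (Boolean product of UA and PA)."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}

def noise(upa, ua, pa):
    """Number of (user, permission) cells where the role model differs from UPA."""
    got = reconstruct(ua, pa)
    return sum(len(upa[u] ^ got[u]) for u in upa)

def candidate_roles(upa):
    """Distinct user permission sets plus their non-empty pairwise intersections."""
    sets = {frozenset(p) for p in upa.values()}
    sets |= {a & b for a, b in combinations(sets, 2)}
    return sorted((s for s in sets if s), key=sorted)  # sorted for determinism

def mine_roles(upa, delta=0):
    """Greedy cover: add roles until at most delta cells of UPA stay uncovered.
    A role goes only to users who already hold all of its permissions, so the
    result can under-grant (when delta > 0) but never over-grant."""
    uncovered = {(u, p) for u, perms in upa.items() for p in perms}
    ua, pa, cands = {u: set() for u in upa}, {}, candidate_roles(upa)
    while len(uncovered) > max(delta, 0):
        def gain(role):
            return sum((u, p) in uncovered
                       for u, perms in upa.items() if role <= perms for p in role)
        best = max(cands, key=gain)
        name = f"role{len(pa)}"
        pa[name] = set(best)
        for u, perms in upa.items():
            if best <= perms and any((u, p) in uncovered for p in best):
                ua[u].add(name)
                uncovered -= {(u, p) for p in best}
    return ua, pa

if __name__ == "__main__":
    for d in (0, 2):
        ua, pa = mine_roles(UPA, d)
        print(f"delta={d}: {len(pa)} roles, noise={noise(UPA, ua, pa)}", pa)
```

Because roles are assigned only to users who already hold every permission in them, any mismatch tolerated under δ is a missing grant rather than excess privilege.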