Abstract
With the growing adoption of Role-Based Access Control (RBAC) in commercial security and identity management products, how to facilitate the process of migrating a non-RBAC system to an RBAC system has become a problem with significant business impact. Researchers have proposed using data mining techniques to discover roles, complementing the costly top-down approaches to RBAC system construction. An important problem is how to construct RBAC systems with low complexity. In this article, we define the notion of a weighted structural complexity measure and propose a role mining algorithm that mines RBAC systems with low structural complexity. Another key problem that has not been adequately addressed by existing role mining approaches is how to discover roles with semantic meanings. In this article, we study the problem in two primary settings with different information availability. When the only information is the user-permission relation, we propose to discover roles whose semantic meaning is based on formal concept lattices. We argue that the theory of formal concept analysis provides a solid theoretical foundation for mining roles from a user-permission relation. When user-attribute information is also available, we propose to create roles that can be explained by expressions of user attributes. Since an expression of attributes describes a real-world concept, the corresponding role represents a real-world concept as well. Furthermore, the algorithms we propose balance the semantic guarantee of roles with system complexity. Finally, we indicate how to create a hybrid approach combining top-down candidate roles. Our experimental results demonstrate the effectiveness of our approaches.
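To make the formal-concept setting concrete, the following added example (not code from the article, and not the authors' mining algorithm) enumerates the formal concepts of a small user-permission relation using the standard intersection-closure construction from formal concept analysis, then derives the permission-inheritance edges between them. The sample relation and all function names are constructed for illustration.

```python
# Constructed sample user-permission relation (not from the article).
UP = {
    "alice": {"read_hr", "write_hr", "read_wiki"},
    "bob":   {"read_hr", "read_wiki"},
    "carol": {"read_fin", "write_fin", "read_wiki"},
    "dave":  {"read_fin", "read_wiki"},
}

def users_with(perms, up):
    """Extent: every user who holds all permissions in `perms`."""
    return frozenset(u for u, held in up.items() if perms <= held)

def common_permissions(users, up):
    """Intent: permissions shared by all `users` (all permissions if empty)."""
    shared = set().union(*up.values())
    for u in users:
        shared &= up[u]
    return frozenset(shared)

def formal_concepts(up):
    """All (users, permissions) pairs closed in both directions.

    Concept intents are exactly the intersections of the users' permission
    sets, plus the full permission set (the empty intersection).
    """
    intents = {frozenset().union(*up.values())}
    for held in up.values():
        intents |= {frozenset(held) & i for i in intents}
    return {(users_with(i, up), i) for i in intents}

def candidate_roles(up):
    """Concepts usable as roles: at least one user and one permission."""
    return {(u, p) for u, p in formal_concepts(up) if u and p}

def role_hierarchy(roles):
    """Direct senior -> junior edges between role permission sets.

    A junior role's permissions are a strict subset of the senior's,
    with no other role's permission set strictly in between.
    """
    intents = [p for _, p in roles]
    return {(s, j) for s in intents for j in intents
            if j < s and not any(j < m < s for m in intents)}

if __name__ == "__main__":
    for users, perms in sorted(candidate_roles(UP), key=lambda c: len(c[1])):
        print(sorted(perms), "<-", sorted(users))
```

Each candidate role is maximal in both directions: no further user holds all of its permissions, and its members share no further permission, which is what gives a concept-based role a well-defined meaning in terms of the data alone.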
Index Terms
- Mining Roles with Multiple Objectives