IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 3, July-September 2010, pp. 300-314
Jaideep Vaidya , Rutgers University, Newark
Vijayalakshmi Atluri , Rutgers University, Newark
Janice Warner , Georgian Court University, Lakewood
Qi Guo , Rutgers University, Newark
Today, role-based access control (RBAC) has become a well-accepted paradigm for implementing access control because of its convenience and ease of administration. However, in order to realize the full benefits of the RBAC paradigm, one must first define the roles accurately. This task of defining roles and associating permissions with them, also known as role engineering, is typically accomplished either top-down or bottom-up. Under the top-down approach, a careful analysis of the business processes is done to first define job functions and then to specify appropriate roles from them. While this approach can help in defining roles more accurately, it is tedious and time consuming since it requires that the semantics of the business processes be well understood. Moreover, it ignores existing permissions within an organization and does not utilize them. On the other hand, under the bottom-up approach, roles are derived from the existing permissions. As a result, it may help automate the process of role definition. In this paper, we present an unsupervised approach, called RoleMiner, for mining roles from existing user-permission assignments. Since a role, when semantics are unavailable, is nothing but a set of permissions, the task of role mining is essentially that of clustering users having the same (or similar) permissions. However, unlike the traditional applications of data mining that ideally require identification of nonoverlapping clusters, roles will have overlapping permissions, and thus the permission sets that define roles should be allowed to overlap. It is this distinction from traditional clustering that makes the problem of role mining nontrivial. Our experiments with real and simulated data sets indicate that our role mining process is quite accurate and efficient. Since our role mining approach is based on subset enumeration, it is fairly robust to reasonable levels of noise.
Keywords: Role-based access control, role engineering, data mining.
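As an added illustration (not the paper's RoleMiner implementation), the following Python sketches the subset-enumeration idea the abstract describes: every user's permission set and every intersection of such sets is a candidate role, candidates are chosen by a priority rule, and the chosen roles are allowed to overlap. The sample user-permission assignment and the greedy priority rule (cover the most still-unexplained assignments first) are assumptions of this example.

```python
from itertools import combinations

# Constructed sample user-permission assignment (UPA); not data from the paper.
UPA = {
    "alice": {"read_ledger", "post_entry", "approve_payment"},
    "bob":   {"read_ledger", "post_entry"},
    "carol": {"read_ledger", "post_entry", "approve_payment", "manage_users"},
    "dave":  {"read_ledger", "manage_users"},
    "erin":  {"read_ledger", "post_entry"},
}

def candidate_roles(upa):
    """Subset enumeration: each user's permission set is a candidate role,
    and so is every intersection of candidates (closure under intersection)."""
    cands = {frozenset(perms) for perms in upa.values()}
    grew = True
    while grew:
        grew = False
        for a, b in combinations(list(cands), 2):
            common = a & b
            if common and common not in cands:
                cands.add(common)
                grew = True
    return cands

def applies(role, user_perms):
    # A role may be assigned to a user only if it grants nothing the user lacks.
    return role <= user_perms

def mine_roles(upa):
    """Prioritized greedy cover (assumed priority rule): at each step take the
    candidate that explains the most still-uncovered (user, permission) pairs.
    Selected roles overlap freely, unlike disjoint clusters."""
    uncovered = {(u, p) for u, perms in upa.items() for p in perms}
    cands = candidate_roles(upa)
    roles = []
    while uncovered:
        def gain(role):
            return sum(1 for u, p in uncovered if p in role and applies(role, upa[u]))
        best = max(cands, key=gain)
        if gain(best) == 0:
            break
        roles.append(best)
        uncovered = {(u, p) for u, p in uncovered
                     if not (p in best and applies(best, upa[u]))}
    return roles

def rebuild_upa(upa, roles):
    """Assign every applicable role to each user and union the permissions back.
    Equals the original UPA exactly when the mined roles describe it fully."""
    return {u: set().union(*[r for r in roles if applies(r, perms)])
            for u, perms in upa.items()}
```

On the sample data the miner returns three roles that all share read_ledger, and rebuilding the UPA from them reproduces it exactly with no over-assignment.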
Jaideep Vaidya, Vijayalakshmi Atluri, Janice Warner, Qi Guo, "Role Engineering via Prioritized Subset Enumeration", IEEE Transactions on Dependable and Secure Computing, vol.7, no. 3, pp. 300-314, July-September 2010, doi:10.1109/TDSC.2008.61