DOI: 10.1145/1377836.1377839
Research article, SACMAT conference proceedings

Migrating to optimal RBAC with minimal perturbation

Published: 11 June 2008

Abstract

Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role-based access control. A key problem related to this is the notion of goodness: when is a set of roles good? Recently, the role mining problem (RMP) has been defined as the problem of discovering an optimal set of roles from existing user permissions. Several different objectives for optimality have been proposed. However, one problem with these definitions is that organizations often already have a deployed set of roles and wish to optimize that set. Even if an optimal set of roles is discovered, if it is widely different from the deployed one, it is impossible to simply throw out the deployed roles and start using the new ones, as this may disrupt organizational processes and separation-of-duty constraints that are defined on roles. Essentially, what is missing is taking role migration cost into account when defining optimality, which would allow us to come up with the best-suited set of roles.
In this paper, we define a fundamentally different Role Mining Problem that takes deployed roles into account. We define the Minimal Perturbation RMP as the problem of discovering an optimal set of roles from existing user permissions that is similar to the currently deployed roles. In order to do this, we discuss the concept of similarity of roles and propose suitable definitions. Solutions also need to be parameterized to set the relative weight of similarity and minimality when finding the optimal set. We propose a heuristic solution based on the previously developed FastMiner algorithm that meets these requirements. We demonstrate the effectiveness of the algorithm through our experimental results.
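The trade-off the abstract describes, as an added illustration that is not the paper's algorithm, its similarity definition, or its data: a candidate role set must first reproduce the user-permission assignment (UPA) exactly, and among the feasible sets a weight w decides how much the number of roles counts against how far the set departs from the deployed roles. The symmetric Jaccard-based role-set similarity, the normalisation of the role count by the number of permissions, and the sample UPA, deployed roles and candidate sets are all assumptions made for this example.

```python
"""Added illustration of the minimal-perturbation role mining trade-off.

Not the paper's algorithm or its similarity definition: the Jaccard-based
role-set similarity, the size normalisation and the sample data below are
assumptions made for this example.
"""
from fractions import Fraction
import math

# Constructed user-permission assignment (UPA): user -> permissions held.
UPA = {
    "alice": frozenset({"p1", "p2", "p3"}),
    "bob":   frozenset({"p1", "p2", "p3"}),
    "carol": frozenset({"p4", "p5", "p6"}),
    "dave":  frozenset({"p1", "p2", "p3", "p4", "p5", "p6"}),
}

# Constructed deployed roles. p6 was granted to carol and dave after these
# roles were defined, so the deployed set no longer covers the UPA.
DEPLOYED = {
    "clerk":    frozenset({"p1", "p2"}),
    "reviewer": frozenset({"p3"}),
    "auditor":  frozenset({"p4", "p5"}),
}

# Constructed candidate role sets a miner might propose.
CANDIDATES = {
    "deployed": DEPLOYED,
    "minimal": {"r1": frozenset({"p1", "p2", "p3"}),
                "r2": frozenset({"p4", "p5", "p6"})},
    "similar": {"clerk":    frozenset({"p1", "p2"}),
                "reviewer": frozenset({"p3"}),
                "auditor":  frozenset({"p4", "p5", "p6"})},
}


def assign_users(upa, roles):
    """Give each user every role whose permissions they already hold.
    A role the user does not fully hold would grant excess permissions."""
    return {u: {r for r, rp in roles.items() if rp <= perms}
            for u, perms in upa.items()}


def covers(upa, roles):
    """True iff the assigned roles reproduce every user's permissions exactly."""
    ua = assign_users(upa, roles)
    for user, perms in upa.items():
        granted = frozenset().union(*(roles[r] for r in ua[user]))
        if granted != perms:
            return False
    return True


def jaccard(a, b):
    """Jaccard similarity of two permission sets, exact as a Fraction."""
    return Fraction(len(a & b), len(a | b)) if (a | b) else Fraction(1)


def directed_similarity(src, dst):
    """Mean over roles in src of their best Jaccard match among roles in dst."""
    best = (max(jaccard(s, d) for d in dst.values()) for s in src.values())
    return sum(best, Fraction(0)) / len(src)


def similarity(candidate, deployed):
    """Symmetric role-set similarity in [0, 1] (assumed definition)."""
    return (directed_similarity(candidate, deployed)
            + directed_similarity(deployed, candidate)) / 2


def objective(candidate, deployed, upa, w):
    """Weighted cost in [0, 1]: w weights minimality (fewer roles) against
    perturbation (dissimilarity to the deployed roles). Infeasible sets,
    i.e. sets that do not reproduce the UPA, cost infinity."""
    if not covers(upa, candidate):
        return math.inf
    n_perms = len(frozenset().union(*upa.values()))
    size = Fraction(len(candidate), n_perms)
    return w * size + (1 - w) * (1 - similarity(candidate, deployed))


def choose(candidates, deployed, upa, w):
    """Name of the candidate role set with the lowest cost for weight w."""
    return min(candidates,
               key=lambda name: objective(candidates[name], deployed, upa, w))


if __name__ == "__main__":
    for w in (Fraction(1, 10), Fraction(1, 2), Fraction(9, 10)):
        costs = {n: objective(c, DEPLOYED, UPA, w) for n, c in CANDIDATES.items()}
        print(f"w={w}: {costs} -> {choose(CANDIDATES, DEPLOYED, UPA, w)}")
```

With these inputs the deployed set is infeasible on its own, the two-role set wins when minimality is weighted heavily, and the three-role set that keeps two deployed roles unchanged wins when perturbation is weighted heavily; which one an organization wants is exactly the parameter the abstract says a solution must expose.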




Published In

SACMAT '08: Proceedings of the 13th ACM symposium on Access control models and technologies
June 2008, 214 pages
ISBN: 9781605581293
DOI: 10.1145/1377836

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. RBAC
  2. role engineering
  3. role mining

Qualifiers

  • Research-article

Conference

SACMAT08

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Article Metrics

  • Downloads (last 12 months): 6
  • Downloads (last 6 weeks): 0
Reflects downloads up to 03 Jan 2025.

Cited By
  • (2022) Finding permission bugs in smart contracts with role mining. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 716-727. DOI: 10.1145/3533767.3534372. Online publication date: 18-Jul-2022.
  • (2022) Optimization of Access Control Policies. Journal of Information Security and Applications, 70:C. DOI: 10.1016/j.jisa.2022.103301. Online publication date: 1-Nov-2022.
  • (2020) An Incremental Algorithm for the Role Mining Problem. Computers & Security, article 101830. DOI: 10.1016/j.cose.2020.101830. Online publication date: Apr-2020.
  • (2019) On the use of Max-SAT and PDDL in RBAC maintenance. Cybersecurity, 2:1. DOI: 10.1186/s42400-019-0036-9. Online publication date: 1-Jul-2019.
  • (2019) Policy Adaptation in Hierarchical Attribute-based Access Control Systems. ACM Transactions on Internet Technology, 19:3, pp. 1-24. DOI: 10.1145/3323233. Online publication date: 17-Aug-2019.
  • (2019) A Nature-Inspired Framework for Optimal Mining of Attribute-Based Access Control Policies. Security and Privacy in Communication Networks, pp. 489-506. DOI: 10.1007/978-3-030-37231-6_29. Online publication date: 11-Dec-2019.
  • (2018) Mining hierarchical temporal roles with multiple metrics. Journal of Computer Security, 26:1, pp. 121-142. DOI: 10.3233/JCS-17989. Online publication date: 1-Jan-2018.
  • (2018) Parametric RBAC Maintenance via Max-SAT. Proceedings of the 23rd ACM Symposium on Access Control Models and Technologies, pp. 15-25. DOI: 10.1145/3205977.3205987. Online publication date: 7-Jun-2018.
  • (2018) An Approach for Hierarchical RBAC Reconfiguration With Minimal Perturbation. IEEE Access, 6, pp. 40389-40399. DOI: 10.1109/ACCESS.2017.2782838. Online publication date: 2018.
  • (2018) Towards Evolutionary Named Group Recommendations. Computer Supported Cooperative Work, 27:3-6, pp. 983-1018. DOI: 10.1007/s10606-018-9321-5. Online publication date: 1-Dec-2018.
