
Role mining under User-Distribution cardinality constraint

Published: 01 November 2023

Abstract

Role-based access control (RBAC) defines the methods complex organizations use to assign their users permissions for accessing restricted resources. RBAC assigns users to roles, where roles determine the resources each user can access. Defining roles, especially when there are many users and many resources to handle, can be a very difficult and time-consuming task. The class of tools and methodologies that elicit roles starting from existing user-permission assignments is referred to as role mining. Sometimes, to let the RBAC model be directly deployable in organizations, role mining can also take into account various constraints, like cardinality and separation of duty. Typically, these constraints are enforced to ease the management of roles, and their use is justified as role administration becomes more convenient. In this paper, we focus on the User-Distribution cardinality constraint, which places a restriction on the number of users that can be assigned to a given role. In this scenario, we present a simple heuristic that improves over the state of the art. Furthermore, to address a more realistic situation, we extend the User-Distribution model with an additional constraint that avoids the generation of roles sharing identical sets of permissions. Within this context, we describe a heuristic enabling the computation of a solution in the new model. Additionally, we assess both heuristics' performances using real-world datasets.
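As an added illustration (not code from the paper or its authors), the following Python checks a candidate RBAC state against the three requirements the abstract names: the mined roles must reproduce the existing user-permission assignment, no role may be assigned to more than a cap of t users (the User-Distribution cardinality constraint), and no two roles may carry an identical permission set (the additional constraint). The names `UPA`, `UA`, `PA`, `t` and the sample data are assumptions; the toy `naive_split_mining` heuristic is likewise an assumption used only to show why the second constraint matters, and is not the paper's heuristic.

```python
"""Added example, not from the paper: validate an RBAC state against the
constraints described in the abstract. Assumed names: UPA is the existing
user-permission assignment, UA the user-role assignment, PA the
role-permission assignment, t the per-role user cap."""

# Constructed sample user-permission assignment (UPA): user -> permissions.
UPA = {
    "alice": {"read", "write"},
    "bob":   {"read", "write"},
    "carol": {"read", "write"},
    "dave":  {"read"},
    "erin":  {"read", "admin"},
}


def derived_upa(UA, PA):
    """Permissions each user actually obtains through their roles."""
    return {u: set().union(*(PA[r] for r in roles)) for u, roles in UA.items()}


def check_rbac_state(UPA, UA, PA, t):
    """Return the list of constraint violations of (UA, PA) w.r.t. UPA and t.

    (1) coverage: every user gets exactly the permissions recorded in UPA;
    (2) cardinality: no role is assigned to more than t users;
    (3) duplicate: no two roles share an identical permission set.
    """
    violations = []
    got = derived_upa(UA, PA)
    for u, perms in UPA.items():
        if got.get(u, set()) != perms:
            violations.append(("coverage", u))
    users_per_role = {}
    for u, roles in UA.items():
        for r in roles:
            users_per_role.setdefault(r, set()).add(u)
    for r, users in users_per_role.items():
        if len(users) > t:
            violations.append(("cardinality", r))
    seen = {}
    for r, perms in PA.items():
        key = frozenset(perms)
        if key in seen:
            violations.append(("duplicate", (seen[key], r)))
        else:
            seen[key] = r
    return violations


def naive_split_mining(UPA, t):
    """Assumed illustrative heuristic (not the paper's): one role per distinct
    permission set, split into chunks of at most t users. This satisfies
    coverage and the user cap, but produces duplicate-permission roles as soon
    as a permission set is shared by more than t users."""
    groups = {}
    for u, perms in sorted(UPA.items()):
        groups.setdefault(frozenset(perms), []).append(u)
    UA, PA = {u: set() for u in UPA}, {}
    for perms, users in groups.items():
        for i in range(0, len(users), t):
            r = f"r{len(PA)}"
            PA[r] = set(perms)
            for u in users[i:i + t]:
                UA[u].add(r)
    return UA, PA


if __name__ == "__main__":
    UA, PA = naive_split_mining(UPA, t=2)
    print(PA)
    # With t=2 the shared {read, write} set is split into two identical roles,
    # which the duplicate-permission check flags.
    print(check_rbac_state(UPA, UA, PA, t=2))
```

Running the checker on the output of the naive split with t=2 reports a duplicate-permission pair, while the same data with t=3 passes all three checks; this is the tension the abstract points to between the plain User-Distribution model and the extended one.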



Published In

Journal of Information Security and Applications, Volume 78, Issue C, Nov 2023, 462 pages

Publisher

Elsevier Science Inc., United States

Author Tags

  1. RBAC
  2. Access control
  3. Heuristics
  4. Constrained role mining

Qualifiers

  • Research-article
