
Mining Roles with Multiple Objectives

Published: 01 December 2010

Abstract

With the growing adoption of Role-Based Access Control (RBAC) in commercial security and identity management products, how to facilitate the process of migrating a non-RBAC system to an RBAC system has become a problem with significant business impact. Researchers have proposed to use data mining techniques to discover roles to complement the costly top-down approaches for RBAC system construction. An important problem is how to construct RBAC systems with low complexity. In this article, we define the notion of weighted structural complexity measure and propose a role mining algorithm that mines RBAC systems with low structural complexity. Another key problem that has not been adequately addressed by existing role mining approaches is how to discover roles with semantic meanings. In this article, we study the problem in two primary settings with different information availability. When the only information is user-permission relation, we propose to discover roles whose semantic meaning is based on formal concept lattices. We argue that the theory of formal concept analysis provides a solid theoretical foundation for mining roles from a user-permission relation. When user-attribute information is also available, we propose to create roles that can be explained by expressions of user-attributes. Since an expression of attributes describes a real-world concept, the corresponding role represents a real-world concept as well. Furthermore, the algorithms we propose balance the semantic guarantee of roles with system complexity. Finally, we indicate how to create a hybrid approach combining top-down candidate roles. Our experimental results demonstrate the effectiveness of our approaches.
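The formal-concept view of roles mentioned in the abstract, as an added example that is not code from the article: each formal concept of a user-permission relation is a maximal set of users paired with exactly the permissions they all share, and the concepts with at least one user and one permission serve as candidate roles. The relation `UP` is constructed sample data and the function names are assumptions; the sketch stops at enumeration and does not reproduce the article's complexity measure or mining algorithm.

```python
from itertools import combinations

# Constructed user-permission relation (sample data, not from the article).
UP = {
    "alice": {"read_hr", "write_hr", "read_wiki"},
    "bob": {"read_hr", "read_wiki"},
    "carol": {"read_fin", "write_fin", "read_wiki"},
    "dave": {"read_fin", "read_wiki"},
    "erin": {"read_wiki"},
}

def users_with(perms, up):
    """Extent: every user who holds all permissions in perms."""
    return frozenset(u for u, ps in up.items() if perms <= ps)

def common_perms(users, up):
    """Intent: permissions shared by all users (all permissions if none)."""
    result = frozenset().union(*up.values())
    for u in users:
        result &= up[u]
    return result

def formal_concepts(up):
    """Enumerate concepts by closing the users' permission sets under intersection."""
    # Start from each user's set plus the top intent (which may have no users).
    intents = {frozenset(ps) for ps in up.values()} | {frozenset().union(*up.values())}
    changed = True
    while changed:
        changed = False
        for a, b in combinations(list(intents), 2):
            if a & b not in intents:
                intents.add(a & b)
                changed = True
    return {(users_with(p, up), p) for p in intents}

def candidate_roles(up):
    """Concepts that have at least one user and at least one permission."""
    return [(u, p) for u, p in formal_concepts(up) if u and p]

def covers_exactly(roles, up):
    """True when the roles grant each user exactly their original permissions."""
    granted = {u: set() for u in up}
    for users, perms in roles:
        for u in users:
            granted[u] |= perms
    return granted == {u: set(ps) for u, ps in up.items()}

if __name__ == "__main__":
    for users, perms in sorted(candidate_roles(UP), key=lambda c: len(c[1])):
        print(sorted(perms), "->", sorted(users))
```

Because every user's own permission set is the intent of some concept, the candidate roles always reproduce the original relation without granting anything extra, which is what `covers_exactly` checks.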



Published In

ACM Transactions on Information and System Security, Volume 13, Issue 4
December 2010
412 pages
ISSN:1094-9224
EISSN:1557-7406
DOI:10.1145/1880022

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 December 2010
Accepted: 01 April 2010
Revised: 01 March 2010
Received: 01 December 2008
Published in TISSEC Volume 13, Issue 4


Author Tags

  1. RBAC
  2. role engineering
  3. role mining

Qualifiers

  • Research-article
  • Research
  • Refereed
