research-article

Minimizing Organizational User Requirement while Meeting Security Constraints

Authors:

Arun Kumar Majumdar,

Jaideep Vaidya,

Vijayalakshmi AtluriAuthors Info & Claims

ACM Transactions on Management Information Systems (TMIS), Volume 6, Issue 3

Article No.: 12, Pages 1 - 25

https://doi.org/10.1145/2811269

Published: 13 September 2015 Publication History

Abstract

Large systems are complex and typically need automatic configuration to be managed effectively. In any organization, numerous tasks have to be carried out by employees. However, due to security needs, it is not feasible to directly assign any existing task to the first available employee. In order to meet many additional security requirements, constraints such as separation of duty, cardinality and binding have to be taken into consideration. Meeting these requirements imposes extra burden on organizations, which, however, is unavoidable in order to ensure security. While a trivial way of ensuring security is to assign each user to a single task, business organizations would typically like to minimize their costs and keep staffing requirements to a minimum. To meet these contradictory goals, we define the problem of Cardinality Constrained-Mutually Exclusive Task Minimum User Problem (CMUP), which aims to find the minimum users that can carry out a set of tasks while satisfying the given security constraints. We show that the CMUP problem is equivalent to a constrained version of the weak chromatic number problem in hypergraphs, which is NP-hard. We, therefore, propose a greedy solution. Our experimental evaluation shows that the proposed algorithm is both efficient and effective.

References

[1]

E. Anand and R. Panneerselvam. 2015. Literature review of open shop scheduling problems. Intelligent Information Management 7, 01 (2015), 33.

[2]

D. Basin, S. J. Burri, and G. Karjoth. 2012. Optimal workflow-aware authorizations. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies. 93--102.

Digital Library

[3]

D. E. Bell and L. J. Lapadula. 1976. Secure computer system: Unified exposition and multics interpretation. Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731 (1976). Technical Report. http://csrc.nist.gov/publications/history/bell76.pdf.

[4]

C. Berge. 1989. Hypergraphs: Combinatorics of Finite Sets. North-Holland.

[5]

E. Bertino, E. Ferrari, and V. Atluri. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2, 1 (1999), 65--104.

Digital Library

[6]

D. D. Clark and D. R. Wilson. 1987. A comparison of commercial and military computer security policies. In Proceedings of the 1987 IEEE Symposium on Security and Privacy. 184--194.

[7]

J. Crampton. 2005. A reference monitor for workflow systems with constrained task execution. In Proceedings of the 10th Symposium on Access Control Models and Technologies. 38--47.

Digital Library

[8]

J. Crampton, G. Gutin, and A. Yeo. 2013. On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Transactions on Information and System Security 16, 1 (2013), 4:1--4:31.

Digital Library

[9]

D. de Werra, A. Hertz, D. Kobler, and N. V. R. Mahadev. 2000. Feasible edge colorings of trees with cardinality constraints. Discrete Mathematics 222, 13 (2000), 61--72.

Digital Library

[10]

A. Ene, W. Horney, N. Milosavljevic, P. Rao, R. Schreiber, and R. E. Tarjan. 2008. Fast exact and heuristic methods for role minimization problems. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SACMAT’08). 1--10.

Digital Library

[11]

M. Frank, J. M. Buhman, and D. Basin. 2013. Role mining with probabilistic models. ACM Transactions on Information and System Security 15, 4 (2013), 15:1--15:28.

Digital Library

[12]

L. Fuchs, G. Pernul, and R. Sandhu. 2011. Roles in information security--A survey and classification of the research area. Computers & Security 30, 8 (2011), 748--769.

Digital Library

[13]

P. Harika, M. Nagajyothi, J. C. John, S. Sural, J. Vaidya, and V. Atluri. 2015. Meeting cardinality constraints in role mining. IEEE Transactions on Dependable and Secure Computing 12, 1 (2015), 71--84.

Digital Library

[14]

M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. 1976. Protection in operating systems. Communications of the ACM 19, 8 (1976), 461--471.

Digital Library

[15]

D. R. Kuhn. 1997. Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. Proceedings of the Second ACM Workshop on Role-Based Access Control (1997), 23--30.

Digital Library

[16]

J. Y. T. Leung. 2004. Handbook of Scheduling: Algorithms, Models, and Performance Analysis. CRC Press.

Digital Library

[17]

N. Li, M. V. Tripunitara, and Z. Bizri. 2007. On mutually exclusive roles and separation-of-duty. ACM Transactions on Information and System Security 10, 2 (2007), 1--36.

Digital Library

[18]

H. Lu, J. Vaidya, V. Atluri, and Y. Hong. 2012. Constraint-aware role mining via extended boolean matrix decomposition. IEEE Transactions on Dependable and Secure Computing 9, 5 (2012), 655--669.

Digital Library

[19]

D. V. Miller and R. W. Baldwin. 1990. Access control by Boolean expression evaluation. In Proceedings of the 5th Annual Computer Security Applications Conference. 131--139.

[20]

A. Pluhar. 2009. Greedy colorings of uniform hypergraphs. Random Structures and Algorithms 35, 2 (2009), 137--270.

Digital Library

[21]

A. Roy, S. Sural, and A. K. Majumdar. 2012. Minimum user requirement in role based access control with separation of duty constraints. In Proceedings of the 12th International Conference on Intelligent Systems Design and Applications. 386--391.

[22]

A. Roy, S. Sural, and A. K. Majumdar. 2014. Impact of multiple t-t SMER constraints on minimum user requirement in RBAC. In Proceedings of the 10th International Conference on Information Systems Security. 109--128.

[23]

R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. 1996. Role-based access control models. IEEE Computer 29, 2 (1996), 38--47.

Digital Library

[24]

J. Schmidt-Pruzan, E. Shamir, and E. Upfal. 1985. Random hypergraph coloring algorithms and the weak chromatic number. Journal of Graph Theory 9, 3 (1985), 347--362.

[25]

L. Snyder. 1977. On the synthesis and analysis of protection systems. In Proceedings of the 6th ACM Symposium on Operating Systems Principles. 141--150.

Digital Library

[26]

R. K. Thomas and R. S. Sandhu. 1994. Conceptual foundations for a model of task-based authorizations. In Proceedings of the Computer Security Foundations Workshop. 66--79.

[27]

R. K. Thomas and R. S. Sandhu. 1997. Task-based authorization controls (TBAC): A family of models for active and enterprise-oriented authorization management. In Proceedings of the IFIP International Conference on Data and Application Security and Privacy. 166--181.

Digital Library

[28]

J. Vaidya, V. Atluri, and Q. Guo. 2007. The role mining problem: Finding a minimal descriptive set of roles. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT’07). 175--184.

Digital Library

[29]

Q. Wang and N. Li. 2007. Satisfiability and resiliency in workflow systems. In Proceedings of the 12th European Symposium on Research in Computer Security. 90--105.

Digital Library

[30]

Q. Wang and N. Li. 2010. Satisfiability and resiliency in workflow authorization systems. ACM Transactions on Information and System Security 13, 4 (2010), 40:1--40:35.

Digital Library

[31]

X. Zhao, C. Liu, S. Yongchareon, M. Kowalkiewicz, and W. Sadiq. 2015. Role-based process view derivation and composition. ACM Transactions on Management Information Systems 6, 2 (2015), 7:1--7:24.

Digital Library

[32]

H. Zhu and M. Zhou. 2008. Roles in information systems: A survey. IEEE Transactions on Systems, Man and Cybernetics, Part C: Applications and Reviews 38, 3 (2008), 377--396.

Digital Library

Cited By

Zhu FYang CZhu LZuo HGu J(2024)MFC-RMA (Matrix Factorization and Constraints- Role Mining Algorithm): An Optimized Role Mining AlgorithmSymmetry10.3390/sym1608100816:8(1008)Online publication date: 7-Aug-2024
https://doi.org/10.3390/sym16081008
Roy ASural SMajumdar AVaidya JAtluri V(2021)Optimal Employee Recruitment in Organizations under Attribute-Based Access ControlACM Transactions on Management Information Systems10.1145/340395012:1(1-24)Online publication date: 12-Jan-2021
https://dl.acm.org/doi/10.1145/3403950
Roy ASural SMajumdar AVaidya JAtluri V(2021)Enabling Workforce Optimization in Constrained Attribute-Based Access Control SystemsIEEE Transactions on Emerging Topics in Computing10.1109/TETC.2019.29447879:4(1901-1913)Online publication date: 1-Oct-2021
https://doi.org/10.1109/TETC.2019.2944787
Show More Cited By

Index Terms

Minimizing Organizational User Requirement while Meeting Security Constraints
1. Human-centered computing
  1. Human computer interaction (HCI)

Recommendations

Goal Oriented Requirement Engineering: A Critical Study of Techniques
APSEC '06: Proceedings of the XIII Asia Pacific Software Engineering Conference

The term "Goal" is increasingly being used in Requirement Engineering. Goal-Oriented requirement engineering (GORE) provides an incremental approach for elicitation, analysis, elaboration & refinement, specification and modeling of requirements. Various ...
Capturing behavior coordination in goal-oriented requirement engineering
SEA '07: Proceedings of the 11th IASTED International Conference on Software Engineering and Applications

Goal-Oriented Requirement Engineering (GORE) methodologies use goals to facilitate elicitation, elaboration, analysis, and specification of the required behaviors for software. Traditional GORE approaches focus on the goal refinement and requirement ...
Visual Requirement Specification In End-User Participation
MERE '06: Proceedings of the First International Workshop on Multimedia Requirements Engineering

End-user participation in requirements engineering (RE) is important, but not frequently used at the moment. Reasons are the large expenditure of time for organizing and carrying out surveys as well as the time it takes to understand the users' ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Management Information Systems

ACM Transactions on Management Information Systems Volume 6, Issue 3

October 2015

108 pages

ISSN:2158-656X

EISSN:2158-6578

DOI:10.1145/2823403

Editor:
Alexander Tuzhilin
New York University, USA

Issue’s Table of Contents

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 September 2015

Accepted: 01 July 2015

Revised: 01 March 2015

Received: 01 September 2014

Published in TMIS Volume 6, Issue 3

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
320
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)1

Reflects downloads up to 08 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Zhu FYang CZhu LZuo HGu J(2024)MFC-RMA (Matrix Factorization and Constraints- Role Mining Algorithm): An Optimized Role Mining AlgorithmSymmetry10.3390/sym1608100816:8(1008)Online publication date: 7-Aug-2024
https://doi.org/10.3390/sym16081008
Roy ASural SMajumdar AVaidya JAtluri V(2021)Optimal Employee Recruitment in Organizations under Attribute-Based Access ControlACM Transactions on Management Information Systems10.1145/340395012:1(1-24)Online publication date: 12-Jan-2021
https://dl.acm.org/doi/10.1145/3403950
Roy ASural SMajumdar AVaidya JAtluri V(2021)Enabling Workforce Optimization in Constrained Attribute-Based Access Control SystemsIEEE Transactions on Emerging Topics in Computing10.1109/TETC.2019.29447879:4(1901-1913)Online publication date: 1-Oct-2021
https://doi.org/10.1109/TETC.2019.2944787
Alohaly M(2020)Frameworks for Attribute-Based Access Control (ABAC) Policy Engineeringundefined10.12794/metadc1707241Online publication date: Aug-2020
https://doi.org/10.12794/metadc1707241
Berge PCrampton JGutin GWatrigant R(2020)The Authorization Policy Existence ProblemIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2018.288341617:6(1333-1344)Online publication date: 1-Nov-2020
https://doi.org/10.1109/TDSC.2018.2883416
Sun WSu HLiu H(2019)Role-Engineering Optimization with Cardinality Constraints and User-Oriented Mutually Exclusive ConstraintsInformation10.3390/info1011034210:11(342)Online publication date: 4-Nov-2019
https://doi.org/10.3390/info10110342
Bertolissi Cdos Santos DRanise SBertino ELin DLobo J(2018)Solving Multi-Objective Workflow Satisfiability Problems with Optimization Modulo Theories TechniquesProceedings of the 23nd ACM on Symposium on Access Control Models and Technologies10.1145/3205977.3205982(117-128)Online publication date: 7-Jun-2018
https://dl.acm.org/doi/10.1145/3205977.3205982
Crampton JGutin GKarapetyan DWatrigant R(2017)The bi-objective workflow satisfiability problem and workflow resiliency1Journal of Computer Security10.3233/JCS-1684925:1(83-115)Online publication date: 16-Mar-2017
https://doi.org/10.3233/JCS-16849
Roy ASural SMajumdar AVaidya JAtluri V(2016)On Optimal Employee Assignment in Constrained Role-Based Access Control SystemsACM Transactions on Management Information Systems10.1145/29964707:4(1-24)Online publication date: 15-Dec-2016
https://dl.acm.org/doi/10.1145/2996470

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Issue’s Table of Contents