ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Migrating to optimal RBAC with minimal perturbation
Full text PdfPdf (325 KB)
Source
Symposium on Access Control Models and Technologies archive
Proceedings of the 13th ACM symposium on Access control models and technologies table of contents
Estes Park, CO, USA
SESSION: Role mining table of contents
Pages 11-20  
Year of Publication: 2008
ISBN:978-1-60558-129-3
Authors
Jaideep Vaidya  Rutgers University
Vijayalakshmi Atluri  Rutgers University
Qi Guo  Rutgers University
Nabil Adam  Rutgers University
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 6,   Downloads (12 Months): 138,   Citation Count: 4
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1377836.1377839
What is a DOI?

ABSTRACT

Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role based access control. A key problem related to this is the notion of goodness - when is a set of roles good? Recently, the role mining problem (RMP) has been defined as the problem of discovering an optimal set of roles from existing user permissions. Several different objectives for optimality have been proposed. However, one problem with these definitions is that often organizations already have a deployed set of roles and wish to optimize this set. Even if an optimal set of roles is discovered, if this is widely different, it is impossible to simply throw out the deployed roles and start using the new ones as this may disrupt organizational processes and separation of duty constraints that are defined on roles. Essentially, what is missing is taking role migration cost into account when defining optimality, which would allow us to come up with the best suited set of roles.

In this paper, we define a fundamentally different Role Mining Problem that takes the problem of deployed roles into account. We define the Minimal Perturbation RMP as the problem of discovering an optimal set of roles from existing user permissions that are similar to the currently deployed roles. In order to do this, we discuss the concept of similarity of roles and propose suitable definitions. Solutions also need to be parameterized to set relative weight of similarity and minimality to find the optimal set. We propose a heuristic solution based on the previously developed FastMiner algorithm that meets these requirements. We demonstrate the effectiveness of the algorithm through our experimental results.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Kami Brooks, Migrating to role-based access control, Proceedings of the fourth ACM workshop on Role-based access control, p.71-81, October 28-29, 1999, Fairfax, Virginia, United States  [doi>10.1145/319171.319178]
2
Edward J. Coyne, Role engineering, Proceedings of the first ACM Workshop on Role-based access control, p.4-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States  [doi>10.1145/270152.270159]
 
3
P. Epstein , R. Sandhu, Engineering of Role/Permission Assignments, Proceedings of the 17th Annual Computer Security Applications Conference, p.127, December 10-14, 2001
4
E. B. Fernandez , J. C. Hawkins, Determining role rights from use cases, Proceedings of the second ACM workshop on Role-based access control, p.121-125, November 06-07, 1997, Fairfax, Virginia, United States  [doi>10.1145/266741.266767]
5
David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
 
6
M. P. Gallagher, A. O'Connor, and B. Kropp. The economic impact of role-based access control. Planning report 02-1, National Institute of Standards and Technology, March 2002.
7
Axel Kern , Martin Kuhlmann , Andreas Schaad , Jonathan Moffett, Observations on the role life-cycle in the context of enterprise security management, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507718]
8
Martin Kuhlmann , Dalia Shohat , Gerhard Schimpf, Role mining - revealing business roles for security administration using data mining technology, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy  [doi>10.1145/775412.775435]
 
9
H. Lu, J. Vaidya, and V. Atluri. Optimal boolean matrix decomposition: Application to role engineering. In IEEE International Conference on Data Engineering, to appear, April 2008.
10
Gustaf Neumann , Mark Strembeck, A scenario-driven role engineering process for functional RBAC roles, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507717]
11
Haio Roeckle , Gerhard Schimpf , Rupert Weidinger, Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization, Proceedings of the fifth ACM workshop on Role-based access control, p.103-110, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344308]
 
12
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
13
Andreas Schaad , Jonathan Moffett , Jeremy Jacob, The role-based access control system of a European bank: a case study and discussion, Proceedings of the sixth ACM symposium on Access control models and technologies, p.3-9, May 2001, Chantilly, Virginia, United States  [doi>10.1145/373256.373257]
14
Jürgen Schlegelmilch , Ulrike Steffens, Role mining with ORCA, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden  [doi>10.1145/1063979.1064008]
 
15
Basit Shafiq , James B. D. Joshi , Elisa Bertino , Arif Ghafoor, Secure Interoperation in a Multidomain Environment Employing RBAC Policies, IEEE Transactions on Knowledge and Data Engineering, v.17 n.11, p.1557-1577, November 2005  [doi>10.1109/TKDE.2005.185]
16
Dongwan Shin , Gail-Joon Ahn , Sangrae Cho , Seunghun Jin, On modeling system-centric information for role engineering, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy  [doi>10.1145/775412.775434]
 
17
D. Thomsen , D. O'Brien , J. Bogle, Role-Based Access Control Framework for Network Enterprises, Proceedings of the 14th Annual Computer Security Applications Conference, p.50, December 07-11, 1998
18
Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo, The role mining problem: finding a minimal descriptive set of roles, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France  [doi>10.1145/1266840.1266870]
19
Jaideep Vaidya , Vijayalakshmi Atluri , Janice Warner, RoleMiner: mining roles using subset enumeration, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1180405.1180424]

CITED BY  4
Vijay Atluri, Panel on role engineering, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
Ian Molloy , Ninghui Li , Tiancheng Li , Ziqing Mao , Qihua Wang , Jorge Lobo, Evaluating role mining algorithms, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
Qun Ni , Jorge Lobo , Seraphin Calo , Pankaj Rohatgi , Elisa Bertino, Automating role-based provisioning by learning from examples, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo , Haibing Lu, Edge-RMP: Minimizing administrative assignments for role-based access control, Journal of Computer Security, v.17 n.2, p.211-235, April 2009

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls

Additional Classification:
  H. Information Systems
  H.2 DATABASE MANAGEMENT
      H.2.8 Database applications
          Subjects: Data mining


General Terms:
Security


Keywords:
RBAC, role engineering, role mining

Collaborative Colleagues:
Jaideep Vaidya: colleagues
Vijayalakshmi Atluri: colleagues
Qi Guo: colleagues
Nabil Adam: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player