Due to its exibility, ease of administration and intuitiveness, role-based access control (RBAC) is now part of most operating systems and application software. As a result of its commercial success, it has become a standard to implementing access control in many of today's organizations. However, deploying RBAC requires one to first identify an accurate and complete set of roles, and assign users to roles and permissions to roles. This process, known as role engineering [3], has been identified as one of the costliest components in realizing RBAC [7]. Although the problem of role engineering has been studied since early nineties, a recent surge in interest can be seen equally from academic and industry communities. The primary focus of this panel is to have an in-depth discussion of this problem along several dimensions. The panelists, drawn from both academia and industry, include Gail Ahn (University of North Carolina, Charlotte), Vijay Atluri (Rutgers University), Edward Coyne (Science Applications International Corporation), William Horne (Hewlett-Packard), Axel Kern (Beta Systems), Sylvia Osborn (University of Western Ontario) and Andreas Schaad (SAP Labs), who are experts in role engineering.

The first dimension of discussions will be on the different means of approaching the role engineering problem, which basically include top-down and bottom-up approaches. Under the top-down approach, roles are defined by carefully analyzing and decomposing business processes into smaller units in a functionally independent manner. These functional units are then associated with permissions on information systems. Coyne [3] is the first to describe the role engineering problem, and to present the concepts of the top-down approach. Later, several top-down approaches have been proposed [6, 1, 12, 14, 15, 11, 5, 8, 2]. In contrast, the bottom-up approach utilizes the existing permission assignments to formulate roles. Recently, several solutions have been proposed in this direction [9, 13, 18, 16, 17, 4, 10]. It may also be advantageous to use a hybrid approach, which is a mixture of the top-down and the bottom-up approaches. The focus of the discussion will be on the pragmatics of applying these classes of solutions in real world situations.

Another dimension of discussion will be on the past experiences and current practices employed by organizations in dealing with the role engineering problem, as well as on the opinions of the panelists on the expected practices in future.

Yet another dimension is to tackle this problem from a formal perspective and examine the different variants of the problem. These include devising a minimal but complete and good set of roles, minimal number of user-to-role and role-permission assignments, weaker notions of devising minimal roles [16], and the like. The discussions include formal versus practical solutions, their limitations and issues needing further investigation.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Kami Brooks, Migrating to role-based access control, Proceedings of the fourth ACM workshop on Role-based access control, p.71-81, October 28-29, 1999, Fairfax, Virginia, United States  [doi>10.1145/319171.319178]
	2	E. Coyne and J. Davis. Role Engineering for Enterprise Security Management. Artech House, 2007.
	3	Edward J. Coyne, Role engineering, Proceedings of the first ACM Workshop on Role-based access control, p.4-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States  [doi>10.1145/270152.270159]
	4	Alina Ene , William Horne , Nikola Milosavljevic , Prasad Rao , Robert Schreiber , Robert E. Tarjan, Fast exact and heuristic methods for role minimization problems, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA  [doi>10.1145/1377836.1377838]
	5	P. Epstein , R. Sandhu, Engineering of Role/Permission Assignments, Proceedings of the 17th Annual Computer Security Applications Conference, p.127, December 10-14, 2001
	6	E. B. Fernandez , J. C. Hawkins, Determining role rights from use cases, Proceedings of the second ACM workshop on Role-based access control, p.121-125, November 06-07, 1997, Fairfax, Virginia, United States  [doi>10.1145/266741.266767]
	7	M. P. Gallagher, A. O'Connor, and B. Kropp. The economic impact of role-based access control. Planning report 02-1, National Institute of Standards and Technology, March 2002.
	8	Axel Kern , Martin Kuhlmann , Andreas Schaad , Jonathan Moffett, Observations on the role life-cycle in the context of enterprise security management, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507718]
	9	Martin Kuhlmann , Dalia Shohat , Gerhard Schimpf, Role mining - revealing business roles for security administration using data mining technology, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy  [doi>10.1145/775412.775435]
	10	Ian Molloy , Hong Chen , Tiancheng Li , Qihua Wang , Ninghui Li , Elisa Bertino , Seraphin Calo , Jorge Lobo, Mining roles with semantic meanings, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA  [doi>10.1145/1377836.1377840]
	11	Gustaf Neumann , Mark Strembeck, A scenario-driven role engineering process for functional RBAC roles, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507717]
	12	Haio Roeckle , Gerhard Schimpf , Rupert Weidinger, Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization, Proceedings of the fifth ACM workshop on Role-based access control, p.103-110, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344308]
	13	Jürgen Schlegelmilch , Ulrike Steffens, Role mining with ORCA, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden  [doi>10.1145/1063979.1064008]
	14	Dongwan Shin , Gail-Joon Ahn , Sangrae Cho , Seunghun Jin, On modeling system-centric information for role engineering, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy  [doi>10.1145/775412.775434]
	15	D. Thomsen , D. O'Brien , J. Bogle, Role-Based Access Control Framework for Network Enterprises, Proceedings of the 14th Annual Computer Security Applications Conference, p.50, December 07-11, 1998
	16	Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo, The role mining problem: finding a minimal descriptive set of roles, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France  [doi>10.1145/1266840.1266870]
	17	Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo , Nabil Adam, Migrating to optimal RBAC with minimal perturbation, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA  [doi>10.1145/1377836.1377839]
	18	Jaideep Vaidya , Vijayalakshmi Atluri , Janice Warner, RoleMiner: mining roles using subset enumeration, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1180405.1180424]