A formal framework to elicit roles with business meaning in RBAC systems

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A formal framework to elicit roles with business meaning in RBAC systems

Full text

Pdf (847 KB)

Source

Symposium on Access Control Models and Technologies archive
Proceedings of the 14th ACM symposium on Access control models and technologies table of contents

Stresa, Italy

SESSION: Role engineering table of contents

Pages 85-94

Year of Publication: 2009

ISBN:978-1-60558-537-6

Authors

Alessandro Colantonio	Engiweb Security, Roma, Italy
Roberto Di Pietro	Università di Roma Tre, Roma, Italy
Alberto Ocello	Engiweb Security, Roma, Italy
Nino Vincenzo Verde	Università di Roma Tre, Roma, Italy

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 20, Downloads (12 Months): 95, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1542207.1542223 What is a DOI?

ABSTRACT

The role-based access control (RBAC) model has proven to be cost effective to reduce the complexity and costs of access permission management. To maximize the advantages offered by RBAC, the role engineering discipline has been introduced. A viable approach is to explore current applications and systems to find de facto roles embedded in existing user permissions, leading to what is usually referred to as role mining. However, a key problem that has not yet been adequately addressed by existing role mining approaches is how to propose roles that have business meaning. In order to do this, we provide a new formal framework that also enjoys practical relevance. In particular, the proposed framework leverages business information - such as business processes and organization structure - to implement role mining algorithms. Our key observation is that a role is likely to be meaningful from a business perspective when it involves activities within the same business process or organizational units within the same branch. To measure the "spreading" of a role among business processes or organization structure, we resort to centrality indices. Such indices are used in our cost-driven approach during the role mining process. Finally, we illustrate the application of the framework through a few examples.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	American National Standards Institute (ANSI) and InterNational Committee for Information Technology Standards (INCITS). ANSI/INCITS 359-2004, Information Technology - Role Based Access Control, 2004.
	2	Alessandro Colantonio , Roberto Di Pietro , Alberto Ocello, A cost-driven approach to role engineering, Proceedings of the 2008 ACM symposium on Applied computing, March 16-20, 2008, Fortaleza, Ceara, Brazil [doi>10.1145/1363686.1364198]
	3	A. Colantonio, R. Di Pietro, and A. Ocello. Leveraging lattices to improve role mining. In Proceedings of the IFIP TC 11 23rd International Information Security Conference, SEC '08, volume 278 of IFIP International Federation for Information Processing, pages 333--347. Springer, 2008.
	4	A. Colantonio, R. Di Pietro, A. Ocello, and N. V. Verde. Mining stable roles in RBAC. In Proceedings of the IFIP TC 11 24th International Information Security Conference, SEC '09, volume 297 of IFIP International Federation for Information Processing, pages 259--269. Springer, 2009.
	5	A. Colantonio, R. Di Pietro, A. Ocello, and N. V. Verde. A probabilistic bound on the basic role mining problem and its applications. In Proceedings of the IFIP TC 11 24th International Information Security Conference, SEC '09, volume 297 of IFIP International Federation for Information Processing, pages 376--386. Springer, 2009.
	6	Edward J. Coyne, Role engineering, Proceedings of the first ACM Workshop on Role-based access control, p.4-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States [doi>10.1145/270152.270159]
	7	R. Crook, D. Ince, and B. Nuseibeh. Towards an analytical role modelling framework for security requirements. In Proceedings of the 8th International Workshop on Requirements Engineering: Foundation for Software Quality, REFSQ '02, 2002.
	8	Kalyanmoy Deb , Deb Kalyanmoy, Multi-Objective Optimization Using Evolutionary Algorithms, John Wiley & Sons, Inc., New York, NY, 2001
	9	Alina Ene , William Horne , Nikola Milosavljevic , Prasad Rao , Robert Schreiber , Robert E. Tarjan, Fast exact and heuristic methods for role minimization problems, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA [doi>10.1145/1377836.1377838]
	10	P. Epstein , R. Sandhu, Engineering of Role/Permission Assignments, Proceedings of the 17th Annual Computer Security Applications Conference, p.127, December 10-14, 2001
	11	E. B. Fernandez , J. C. Hawkins, Determining role rights from use cases, Proceedings of the second ACM workshop on Role-based access control, p.121-125, November 06-07, 1997, Fairfax, Virginia, United States [doi>10.1145/266741.266767]
	12	Mario Frank , David Basin , Joachim M. Buhmann, A class of probabilistic models for role engineering, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA [doi>10.1145/1455770.1455809]
	13	Axel Kern , Martin Kuhlmann , Andreas Schaad , Jonathan Moffett, Observations on the role life-cycle in the context of enterprise security management, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA [doi>10.1145/507711.507718]
	14	Martin Kuhlmann , Dalia Shohat , Gerhard Schimpf, Role mining - revealing business roles for security administration using data mining technology, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy [doi>10.1145/775412.775435]
	15	Ninghui Li , Ji-Won Byun , Elisa Bertino, A Critique of the ANSI Standard on Role-Based Access Control, IEEE Security and Privacy, v.5 n.6, p.41-49, November 2007 [doi>10.1109/MSP.2007.158]
	16	Haibing Lu , Jaideep Vaidya , Vijayalakshmi Atluri, Optimal Boolean Matrix Decomposition: Application to Role Engineering, Proceedings of the 2008 IEEE 24th International Conference on Data Engineering, p.297-306, April 07-12, 2008 [doi>10.1109/ICDE.2008.4497438]
	17	Ian Molloy , Hong Chen , Tiancheng Li , Qihua Wang , Ninghui Li , Elisa Bertino , Seraphin Calo , Jorge Lobo, Mining roles with semantic meanings, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA [doi>10.1145/1377836.1377840]
	18	Gustaf Neumann , Mark Strembeck, A scenario-driven role engineering process for functional RBAC roles, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA [doi>10.1145/507711.507717]
	19	Sejong Oh , Seog Park, Task-role-based access control model, Information Systems, v.28 n.6, p.533-562, September 2003 [doi>10.1016/S0306-4379(02)00029-7]
	20	Sejong Oh , Ravi Sandhu , Xinwen Zhang, An effective role administration model using organization structure, ACM Transactions on Information and System Security (TISSEC), v.9 n.2, p.113-137, May 2006 [doi>10.1145/1151414.1151415]
	21	Najam Perwaiz, Structured management of role-permission relationships, Proceedings of the sixth ACM symposium on Access control models and technologies, p.163-169, May 2001, Chantilly, Virginia, United States [doi>10.1145/373256.373292]
	22	Haio Roeckle , Gerhard Schimpf , Rupert Weidinger, Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization, Proceedings of the fifth ACM workshop on Role-based access control, p.103-110, July 26-28, 2000, Berlin, Germany [doi>10.1145/344287.344308]
	23	Jürgen Schlegelmilch , Ulrike Steffens, Role mining with ORCA, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden [doi>10.1145/1063979.1064008]
	24	Dongwan Shin , Gail-Joon Ahn , Sangrae Cho , Seunghun Jin, On modeling system-centric information for role engineering, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy [doi>10.1145/775412.775434]
	25	Jaideep Vaidya , Vijayalakshmi Atluri , Qi Guo, The role mining problem: finding a minimal descriptive set of roles, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France [doi>10.1145/1266840.1266870]
	26	Jaideep Vaidya , Vijayalakshmi Atluri , Janice Warner, RoleMiner: mining roles using subset enumeration, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA [doi>10.1145/1180405.1180424]
	27	S. Wasserman and K. Faust. Social Network Analysis, chapter 5, pages 169--219. Cambridge University Press, 1994.
	28	Dana Zhang , Kotagiri Ramamohanarao , Tim Ebringer, Role engineering using graph optimisation, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France [doi>10.1145/1266840.1266862]