RoleMiner: Mining roles using subset enumeration

Research output: Contribution to journalConference articlepeer-review

174 Scopus citations

Abstract

Role engineering, the task of defining roles and associating permissions to them, is essential to realize the full benefits of the role-based access control paradigm. Essentially, there are two basic approaches to accomplish this: the top-down and the bottom-up. The top-down approach relies on a careful analysis of the business processes to define job functions and then specify appropriate roles from them. While this approach can aid in defining roles more accurately, it is tedious and time consuming since it requires that the semantics of the business processes be well understood. Moreover, it ignores existing permissions within an organization and does not utilize them. On the other hand, the bottom-up approach starts with existing permissions and attempts to derive roles from them, thus helping to automate role definition. In this paper, we present an unsupervised approach called RoleMiner that mines roles from existing user-permission assignments. Since a role is nothing but a set of permissions, when no semantics are available, the task of role mining is essentially that of clustering users that have same (or similar) permissions. However, unlike the traditional applications of data mining that ideally require identification of non-overlapping clusters, roles will have overlapping permission needs and thus permission sets that define roles should be allowed to overlap. It is this distinction from traditional clustering that makes the problem of role mining non-trivial. Our experiments with real and simulated data sets indicate that our role mining process is quite accurate and efficient.

Original languageEnglish (US)
Article number1180424
Pages (from-to)144-153
Number of pages10
JournalProceedings of the ACM Conference on Computer and Communications Security
DOIs
StatePublished - 2006
EventCCS 2006: 13th ACM Conference on Computer and Communications Security - Alexandria, VA, United States
Duration: Oct 30 2006Nov 3 2006

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Keywords

  • RBAC
  • Role engineering
  • Role mining

Fingerprint

Dive into the research topics of 'RoleMiner: Mining roles using subset enumeration'. Together they form a unique fingerprint.

Cite this