Abstract
Role engineering, the task of defining roles and associating permissions to them, is essential to realize the full benefits of the role-based access control paradigm. Essentially, there are two basic approaches to accomplish this: the top-down and the bottom-up. The top-down approach relies on a careful analysis of the business processes to define job functions and then specify appropriate roles from them. While this approach can aid in defining roles more accurately, it is tedious and time consuming since it requires that the semantics of the business processes be well understood. Moreover, it ignores existing permissions within an organization and does not utilize them. On the other hand, the bottom-up approach starts with existing permissions and attempts to derive roles from them, thus helping to automate role definition. In this paper, we present an unsupervised approach called RoleMiner that mines roles from existing user-permission assignments. Since a role is nothing but a set of permissions, when no semantics are available, the task of role mining is essentially that of clustering users that have same (or similar) permissions. However, unlike the traditional applications of data mining that ideally require identification of non-overlapping clusters, roles will have overlapping permission needs and thus permission sets that define roles should be allowed to overlap. It is this distinction from traditional clustering that makes the problem of role mining non-trivial. Our experiments with real and simulated data sets indicate that our role mining process is quite accurate and efficient.
Original language | English (US) |
---|---|
Article number | 1180424 |
Pages (from-to) | 144-153 |
Number of pages | 10 |
Journal | Proceedings of the ACM Conference on Computer and Communications Security |
DOIs | |
State | Published - 2006 |
Event | CCS 2006: 13th ACM Conference on Computer and Communications Security - Alexandria, VA, United States Duration: Oct 30 2006 → Nov 3 2006 |
All Science Journal Classification (ASJC) codes
- Software
- Computer Networks and Communications
Keywords
- RBAC
- Role engineering
- Role mining