Heuristics for constrained role mining in the post-processing framework

  • Original Research
  • Journal of Ambient Intelligence and Humanized Computing

Abstract

Role mining techniques are frequently used to derive a set of roles that represents the current organization of a company under the RBAC model, simplifying the definition and implementation of security policies. Constraints can be placed on the resulting roles so that they are valid and can be managed efficiently, for example by limiting the number of permissions included in a role or the number of users a role can be assigned to. Since the associated problems are NP-hard, several heuristics have been developed to find sub-optimal solutions, adopting either the concurrent or the post-processing approach. In the first case, the assignment matrices are computed so that they satisfy the given constraints throughout the computation; in the second case, intermediate solutions are obtained without considering the constraints, which are enforced afterwards. In this paper we present two heuristics for the Permission Usage and Role Usage Cardinality Constraints in the post-processing approach: the first constraint limits the number of permissions that can be included in a role, and the second limits the number of roles that can include a permission. Both heuristics refine the roles produced by some other technique that does not consider any constraint. For both heuristics we analyze their performance on some standard datasets, showing improved results with respect to state-of-the-art solutions.
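The post-processing idea in the abstract, as an added illustration: this is not the authors' code and not either of the paper's heuristics, only a naive baseline that splits oversized roles and then checks both constraints. The function names, the `UA`/`PA` dictionaries and the sample data are assumptions constructed for this example.

```python
from collections import Counter

def effective_permissions(ua, pa):
    """User -> set of permissions granted through the user's roles."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}

def max_permissions_per_role(pa):
    """Largest role size: what the first constraint in the abstract bounds."""
    return max((len(perms) for perms in pa.values()), default=0)

def max_roles_per_permission(pa):
    """Most roles sharing one permission: what the second constraint bounds."""
    usage = Counter(p for perms in pa.values() for p in perms)
    return max(usage.values(), default=0)

def split_oversized_roles(ua, pa, t):
    """Naive post-processing: cut every role into chunks of at most t permissions."""
    if t < 1:
        raise ValueError("t must be at least 1")
    names = {}     # frozenset of permissions -> new role name (equal chunks are shared)
    replaces = {}  # original role -> names of the roles that replace it
    for role in sorted(pa):
        perms = sorted(pa[role])
        chunks = [frozenset(perms[i:i + t]) for i in range(0, len(perms), t)]
        replaces[role] = {names.setdefault(c, f"s{len(names) + 1}") for c in chunks}
    new_pa = {name: set(chunk) for chunk, name in names.items()}
    new_ua = {u: set().union(*(replaces[r] for r in roles)) for u, roles in ua.items()}
    return new_ua, new_pa

# Constructed sample: roles as an unconstrained role miner might return them.
UA = {"alice": {"r1"}, "bob": {"r1", "r2"}, "carol": {"r2"}}
PA = {"r1": {"p1", "p2", "p3", "p4", "p5"}, "r2": {"p5", "p6"}}

if __name__ == "__main__":
    new_ua, new_pa = split_oversized_roles(UA, PA, t=2)
    print("roles:", len(PA), "->", len(new_pa))
    print("max permissions per role:", max_permissions_per_role(new_pa))
    print("max roles per permission:", max_roles_per_permission(new_pa))
    print("access unchanged:",
          effective_permissions(new_ua, new_pa) == effective_permissions(UA, PA))
```

Splitting keeps every user's effective permissions intact but raises the number of roles and the number of roles per user, which is the cost a post-processing heuristic tries to keep small.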

Availability of data and material

All the referenced articles are from reputed publishers. In this paper we used publicly available datasets from HP Labs (Ene et al. 2008). The datasets analysed during the current study are available in the GitHub repository https://github.com/RoleMining/ConstrainedRM.

References

  • Blundo C, Cimato S (2010) A simple role mining algorithm. In Proceedings of the 2010 ACM Symposium on Applied Computing (SAC), pages 1958–1962, Sierre, Switzerland. ACM, New York

  • Blundo C, Cimato S (2012) Constrained role mining. In Security and Trust Management - 8th International Workshop, STM 2012, Revised Selected Papers, volume 7783 of Lecture Notes in Computer Science, pages 289–304, Pisa, Italy. Springer

  • Blundo C, Cimato S, Siniscalchi L (2017) PRUCC-RM: permission-role-usage cardinality constrained role mining. In 41st IEEE Annual Computer Software and Applications Conference, COMPSAC 2017, pages 149–154, Volume 2, Turin, Italy. IEEE Computer Society

  • Blundo C, Cimato S, Siniscalchi L (2018) Postprocessing in constrained role mining. In Intelligent Data Engineering and Automated Learning - IDEAL 2018 - 19th International Conference, Proceedings, Part I, pages 204–214, Madrid, Spain

  • Blundo C, Cimato S, Siniscalchi L (2020) Managing constraints in role based access control. IEEE Access 8:140497–140511

  • Blundo C, Cimato S, Siniscalchi L (2021a) Python code and datasets. https://github.com/RoleMining/ConstrainedRM. Accessed: May 11th, 2021

  • Blundo C, Cimato S, Siniscalchi L (2021b) Role Mining Heuristics for Permission-Role-Usage Cardinality Constraints. The Computer Journal

  • Blundo C, Cimato S, Siniscalchi L (2021c) Supplemental material for: Heuristics for constrained role mining in the post-processing framework. https://github.com/RoleMining/ConstrainedRM. Accessed: May 6th, 2021

  • Chen L, Crampton J (2009) Set covering problems in role-based access control. In Computer Security - ESORICS 2009, 14th European Symposium on Research in Computer Security, 2009. Proceedings, volume 5789 of Lecture Notes in Computer Science, pages 689–704, Saint-Malo, France. Springer

  • Ene A, Horne WG, Milosavljevic N, Rao P, Schreiber R, Tarjan RE (2008) Fast exact and heuristic methods for role minimization problems. In 13th ACM Symposium on Access Control Models and Technologies, SACMAT 2008, Proceedings, pages 1–10, Estes Park, CO, USA. ACM

  • Ferraiolo DF, Sandhu RS, Gavrila SI, Kuhn DR, Chandramouli R (2001) Proposed NIST standard for role-based access control. ACM Trans Inf Syst Secur 4(3):224–274

  • Frank M, Basin DA, Buhmann JM (2008) A class of probabilistic models for role engineering. In ACM Conference on Computer and Communications Security, pages 299–310. ACM

  • Garey MR, Johnson DS (1979) Computers and Intractability: A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, New York

  • Harika P, Nagajyothi M, John JC, Sural S, Vaidya J, Atluri V (2015) Meeting cardinality constraints in role mining. IEEE Trans. Dependable Sec. Comput. 12(1):71–84

  • Hingankar M, Sural S (2011) Towards role mining with restricted user-role assignment. In Wireless Communication, Vehicular Technology, Information Theory and Aerospace Electronic Systems Technology (Wireless VITAE), 2011 2nd International Conference on, pages 1–5, Chennai, India. IEEE

  • John JC, Sural S, Atluri V, Vaidya J (2012) Role mining under role-usage cardinality constraint. In Information Security and Privacy Research - 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012. Proceedings, volume 376 of IFIP Advances in Information and Communication Technology, pages 150–161, Heraklion, Crete, Greece. Springer

  • Kumar R, Sural S, Gupta A (2010) Mining RBAC roles under cardinality constraint. In Information Systems Security - 6th International Conference, ICISS 2010. Proceedings, volume 6503 of Lecture Notes in Computer Science, pages 171–185, Gandhinagar, India, December. Springer

  • Li N, Molloy I, Wang Q, Bertino E, Calo S, Lobo J (2007) Role mining for engineering and optimizing role based access control systems. Technical report, Purdue University

  • Lu H, Hong Y, Yang Y, Duan L, Badar N (2013) Towards user-oriented RBAC model. In Data and Applications Security and Privacy XXVII - 27th Annual IFIP WG 11.3 Conference, DBSec 2013. Proceedings, volume 7964 of Lecture Notes in Computer Science, pages 81–96, Newark, NJ, USA. Springer

  • Lu H, Hong Y, Yang Y, Duan L, Badar N (2015) Towards user-oriented RBAC model. J Comput Secur 23(1):107–129

  • Lu H, Vaidya J, Atluri V (2008) Optimal boolean matrix decomposition: Application to role engineering. In Proceedings of the 24th International Conference on Data Engineering, ICDE 2008., pages 297–306, Cancún, Mexico. IEEE Computer Society

  • Ma X, Li R, Wang H, Li H (2015) Role mining based on permission cardinality constraint and user cardinality constraint. Secur Commun Netw 8(13):2317–2328

  • Mitra B, Sural S, Vaidya J, Atluri V (2016) A survey of role mining. ACM Comput Surv 48(4):1–37

  • Molloy I, Chen H, Li T, Wang Q, Li N, Bertino E, Calo SB, Lobo J (2008) Mining roles with semantic meanings. In 13th ACM Symposium on Access Control Models and Technologies, SACMAT, 2008, Proceedings, pages 21–30, Estes Park, CO, USA. ACM

  • Molloy I, Chen H, Li T, Wang Q, Li N, Bertino E, Calo SB, Lobo J (2010) Mining roles with multiple objectives. ACM Trans. Inf. Syst. Secur., 13(4):36:1–36:35

  • Molloy I, Li N, Li T, Mao Z, Wang Q, Lobo J (2009) Evaluating role mining algorithms. In 14th ACM Symposium on Access Control Models and Technologies, SACMAT 2009, Proceedings, pages 95–104, Stresa, Italy. ACM

  • Saenko I, Kotenko IV (2011) Genetic algorithms for role mining problem. In Proceedings of the 19th International Euromicro Conference on Parallel, Distributed and Network-based Processing, PDP 2011, pages 646–650, Ayia Napa, Cyprus. IEEE Computer Society

  • Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1996) Role-based access control models. Computer 29(2):38–47

  • Sandhu RS, Ferraiolo DF, Kuhn DR (2000) The NIST model for role-based access control: towards a unified standard. In Fifth ACM Workshop on Role-Based Access Control, RBAC 2000, pages 47–63, Berlin, Germany. ACM

  • Vaidya J, Atluri V, Guo Q (2007) The role mining problem: finding a minimal descriptive set of roles. In 12th ACM Symposium on Access Control Models and Technologies, SACMAT 2007, Proceedings, pages 175–184, Sophia Antipolis, France. ACM

  • Vaidya J, Atluri V, Guo Q (2010a) The role mining problem: A formal perspective. ACM Trans. Inf. Syst. Secur., 13(3)

  • Vaidya J, Atluri V, Warner J (2006) Roleminer: mining roles using subset enumeration. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pages 144–153, Alexandria, VA, USA. ACM

  • Vaidya J, Atluri V, Warner J, Guo Q (2010) Role engineering via prioritized subset enumeration. IEEE Trans. Dependable Sec. Comput. 7(3):300–314

  • Young NE (2016) Greedy Set-Cover Algorithms. In: Kao M-Y (ed) Encyclopedia of Algorithms. Springer, pp 886–889

  • Zhang D, Ramamohanarao K, Ebringer T (2007) Role engineering using graph optimisation. In SACMAT ’07: Proceedings of the 12th ACM symposium on Access control models and technologies, pages 139–144, Sophia Antipolis France. ACM

Funding

Not Applicable

Author information

Contributions

All authors contributed to the research, to the analysis of the results, and to the writing of the manuscript.

Corresponding author

Correspondence to Carlo Blundo.

Ethics declarations

Conflicts of interest/Competing interests:

The authors declare that they have no conflict of interest and no competing interests.

Code availability

Heuristics have been implemented in Python 3.9 and are available on GitHub at https://github.com/RoleMining/ConstrainedRM.

Ethics approval:

Not Applicable

Consent to participate:

Not Applicable

Consent for publication:

Not Applicable

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Blundo, C., Cimato, S. & Siniscalchi, L. Heuristics for constrained role mining in the post-processing framework. J Ambient Intell Human Comput 14, 9925–9937 (2023). https://doi.org/10.1007/s12652-021-03648-1

  • DOI: https://doi.org/10.1007/s12652-021-03648-1
