Migrating from DAC to RBAC

  • Emre UzunEmail author
  • David Lorenzi
  • Vijayalakshmi Atluri
  • Jaideep Vaidya
  • Shamik Sural
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9149)


Role Based Access Control (RBAC) is one of the most popular means for enforcing access control. One of the main reasons for this is that it is perceived as the least expensive configuration with respect to security administration. In this paper, we demonstrate that security administration is not always cheaper under RBAC when compared to the traditional Discretionary Access Control (DAC). If RBAC proves to be beneficial, organizations may choose to migrate from DAC to RBAC. There have been many algorithms developed to generate RBAC configurations from DAC configuration. Although these algorithms provide an RBAC configuration, the quality of the generated RBAC configuration could vary among different algorithms and DAC configurations. In this paper, we propose a decision support framework, which provides a basis for comparison among different potential RBAC derivations from DAC to determine the most desirable outcome with respect to the cost of security administration.


Administrative Cost Access Control Model Role Base Access Control Role Assignment Exclusive Role 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work is supported in part by NSF under grant number 1018414.


  1. 1.
    Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V.: Taming role mining complexity in RBAC. Comput. Secur. 29(5), 548–564 (2010)CrossRefGoogle Scholar
  2. 2.
    Colantonio, A., Di Pietro, R., Verde, N.V.: A business-driven decomposition methodology for role mining. Comput. Secur. 31(7), 844–855 (2012)CrossRefGoogle Scholar
  3. 3.
    Ene, A., Horne, W., Milosavljevic, N., Rao, P., Schreiber, R., Tarjan, R.E.: Fast exact and heuristic methods for role minimization problems. In: SACMAT, pp. 1–10 (2008)Google Scholar
  4. 4.
    Frank, M., Buhman, J.M., Basin, D.: Role mining with probabilistic models. ACM Trans. Inf. Syst. Secur. (TISSEC) 15(4), 15 (2013)CrossRefGoogle Scholar
  5. 5.
    Guo, Q., Vaidya, J., Atluri, V.: The role hierarchy mining problem: Discovery of optimal role hierarchies. In: ACSAC, pp. 237–246. IEEE (2008)Google Scholar
  6. 6.
    Huang, H., Shang, F., Liu, J., Du, H.: Handling least privilege problem and role mining in RBAC. J. Comb. Optim. 1–24 (2013). doi: 10.1007/s10878-013-9633-9
  7. 7.
    Huang, H., Shang, F., Zhang, J.: Approximation algorithms for minimizing the number of roles and administrative assignments in RBAC. In: COMPSACW, pp. 427–432. IEEE (2012)Google Scholar
  8. 8.
    Kuhlmann, M., Shohat, D., Schimpf, G.: Role mining - revealing business roles for security administration using data mining technology. In: SACMAT (2003)Google Scholar
  9. 9.
    Lu, H., Hong, Y., Yang, Y., Duan, L., Badar, N.: Towards user-oriented RBAC model. In: Wang, L., Shafiq, B. (eds.) DBSec 2013. LNCS, vol. 7964, pp. 81–96. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  10. 10.
    Lu, H., Vaidya, J., Atluri, V.: Optimal boolean matrix decomposition: application to role engineering. In: ICDE, pp. 297–306 (2008)Google Scholar
  11. 11.
    Mitra, B., Sural, S., Atluri, V., Vaidya, J.: Toward mining of temporal roles. In: Wang, L., Shafiq, B. (eds.) DBSec 2013. LNCS, vol. 7964, pp. 65–80. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  12. 12.
    Molloy, I., Chen, H., Li, T., Wang, Q., Li, N., Bertino, E., Calo, S., Lobo, J.: Mining roles with semantic meanings. In: SACMAT, pp. 21–30. ACM (2008)Google Scholar
  13. 13.
    Molloy, I., Chen, H., Li, T., Wang, Q., Li, N., Bertino, E., Calo, S., Lobo, J.: Mining roles with multiple objectives. TISSEC 13(4), 36 (2010)CrossRefGoogle Scholar
  14. 14.
    Molloy, I., Li, N., Li, T., Mao, Z., Wang, Q., Lobo, J.: Evaluating role mining algorithms. In: SACMAT (2009)Google Scholar
  15. 15.
    Schaad, A., Moffett, J., Jacob, J.: The role-based access control system of a european bank: a case study and discussion. In: SACMAT, pp. 3–9 (2001)Google Scholar
  16. 16.
    Schlegelmilch, J., Steffens, U.: Role mining with orca. In: SACMAT (2005)Google Scholar
  17. 17.
    Tassey, G., Gallaher, M.P., OConnor, A.C., Kropp, B.: The economic impact of role-based access control. Econ. Anal. (2002)Google Scholar
  18. 18.
    Uzun, E., Atluri, V., Lu, H., Vaidya, J.: An optimization model for the extended role mining problem. In: Li, Y. (ed.) DBSec. LNCS, vol. 6818, pp. 76–89. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  19. 19.
    Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: Finding a minimal descriptive set of roles. In: SACMAT, pp. 175–184 (2007)Google Scholar
  20. 20.
    Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: a formal perspective. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(3), 27 (2010)CrossRefGoogle Scholar
  21. 21.
    Vaidya, J., Atluri, V., Warner, J.: Roleminer: mining roles using subset enumeration. In: CCS, pp. 144–153 (2006)Google Scholar
  22. 22.
    Vaidya, J., Atluri, V., Warner, J., Guo, Q.: Role engineering via prioritized subset enumeration. TDSC 7(3), 300–314 (2010)Google Scholar
  23. 23.
    Verde, N.V., Vaidya, J., Atluri, V., Colantonio, A.: Role engineering: from theory to practice. In: DBSec, pp. 181–192. ACM (2012)Google Scholar
  24. 24.
    Xu, Z., Stoller, S.D.: Algorithms for mining meaningful roles. In: SACMAT, pp. 57–66. ACM (2012)Google Scholar
  25. 25.
    Zhang, D., Ramamohanarao, K., Versteeg, S., Zhang, R.: Graph based strategies to role engineering. In: CSIIRW, p. 25. ACM (2010)Google Scholar
  26. 26.
    Zhang, D., Ramamohanrao, K., Ebringer, T.: Role engineering using graph optimisation. In: SACMAT, pp. 139–144 (2007)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Emre Uzun
    • 1
    Email author
  • David Lorenzi
    • 1
  • Vijayalakshmi Atluri
    • 1
  • Jaideep Vaidya
    • 1
  • Shamik Sural
    • 2
  1. 1.MSIS DepartmentRutgers Business SchoolNewarkUSA
  2. 2.School of Information TechnologyIIT KharagpurKharagpurIndia

Personalised recommendations