Delta Analysis of Role-Based Access Control Models
Role-based Access Control (RBAC) is de facto standard for access control in Process-aware Information Systems (PAIS); it grants authorization to users based on roles (i.e. sets of permissions). So far, research has centered on the design and run time aspects of RBAC. An evaluation and verification of a RBAC system (e.g., to evaluate ex post which users acting in which roles were authorized to execute permissions) is still missing. In this paper, we propose delta analysis of RBAC models which compares a prescriptive RBAC model (i.e. how users are expected to work) with a RBAC model (i.e. how users have actually worked) derived from event logs. To do that, we transform RBAC models to graphs and analyze them for structural similarities and differences. Differences can indicate security violations such as unauthorized access. For future work, we plan to investigate semantic differences between RBAC models.
KeywordsAccess Control Delta Analysis Organizational Mining RBAC Security
Unable to display preview. Download preview PDF.
- 1.van der Aalst, W.M.P.: Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer (2011)Google Scholar
- 3.Accorsi, R., Stocker, T.: On the exploitation of process mining for security audits: the conformance checking case. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing, SAC 2012, pp. 1709–1716. ACM, New York (2012)Google Scholar
- 4.Atluri, V., Warner, J.: Security for workflow systems. In: Handbook of Database Security, pp. 213–230 (2008)Google Scholar
- 5.Baumgrass, A., Strembeck, M.: An approach to bridge the gap between role mining and role engineering via migration guides. In: 2012 Seventh International Conference on Availability, Reliability and Security (ARES), pp. 113–122. IEEE (2012)Google Scholar
- 14.Leitner, M.: Security policies in adaptive process-aware information systems: Existing approaches and challenges. In: 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 686–691. IEEE (2011)Google Scholar
- 15.Leitner, M., Baumgrass, A., Schefer-Wenzl, S., Rinderle-Ma, S., Strembeck, M.: A case study on the suitability of process mining to produce current-state RBAC models. In: La Rosa, M., Soffer, P. (eds.) BPM 2012 Workshops. LNBIP, vol. 132, pp. 719–724. Springer, Heidelberg (2013)CrossRefGoogle Scholar
- 16.Leitner, M., Mangler, J., Rinderle-Ma, S.: SPRINT-Responsibilities: design and development of security policies in process-aware information systems. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) 2(4), 4–26 (2011)Google Scholar
- 17.Leitner, M., Rinderle-Ma, S., Mangler, J.: AW-RBAC: access control in adaptive workflow systems. In: 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 27–34. IEEE (2011)Google Scholar
- 20.Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: finding a minimal descriptive set of roles. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, SACMAT 2007, pp. 175–184. ACM, New York (2007)Google Scholar
- 23.Weske, M.: Business Process Management: Concepts, Languages, Architectures. Springer (2007)Google Scholar
- 24.Zhang, D., Ramamohanarao, K., Ebringer, T.: Role engineering using graph optimisation. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, SACMAT 2007, pp. 139–144. ACM, New York (2007)Google Scholar