Abstract
Role-based Access Control (RBAC) and Attribute-based access control (ABAC) are the most widely used access control models for mediating controlled access to resources in organizations. In RBAC, permissions are associated with roles, and users are assigned to appropriate roles. Therefore, it is imperative that a proper set of roles is necessary for the efficient deployment of RBAC. Most organizations possess a set of existing user-permission assignments which can be used to create appropriate roles. This process, known as role mining, is an important and challenging task in the deployment of RBAC in any organization. On the other hand, in ABAC, the access decisions depend on the attributes of the various entities and a set of authorization rules (policies). The efficiency of an ABAC model relies upon the strength and correctness of the authorization rules. Similar to role mining in RBAC, the process of constructing an appropriate set of ABAC authorization rules, known as policy engineering, is crucial for the implementation of ABAC. Regardless of the differences in RBAC and ABAC, the problems of role mining in RBAC and policy engineering in ABAC are quite similar and equally important for the corresponding access control models. In this chapter, we explore the role mining problem and the policy engineering problem along with their existing solution strategies and identify future directions of research in these two areas.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Agrawal, R., Srikant, R.: Fast algorithms for mining association rules in large databases. In: Proceedings of 20th International Conference on Very Large Data Bases (VLDB), pp. 487–499, September 1994
Moses, T., et al.: Extensible access control markup language (XACML) version 2.0. Oasis Standard (2005)
Aziz, B., Foley, S.N., Herbert, J., Swart, G.: Reconfiguring role based access control policies using risk semantics. J. High Speed Netw. 15(3), 261–273 (2006)
Baumgrass, A., Strembeck, M., Rinderle-Ma, S.: Deriving role engineering artifacts from business processes and scenario models. In: Proceedings of 16th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 11–20, June 2011
Bertino, E., Bonatti, P.A., Ferrari, E.: TRBAC: a temporal role-based access control model. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 191–233 (2001)
Biswas, P., Sandhu, R., Krishnan, R.: Label-based access control: an ABAC model with enumerated authorization policy. In: Conference on Data and Applications Security and Privacy, pp. 1–12 (2016)
Blundo, C., Cimato, S.: A simple role mining algorithm. In: Proceedings of 25th ACM Symposium on Applied Computing (SAC), pp. 1958–1962, March 2010
Blundo, C., Cimato, S.: Constrained role mining. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 289–304. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38004-4_19
Chen, L., Crampton, J.: Risk-aware role-based access control. In: Meadows, C., Fernandez-Gago, C. (eds.) STM 2011. LNCS, vol. 7170, pp. 140–156. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29963-6_11
Cobena, G., Abiteboul, S., Marian, A.: Detecting changes in xml documents. In: International Conference on Data Engineering (IDCE), pp. 41–52 (2002)
Colantonio, A., Pietro, R.D., Ocello, A.: A cost-driven approach to role engineering. In: Proceedings of 23rd ACM Symposium on Applied Computing (SAC), pp. 2129–2136, March 2008
Colantonio, A., Pietro, R.D., Ocello, A., Verde, N.V.: A formal framework to elicit roles with business meaning in RBAC systems. In: Proceedings of 14th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 85–94, June 2009
Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V.: Mining stable roles in RBAC. In: Gritzalis, D., Lopez, J. (eds.) SEC 2009. IAICT, vol. 297, pp. 259–269. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01244-0_23
Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V.: Mining business-relevant RBAC states through decomposition. In: Rannenberg, K., Varadharajan, V., Weber, C. (eds.) SEC 2010. IAICT, vol. 330, pp. 19–30. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15257-3_3
Colantonio, A., Pietro, R.D., Ocello, A., Verde, N.V.: Taming role mining complexity in RBAC. Comput. Secur. 29(5), 548–564 (2010). Special Issue on Challenges for Security and Privacy and Trust
Colantonio, A., Pietro, R.D., Ocello, A., Verde, N.V.: A new role mining framework to elicit business roles and to mitigate enterprise risk. Decis. Support Syst. (DSS) 50(4), 715–731 (2011)
Colantonio, A., Pietro, R.D., Verde, N.V.: A business-driven decomposition methodology for role mining. Comput. Secur. (COSE) 31(7), 844–855 (2012)
Coyne, E.J.: Role engineering. In: Proceedings of 1st ACM Workshop on Role-Based Access Control (RBAC), pp. 15–16, November 1995
Crook, R., Ince, D., Nuseibeh, B.: Towards an analytical role modelling framework for security requirements. In: Proceedings of 8th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ), pp. 9–10, September 2002
Elliott, A., Knight, S.: Start here: engineering scalable access control systems. In: Proceedings of 21st ACM on Symposium on Access Control Models and Technologies (SACMAT), pp. 113–124, June 2016
Ene, A., Horne, W., Milosavljevic, N., Rao, P., Schreiber, R., Tarjan, R.E.: Fast exact and heuristic methods for role minimization problems. In: Proceedings of 13th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 1–10, June 2008
Epstein, P., Sandhu, R.: Towards a UML based approach to role engineering. In: Proceedings of 4th ACM Workshop on Role-Based Access Control, pp. 135–143, October 1999
Fernandez, E.B., Hawkins, J.C.: Determining role rights from use cases. In: Proceedings of 2nd ACM Workshop on Role-based Access Control (RBAC), pp. 121–125, November 1997
Ferraiolo, D.F., Sandhu, R.S., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)
Frank, M., Buhmann, J.M., Basin, D.: Role mining with probabilistic models. ACM Trans. Inf. Syst. Secur. (TISSEC) 15(4), 1–28 (2013)
Frank, M., Streich, A.P., Basin, D., Buhmann, J.M.: A probabilistic approach to hybrid role mining. In: Proceedings of 16th ACM Conference on Computer and Communications Security (CCS), pp. 101–111, November 2009
Fuchs, L., Pernul, G.: HyDRo – hybrid development of roles. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 287–302. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89862-7_24
Gautam, M., Jha, S., Sural, S., Vaidya, J., Atluri, V.: Constrained policy mining in attribute based access control. In: ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 121–123 (2017)
Guo, Q., Vaidya, J., Atluri, V.: The role hierarchy mining problem: discovery of optimal role hierarchies. In: Proceedings of 24th Annual Computer Security Applications Conference (ACSAC), pp. 237–246, December 2008
Hamming, R.: Error detecting and error correcting codes. Bell Syst. Tech. J. 26(2), 14–160 (1950)
Harika, P., Nagajyothi, M., John, J.C., Sural, S., Vaidya, J., Atluri, V.: Meeting cardinality constraints in role mining. IEEE Trans. Dependable Secur. Comput. (TDSC) 12(1), 71–84 (2015)
Hingankar, M., Sural, S.: Towards role mining with restricted user-role assignment. In: Proceedings of 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace Electronic Systems Technology (Wireless VITAE), pp. 1–5, February 2011
Hu, J., Khan, K.M., Bai, Y., Zhang, Y.: Constraint-enhanced role engineering via answer set programming. In: Proceedings of 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 73–74, May 2012
Hu, V.C., et al.: Guide to Attribute-Based Access Control (ABAC) definition and considerations. Technical report, NIST Special Publication 800-162, January 2014. http://nvlpubs.nist.gov/nistpubs/-specialpublications/NIST.sp.800-162.pdf
Hu, V.C., et al.: Guide to attribute based access control (ABAC) definition and considerations. National Institute of Standards and Technology Special Publication (2014)
Hu, V.C., Kuhn, D.R., Ferraiolo, D.F.: Attribute-based access control. Computer (IEEE) 48(2), 85–88 (2015)
Huang, C., Sun, J., Wang, X., Si, Y., Wu, D.: Preprocessing the noise in legacy user permission assignment data for role mining - an industrial practice. In: Proceedings of 25th IEEE International Conference on Software Maintenance (ICSM), pp. 403–406, September 2009
Huang, H., Shang, F., Liu, J., Du, H.: Handling least privilege problem and role mining in RBAC. J. Comb. Optim. 30(1), 63–86 (2015)
Huang, H., Shang, F., Zhang, J.: Approximation algorithms for minimizing the number of roles and administrative assignments in RBAC. In: Proceedings of 36th Annual IEEE Computer Software and Applications Conference Workshops (COMPSAC), pp. 427–432, July 2012
Jafarian, J.H., Takabi, H., Touati, H., Hesamifard, E., Shehab, M.: Towards a general framework for optimal role mining: a constraint satisfaction approach. In: Proceedings of 20th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 211–220, June 2015
Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31540-4_4
John, J.C., Sural, S., Atluri, V., Vaidya, J.S.: Role mining under role-usage cardinality constraint. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IAICT, vol. 376, pp. 150–161. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30436-1_13
Kern, A., Kuhlmann, M., Schaad, A., Moffett, J.: Observations on the role life-cycle in the context of enterprise security management. In: Proceedings of 7th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 43–51, June 2002
Krautsevich, L., Lazouski, A., Martinelli, F., Yautsiukhin, A.: Towards policy engineering for attribute-based access control. In: Bloem, R., Lipp, P. (eds.) INTRUST 2013. LNCS, vol. 8292, pp. 85–102. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-03491-1_6
Kuhlmann, M., Shohat, D., Schimpf, G.: Role mining - revealing business roles for security administration using data mining technology. In: Proceedings of 8th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 179–186, June 2003
Kumar, R., Sural, S., Gupta, A.: Mining RBAC roles under cardinality constraint. In: Proceedings of 6th International Conference on Information Systems Security (ICISS), pp. 171–185, December 2010
Krautsevich, L., Lazouski, A., Martinelli, F., Yautsiukhin, A.: Towards attribute-based access control policy engineering using risk. In: Bauer, T., Großmann, J., Seehusen, F., Stølen, K., Wendland, M.-F. (eds.) RISK 2013. LNCS, vol. 8418, pp. 80–90. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07076-6_6
Lin, D., Rao, P., Bertino, E., Lobo, J.: An approach to evaluate policy similarity. In: ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 1–10 (2007)
Lin, D., Rao, P., Ferrini, P., Bertino, E., Lobo, J.: A similarity measure for comparing XACML policies. IEEE Trans. Knowl. Data Eng. 25, 1946–1959 (2013)
Lu, H., Hong, Y., Yang, Y., Duan, L., Badar, N.: Towards user-oriented RBAC model. In: Proceedings of 27th International Conference on Data and Applications Security and Privacy (DBSec), pp. 81–96, July 2013
Lu, H., Hong, Y., Yang, Y., Duan, L., Badar, N.: Towards user-oriented RBAC model. J. Comput. Secur. (JCS) 23(1), 107–129 (2015)
Lu, H., Vaidya, J., Atluri, V.: Optimal Boolean matrix decomposition: application to role engineering. In: Proceedings of 24th IEEE International Conference on Data Engineering (ICDE), pp. 297–306, April 2008
Lu, H., Vaidya, J., Atluri, V.: An optimization framework for role mining. J. Comput. Secur. (JCS) 22(1), 1–31 (2014)
Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Commun. ACM 19, 461–471 (1976)
Ma, X., Li, R., Lu, Z.: Role mining based on weights. In: Proceedings of 15th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 65–74, June 2010
Miettinen, P., Mielikäinen, T., Gionis, A., Das, G., Mannila, H.: The discrete basis problem. In: Fürnkranz, J., Scheffer, T., Spiliopoulou, M. (eds.) PKDD 2006. LNCS (LNAI), vol. 4213, pp. 335–346. Springer, Heidelberg (2006). https://doi.org/10.1007/11871637_33
Mitra, B., Sural, S., Atluri, V., Vaidya, J.: Toward mining of temporal roles. In: Wang, L., Shafiq, B. (eds.) DBSec 2013. LNCS, vol. 7964, pp. 65–80. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39256-6_5
Mitra, B., Sural, S., Atluri, V., Vaidya, J.: The generalized temporal role mining problem. J. Comput. Secur. 23(1), 31–58 (2015)
Mitra, B., Sural, S., Vaidya, J., Atluri, V.: Mining temporal roles using many-valued concepts. Comput. Secur. 60, 79–94 (2016)
Mitra, B., Sural, S., Vaidya, J., Atluri, V.: Migrating from RBAC to temporal RBAC. IET Inf. Secur. 11, 294–300 (2017)
Mocanu, D.C., Turkmen, F., Liotta, A.: Towards ABAC policy mining from logs with deep learning. In: International Multiconference (2015)
Molloy, I., et al.: Mining roles with semantic meanings. In: Proceedings of 13th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 21–30, June 2008
Molloy, I., et al.: Mining roles with multiple objectives. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(4), 36:1–36:35 (2010)
Molloy, I., Li, N., Qi, Y.A., Lobo, J., Dickens, L.: Mining roles with noisy data. In: Proceedings of 15th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 45–54, June 2010
Molloy, I., Park, Y., Chari, S.: Generative models for access control policies: applications to role mining over logs with attribution. In: Proceedings of 17th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 45–56, June 2012
Narouei, M., Khanpour, H., Takabi, H., Parde, N., Nielsen, R.: Towards a top-down policy engineering framework for attribute-based access control. In: ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 103–114 (2017)
Narouei, M., Takabi, H.: Towards an automatic top-down role engineering approach using natural language processing techniques. In: Proceedings of 20th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 157–160, June 2015
Neumann, G., Strembeck, M.: A scenario-driven role engineering process for functional RBAC roles. In: Proceedings of 7th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 33–42, June 2002
O’Connor, A.C., Loomis, R.J.: 2010 economic analysis of Role-Based Access Control. RTI International report for NIST (2010)
Roeckle, H., Schimpf, G., Weidinger, R.: Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization. In: Proceedings of 5th ACM Workshop on Role-Based Access Control (RBAC), pp. 103–110, July 2000
Saenko, I., Kotenko, I.: Genetic algorithms for role mining problem. In: Proceedings of 19th International Euromicro Conference on Parallel, Distributed and Network-Based Processing (PDP), pp. 646–650, February 2011
Saenko, I., Kotenko, I.: Design and performance evaluation of improved genetic algorithm for role mining problem. In: Proceedings of 20th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), pp. 269–274, February 2012
Sandhu, R.S.: Lattice-based access control models. Computer 26(11), 9–19 (1993)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Comput. 29(2), 38–47 (1996)
Sarana, P., Roy, A., Sural, S., Vaidya, J., Atluri, V.: Role mining in the presence of separation of duty constraints. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2015. LNCS, vol. 9478, pp. 98–117. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26961-0_7
Shin, D., Ahn, G., Cho, S., Jin, S.: On modeling system-centric information for role engineering. In: Proceedings of 8th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 169–178, June 2003
Smolensky, P.: Information processing in dynamical systems: foundations of harmony theory. In: Parallel Distributed Processing, pp. 194–281 (1987)
Strembeck, M.: Scenario-driven role engineering. IEEE Secur. Priv. 8(1), 28–35 (2010)
Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: finding a minimal descriptive set of roles. In: Proceedings of 12th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 175–184, June 2007
Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: a formal perspective. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(3), 27:1–27:31 (2010)
Vaidya, J., Atluri, V., Guo, Q., Lu, H.: Edge-RMP: minimizing administrative assignments for role-based access control. J. Comput. Secur. (JCS) 17(2), 211–235 (2009)
Vaidya, J., Atluri, V., Warner, J.: Role miner: mining roles using subset enumeration. In: Proceedings of 13th ACM Conference on Computer and Communications Security (CCS), pp. 144–153, October 2006
Vaidya, J., Atluri, V., Warner, J., Guo, Q.: Role engineering via prioritized subset enumeration. IEEE Trans. Dependable Secur. Comput. (TDSC) 7(3), 300–314 (2010)
Vaidya, J., Shafiq, B., Atluri, V., Lorenzi, D.: A framework for policy similarity evaluation and migration based on change detection. Network and System Security. LNCS, vol. 9408, pp. 191–205. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25645-0_13
Verde, N.V., Vaidya, J., Atluri, V., Colantonio, A.: Role engineering: from theory to practice. In: Proceedings of 2nd ACM Conference on Data and Application Security and Privacy (CODASPY), pp. 181–191, February 2012
Xu, Z., Stoller, S.D.: Algorithms for mining meaningful roles. In: Proceedings of 17th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 57–66, June 2012
Xu, Z., Stoller, S.: Mining attribute-based access control policies from logs. Computing Research Repository - arXiv (2014)
Xu, Z., Stoller, S.: Mining attribute-based access control policies. IEEE Trans. Dependable Secur. Comput. (TDSC) 12, 533–545 (2015)
Zhang, D., Ramamohanarao, K., Ebringer, T.: Role engineering using graph optimisation. In: Proceedings of 14th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 139–144, June 2007
Zhang, D., Ramamohanarao, K., Ebringer, T.: Permission set mining: discovering practical and useful roles. In: Proceedings of 24th Annual Computer Security Applications Conference (ACSAC), pp. 247–256, December 2008
Zhang, W., Chen, Y., Gunter, C., Liebovitz, D., Malin, B.: Evolving role definitions through permission invocation patterns. In: Proceedings of 18th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 37–48, June 2013
Acknowledgements
Research reported in this publication was supported by the National Institutes of Health under award R01GM118574. The work is also supported in part by the National Science Foundation under grant CNS-1624503. The content is solely the responsibility of the authors and does not necessarily represent the official views of the agencies funding the research.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Das, S., Mitra, B., Atluri, V., Vaidya, J., Sural, S. (2018). Policy Engineering in RBAC and ABAC. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science(), vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-04834-1_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-04833-4
Online ISBN: 978-3-030-04834-1
eBook Packages: Computer ScienceComputer Science (R0)