Abstract
Role-based access control (RBAC) is widely accepted as a best practice for limiting system access to authorized users only. To realize its full benefit, the role definition process must be driven by business requirements. Role mining is an essential tool for role engineers, but most existing techniques cannot elicit roles with a clear associated business meaning. To address this, we propose a methodology in which the dataset is decomposed into smaller subsets that are homogeneous from a business perspective. We introduce the entrustability index, which quantifies, for a given partition, the expected uncertainty in locating homogeneous sets of users and permissions that can be managed with the same role. By choosing the decomposition with the highest entrustability value, we are therefore most likely to identify roles with a clear business meaning. The proposed methodology is rooted in information theory, and experiments on real enterprise data support its effectiveness.
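The abstract does not give the definition of the entrustability index, so the following is an added illustration of the decomposition idea rather than the paper's own measure: a constructed user-permission assignment with two business attributes (department and location), each candidate partition of the users scored by the size-weighted mean binary entropy of "does a user in this subset hold permission p", and the score inverted so that, as in the abstract, the highest value marks the decomposition in which subsets are most homogeneous. The data, the attribute names and the scoring function are all assumptions made for the example; none of it comes from the paper.

```python
"""Added example: entropy-based comparison of candidate decompositions of a
user-permission assignment.  The scoring function is an illustrative stand-in,
NOT the entrustability index defined in the paper."""
import math
from collections import defaultdict

# Constructed sample data (not from the paper): business attributes per user.
USER_ATTRS = {
    "alice": {"dept": "finance", "loc": "rome"},
    "bob":   {"dept": "finance", "loc": "milan"},
    "carol": {"dept": "finance", "loc": "rome"},
    "dave":  {"dept": "finance", "loc": "milan"},
    "erin":  {"dept": "eng",     "loc": "rome"},
    "frank": {"dept": "eng",     "loc": "milan"},
    "grace": {"dept": "eng",     "loc": "rome"},
    "heidi": {"dept": "eng",     "loc": "milan"},
}

# Constructed user-permission assignment (the UP relation of an RBAC state).
USER_PERMS = {
    "alice": {"ledger_read", "ledger_write", "erp_login"},
    "bob":   {"ledger_read", "ledger_write", "erp_login"},
    "carol": {"ledger_read", "erp_login"},
    "dave":  {"ledger_read", "erp_login"},
    "erin":  {"repo_read", "repo_write", "ci_trigger"},
    "frank": {"repo_read", "repo_write", "ci_trigger"},
    "grace": {"repo_read", "ci_trigger"},
    "heidi": {"repo_read", "ci_trigger"},
}


def binary_entropy(p):
    """H(p) in bits; defined as 0 at the endpoints to avoid log(0)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))


def partition_by(attr):
    """Group users by the value of one business attribute (None -> one subset)."""
    if attr is None:
        return {"all": sorted(USER_ATTRS)}
    groups = defaultdict(list)
    for user, attrs in USER_ATTRS.items():
        groups[attrs.get(attr, "<missing>")].append(user)
    return dict(groups)


def subset_uncertainty(users, perms):
    """Mean, over all permissions, of the entropy of 'a user in this subset
    holds p'.  0 means every user in the subset has exactly the same
    permissions, i.e. one role covers them; 1 means maximal disagreement."""
    n = len(users)
    total = 0.0
    for perm in perms:
        holders = sum(1 for u in users if perm in USER_PERMS[u])
        total += binary_entropy(holders / n)
    return total / len(perms)


def expected_uncertainty(groups, perms):
    """Size-weighted expectation of subset_uncertainty over the partition."""
    n_total = sum(len(us) for us in groups.values())
    return sum(len(us) / n_total * subset_uncertainty(us, perms)
               for us in groups.values())


def decomposition_score(groups, perms):
    """Illustrative score (assumption, not the paper's index): higher is
    better, so 1 - expected uncertainty mirrors 'choose the highest value'."""
    return 1.0 - expected_uncertainty(groups, perms)


def rank_decompositions(attrs):
    """Score the trivial decomposition plus one partition per attribute.
    Returns {name: score}; 'none' is the undivided dataset."""
    perms = sorted({p for ps in USER_PERMS.values() for p in ps})
    scores = {"none": decomposition_score(partition_by(None), perms)}
    for attr in attrs:
        scores[attr] = decomposition_score(partition_by(attr), perms)
    return scores


def best_decomposition(attrs):
    scores = rank_decompositions(attrs)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    for name, score in sorted(rank_decompositions(["dept", "loc"]).items(),
                              key=lambda kv: -kv[1]):
        print(f"{name:>5}: {score:.4f}")
    print("best:", best_decomposition(["dept", "loc"]))
```

In this data, splitting by department puts users with near-identical permission sets together (only `ledger_write` / `repo_write` vary within a subset), so it scores well above both the undivided dataset and the split by location, which mixes finance and engineering users in every subset and therefore gains nothing over no decomposition at all.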
© 2010 IFIP International Federation for Information Processing
Cite this paper
Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V. (2010). Mining Business-Relevant RBAC States through Decomposition. In: Rannenberg, K., Varadharajan, V., Weber, C. (eds) Security and Privacy – Silver Linings in the Cloud. SEC 2010. IFIP Advances in Information and Communication Technology, vol 330. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15257-3_3
DOI: https://doi.org/10.1007/978-3-642-15257-3_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15256-6
Online ISBN: 978-3-642-15257-3