ABSTRACT
We describe several new bottom-up approaches to problems in role engineering for Role-Based Access Control (RBAC). The salient problems are all NP-complete, even to approximate, yet we find that in instances that arise in practice these problems can be solved in minutes. We first consider role minimization, the process of finding a smallest collection of roles that can be used to implement a pre-existing user-to-permission relation. We introduce fast graph reductions that allow recovery of the solution from the solution to a problem on a smaller input graph. For our test cases, these reductions either solve the problem, or reduce the problem enough that we find the optimum solution with a (worst-case) exponential method. We introduce lower bounds that are sharp for seven of nine test cases and are within 3.4% on the other two. We introduce and test a new polynomial-time approximation that on average yields 2% more roles than the optimum. We next consider the related problem of minimizing the number of connections between roles and users or permissions, and we develop effective heuristic methods for this problem as well. Finally, we propose methods for several related problems.
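The role minimization problem described above, as an added example that is not from the paper: a user-to-permission relation is covered with roles, each role being a set of users times a set of permissions, and the result is checked for exactly reproducing the relation. The greedy covering rule and the sample relation are my own illustrative choices, not one of the paper's reductions or heuristics.

```python
# Added example (not from the paper): represent a user-to-permission relation
# as a bipartite graph, cover it with roles using a simple greedy heuristic,
# and verify that the mined roles implement the relation exactly.

# Constructed sample relation: user -> set of permissions held
USER_PERMS = {
    "alice": {"read", "write", "deploy"},
    "bob":   {"read", "write"},
    "carol": {"read", "write", "deploy"},
    "dave":  {"read", "audit"},
    "erin":  {"read", "audit"},
}

def mine_roles(user_perms):
    """Greedy biclique cover (illustrative, not the paper's method): take the
    user with the most uncovered permissions, make a role of exactly those
    permissions, assign it to every user that already holds all of them, and
    mark those user-permission edges covered. Returns (users, perms) roles."""
    uncovered = {u: set(p) for u, p in user_perms.items()}
    roles = []
    while any(uncovered.values()):
        seed = max(uncovered, key=lambda u: len(uncovered[u]))
        perms = frozenset(uncovered[seed])
        # Only users who hold *all* of these permissions may share the role;
        # otherwise the role would grant a permission the relation never did.
        users = frozenset(u for u, p in user_perms.items() if perms <= p)
        roles.append((users, perms))
        for u in users:
            uncovered[u] -= perms
    return roles

def implements(roles, user_perms):
    """True iff the roles grant exactly the original relation: nothing is
    missing (users keep their access) and nothing is added (least privilege)."""
    granted = {u: set() for u in user_perms}
    for users, perms in roles:
        for u in users:
            granted[u] |= perms
    return granted == {u: set(p) for u, p in user_perms.items()}

def edge_count(roles):
    """Number of user-role plus role-permission assignments, the quantity the
    paper's second problem (minimizing connections) tries to reduce."""
    return sum(len(users) + len(perms) for users, perms in roles)
```

On this constructed relation the heuristic finds three roles (no two-role cover exists, since bob can join neither a deploy role nor an audit role without gaining access he never had) but uses 14 assignments against 12 direct user-permission pairs, which is exactly the role-count versus connection-count trade-off the abstract distinguishes.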