Searching for just a few words should be enough to get started. If you need to make more complex queries, use the tips below to guide you.
Article type: Research Article
Authors: Vaidya, Jaideep | Atluri, Vijayalakshmi | Guo, Qi | Lu, Haibing
Affiliations: MSIS Department, Rutgers University, 180 University Ave, Newark, NJ 07102, USA. E-mails: jsvaidya@cimic.rutgers.edu, atluri@cimic.rutgers.edu, qiguo@cimic.rutgers.edu, haibing@cimic.rutgers.edu
Abstract: Because of its ease of administration, role-based access control (RBAC) has become the norm to enforcing security in most of today's organizations. For implementing RBAC, it is important to devise a complete and correct set of roles. This task, known as role engineering, has been identified as one of the costliest components in deploying RBAC. A key problem with respect to role engineering is that there is no formal metric for measuring the goodness/interestingness of the devised set of roles. Recently, Vaidya et al. [26], formally define the role mining problem (RMP) as the problem of discovering an optimal set of roles from existing user permissions, and analyze its theoretical bounds. Essentially, given a user-permission assignment (UPA), the basic RMP is to discover the user-role assignment relation (UA) and role-permission assignment relation (PA) such that the number of roles required is minimum. In this paper, we present another interesting and useful problem, called the edge-RMP, with a different minimality objective. The edge-RMP, requires the discovery of a complete and correct set of roles such that the discovered |UA|+|PA| is the minimum possible. Minimal |UA|+|PA| is a useful metric as it would minimize the administrative burden since less number of assignments need to be managed. Although the basic-RMP and the edge-RMP appear to be related problems, we demonstrate with concrete examples that they are, in fact, independent of each other. We prove that the edge-RMP is an NP-hard problem by reducing the known “vertex cover problem” to the decision version of the edge-RMP. Another important contribution of this paper is to provide a binary integer programming solution to this problem by showing that the edge-RMP can be formulated in that form. As a result, one can directly borrow existing implementation solutions for binary integer programming and guide further research in this direction. We also propose a heuristic solution for large scale problems, and experimentally validate our algorithm.
Keywords: RBAC, role engineering, role mining
DOI: 10.3233/JCS-2009-0341
Journal: Journal of Computer Security, vol. 17, no. 2, pp. 211-235, 2009
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
USA
Tel: +1 703 830 6300
Fax: +1 703 830 2300
sales@iospress.com
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
IOS Press
Nieuwe Hemweg 6B
1013 BG Amsterdam
The Netherlands
Tel: +31 20 688 3355
Fax: +31 20 687 0091
info@iospress.nl
For editorial issues, permissions, book requests, submissions and proceedings, contact the Amsterdam office info@iospress.nl
Inspirees International (China Office)
Ciyunsi Beili 207(CapitaLand), Bld 1, 7-901
100025, Beijing
China
Free service line: 400 661 8717
Fax: +86 10 8446 7947
china@iospress.cn
For editorial issues, like the status of your submitted paper or proposals, write to editorial@iospress.nl
如果您在出版方面需要帮助或有任何建, 件至: editorial@iospress.nl