Role mining under User-Distribution cardinality constraint / C. Blundo, S. Cimato. - In: JOURNAL OF INFORMATION SECURITY AND APPLICATIONS. - ISSN 2214-2126. - 78:(2023), pp. 103611.1-103611.13. [10.1016/j.jisa.2023.103611]

Role mining under User-Distribution cardinality constraint

S. Cimato
Co-first author
2023

Abstract

Role-based access control (RBAC) defines the methods complex organizations use to assign their users permissions for accessing restricted resources. RBAC assigns users to roles, where roles determine the resources each user can access. The definition of roles, especially when there is a large number of users and many resources to handle, can be a very difficult and time-consuming task. The class of tools and methodologies that elicit roles starting from existing user-permission assignments is referred to as role mining. Sometimes, to let the RBAC model be directly deployable in organizations, role mining can also take into account various constraints, like cardinality and separation of duty. Typically, these constraints are enforced to ease roles' management, and their use is justified as role administration becomes convenient. In this paper, we focus on the User-Distribution cardinality constraint, which places a restriction on the number of users that can be assigned to a given role. In this scenario, we present a simple heuristic that improves over the state of the art. Furthermore, to address a more realistic situation, we provide the User-Distribution model with the additional constraint that avoids the generation of roles sharing an identical set of permissions. Similarly, within this context, we describe a heuristic enabling the computation of a solution in the new model. Additionally, we assess both heuristics' performances using real-world datasets.
Access control; Constrained role mining; Heuristics; RBAC
Sector INF/01 - Computer Science
SEcurity and RIghts in the CyberSpace (SERICS)
SERICS
MINISTERO DELL'UNIVERSITA' E DELLA RICERCA
Identifier code PE00000014
2023
http://dx.doi.org/10.1016/j.jisa.2023.103611
Article (author)
Files in this item:

JISA_udcc_main.pdf
Access: open access
Description: Article
Type: Pre-print (manuscript submitted to the publisher)
Size: 470.9 kB
Format: Adobe PDF

1-s2.0-S2214212623001953-main.pdf
Access: restricted access
Description: Article
Type: Publisher's version/PDF
Size: 1.25 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/2434/1010348