
Research On Role And Constraint Discovery In Role Engineering

Posted on: 2012-06-29 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: X P Ma
GTID: 1118330335955088 | Subject: Computer application technology
Abstract/Summary:
Role-based access control (RBAC) is currently the most popular access control model and has been widely deployed in enterprise security management products. In this security model, permissions are assigned to users through roles. Assigning permissions this way often reduces the complexity of access control, because the number of users in an organization is generally much larger than the number of roles. Furthermore, RBAC can support three well-known security principles: the principle of least privilege, separation of duties, and data abstraction. Role engineering was introduced to facilitate the migration of a non-RBAC system to an RBAC system. Essentially, there are two basic approaches to role engineering: top-down and bottom-up. Under the top-down approach, roles are derived by carefully analyzing particular business functions and then assigning the needed permissions to create roles for these business functions. Under the bottom-up approach, roles are aggregated automatically from the user-permission assignments that exist before RBAC is implemented. This approach is likely to ignore the business functions of the organization, but it can generate the architectural structure of RBAC automatically. As a result, researchers have shifted their focus to the bottom-up approach, which uses the existing user-permission assignments to formulate roles.

However, the traditional role mining approach assumes that all permissions have the same importance and does not take account of their weight within the user-permission assignments. Hence, if a permission set that represents an important role is given together to only a small number of users, it may not be identified by traditional role mining techniques. To address this, this research tries to assign weights to permissions in a feasible way. We introduce the concepts of similarity between users and between permissions, and then propose a similarity matrix to represent the similarity between users and permissions. We then calculate the weight of permissions based on this similarity. We also present a new weighted role mining algorithm, WRM, to address the above problem. Finally, we generate synthetic test data to illustrate the effectiveness of the proposed techniques. The results show that the proposed approach outperforms the traditional algorithm both in speed and in generating relevant roles.

Furthermore, although many role mining approaches have been proposed recently, none of them considers how to mine constraints, so the resulting systems may fail to reflect the enterprise's security requirements. To address this, we first define a variety of constraints and then propose an anti-association rule mining algorithm to generate the mutually exclusive permissions. It can find mutually exclusive permissions while scanning the database only once, whereas the traditional association rule mining method needs to scan the database many times. Based on the experiments, the proposed approach outperforms the traditional algorithm both in speed and in generating mutually exclusive permissions.

Finally, the principle of least privilege should be enforced after the RBAC system has been constructed. First, we address the δ-approx principle of least privilege problem and the minimizing-approx principle of least privilege problem in order to account for the constraints and redundancy in RBAC systems. Furthermore, since more than one role set may satisfy a given principle of least privilege problem, we introduce the weights of permissions and role sets as the criterion for choosing among the different role sets that enforce the same principle of least privilege problem. Finally, different algorithms are designed to solve the proposed least privilege problems.

As has been proved, the proposed approach has superior performance in finding the optimal solution, improving both speed and accuracy. Hence, an RBAC system constructed with the above methods has better interpretability, more security, and more flexibility. As a result, this research can promote the development of role engineering and accelerate the use of RBAC in enterprise security management products.
Keywords/Search Tags: Role-Based Access Control, Role Engineering, Role Mining, Weight, Constraint, The Principle of Least Privilege