Role Hierarchy Mining For Role Based Access Control

Posted on: 2014-06-24
Degree: Master
Type: Thesis
Country: China
Candidate: Q Q Wei
GTID: 2298330422990406
Subject: Computer Science and Technology

Abstract/Summary:
Role Based Access Control (RBAC), which is widely used, differs from discretionary access control (DAC) and mandatory access control (MAC) and can overcome their shortcomings. RBAC has been adopted successfully in a variety of commercial settings, for example large organizations and cloud server deployments. An RBAC policy uses roles and role hierarchies to organize privileges, making the management of the organization more flexible and more convenient. The quality of the role set directly determines whether an organization applies an RBAC policy successfully.

The role hierarchy, a partial order between roles, is one of the constraints in an RBAC policy. It not only meets the needs of multi-level security but also reduces the cost of security management, because the role hierarchy has bottom-up inheritance and the user has top-down inheritance. Some existing role mining algorithms only find the optimal roles under a single objective and do not build the inheritance relationships between roles, while others have exponential time complexity. The role hierarchy mining problem is therefore worth further study.

First, the paper studies the definition and implementation of role engineering and analyzes the existing solutions to the role mining problem.

Second, the paper defines the role hierarchy mining problem and the steps to solve it. The first step, the Basic Role Mining Problem, finds the role set with the fewest roles such that the user-role assignment and the role-permission assignment fully agree with the initial user-permission assignment. The second step, the Role Hierarchy Building Problem, minimizes the overall complexity of the RBAC policy.

Based on these ideas, the paper uses matrix blocks together with the set intersection and difference operations to solve the Basic Role Mining Problem, and uses depth-first traversal of a directed graph to solve the Role Hierarchy Building Problem, providing the relevant theoretical proofs. Lastly, it optimizes the structure of the role hierarchy by removing redundant roles. Although the accuracy of the hierarchical algorithm is 11.9% poorer than that of the HM algorithm, the hierarchical role mining algorithm, which can be done in linear time, has a time complexity of O(U^2), where U is the initial number of users, whereas the HM algorithm has exponential time complexity.

Finally, this paper presents an application system in Active Directory (AD) that uses the role hierarchy mining algorithm. The system abstracts the set of permissions in a single-domain environment. It provides user information management, rights information management and role information management, and displays the user-permission and role-permission distribution relations. The system validates the practicality of the algorithm.
Keywords/Search Tags: RBAC, role, Role Hierarchy Mining, AD
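
A simplified illustration of the two steps the abstract describes, added here and not taken from the thesis: candidate roles come from set intersection, the hierarchy from permission-set containment, directly held permissions from set difference, and a depth-first traversal recomputes each user's permissions so they can be compared with the initial user-permission assignment. It does not implement the thesis's matrix-block method and makes no claim of a minimal role set; the sample data and all function names are assumptions.

```python
from itertools import combinations

# Constructed user-permission assignment (UPA); users and permissions are made up.
UPA = {
    "alice": {"read", "write", "deploy"},
    "bob": {"read", "write"},
    "carol": {"read"},
    "dave": {"read", "audit"},
}

def mine_roles(upa):
    """Candidate roles: distinct user permission sets, closed under intersection."""
    roles = {frozenset(p) for p in upa.values() if p}
    while True:
        new = {a & b for a, b in combinations(roles, 2)} - roles - {frozenset()}
        if not new:
            return roles
        roles |= new

def build_hierarchy(roles):
    """Map each role to its immediate juniors (proper subsets with no role in between)."""
    juniors = {}
    for senior in roles:
        below = [r for r in roles if r < senior]
        juniors[senior] = {j for j in below if not any(j < k for k in below)}
    return juniors

def direct_permissions(juniors):
    """Set difference: what a role must hold itself after inheriting from juniors."""
    return {r: r - frozenset().union(*js) for r, js in juniors.items()}

def effective_permissions(role, juniors, direct):
    """Depth-first traversal from a role down through the roles it inherits from."""
    seen, stack, perms = set(), [role], set()
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            perms |= direct[r]
            stack.extend(juniors[r])
    return perms

def rebuild_upa(upa):
    """Mine roles and hierarchy, then recompute each user's permissions from them."""
    juniors = build_hierarchy(mine_roles(upa))
    direct = direct_permissions(juniors)
    # Each user is assigned the single role equal to their permission set.
    return {u: effective_permissions(frozenset(p), juniors, direct) if p else set()
            for u, p in upa.items()}
```

Comparing `rebuild_upa(UPA)` with `UPA` is the consistency check from the first step: any difference means the mined roles grant or drop a permission relative to the original assignment.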