
Research On Big Data Access Control Based On Constraint Role Mining

Posted on: 2020-11-21
Degree: Master
Type: Thesis
Country: China
Candidate: J N Dong
GTID: 2428330590981705
Subject: Software engineering

Abstract/Summary:
Role-based access control has become a very popular access model. It creates roles between users and permissions so that users indirectly own a specific set of permissions, while roles represent a set of permissions and related policies. Role-based access control can greatly reduce the redundancy in the user rights assignment relationship, and the role acts as an intermediary that prevents users from operating on permissions directly, which plays a very good role in protecting the security of the management system. The key to implementing role-based access control is the definition of roles, that is, how to decompose existing user rights assignment relationships into user role assignment relationships and role rights assignment relationships. The process of role definition is called role engineering, and there are two ways to carry it out. One is the top-down method, which collects relevant information from the business process flow of the enterprise, the job requirements of the company, and the division of labour on the project to determine the final roles. This method requires a large amount of data to be analyzed manually and has to be negotiated with personnel in the professional field, which is costly. In contrast, the bottom-up approach analyzes existing relationships between users and permissions and uses techniques such as data mining to define the final roles, a process also known as role mining.

Although many role mining methods have been proposed, many algorithms do not consider the need to satisfy the relevant constraints, of which there are three. The first is the separation of duties constraint, which specifies how many people are needed to complete a task, to prevent fraudulent behaviour. The second is the cardinality constraint, which includes four kinds: user cardinality constraint, role using cardinality constraint, privilege allocation cardinality constraint and privilege cardinality constraint. The last is the prerequisite constraint, which specifies that a user needs to have another role before they can have a given role, or that a role needs to have another permission before it can have a given permission.

Starting from the static separation of duties constraints, this paper randomly generates a set of static mutually exclusive role constraints and proposes a greedy algorithm to select a set of mutually exclusive role pairs from the set of constraints. Each role is defined as a vertex, and two roles are joined by an edge if there is a mutually exclusive relationship between them, which ultimately forms a sparse graph. The graph is then colored with the Welsh-Powell coloring method. Roles colored the same are placed in one group, each group is assigned at least one user, and one user cannot have roles in any two groups at the same time, thus achieving separation of duties. The number of groups is the minimum number of users that meet the static separation of duties constraints, which represents the minimum number of individuals required to complete a task that has static separation of duties constraints. The related experimental results prove the efficiency and security of the algorithm.

For the cardinality constraint, this paper chooses the permission cardinality constraint as the constraint that role mining is required to satisfy. Taking the access control matrix between users and permissions as input, two role mining algorithms satisfying the permission cardinality constraint are proposed. In both algorithms, the rows and columns of the access control matrix are sorted so that the originally disordered access control matrix becomes ordered. The first mines roles that satisfy the permission cardinality constraint based on a word frequency statistics method. The algorithm defines each user's permissions as a string of characters, a string that does not include permissions the user does not have, then defines each role as a role for each of the permissions, and counts the characters with a higher frequency. The second method performs an intersection operation on the permissions of the users in adjacent rows; the generated intersection is defined as a candidate character set, the candidate character set is then iteratively reduced, and the algorithm can be made to give good results by adjusting the iteration criterion. In addition, a separate role is generated for permissions owned by a small number of users. The experiments use a common data set. Through comparison experiments, the two algorithms proposed in this paper have achieved excellent results.
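
The static separation-of-duties grouping described in the abstract, as an added Python example (not code from the thesis): roles are vertices, mutually exclusive pairs are edges, and Welsh-Powell coloring produces the role groups. The role names and constraint pairs are constructed, and the thesis's greedy selection of exclusive pairs is assumed to have already produced `PAIRS`.

```python
from collections import defaultdict

def welsh_powell_groups(roles, exclusive_pairs):
    """Color the mutual-exclusion graph; each color class is one role group."""
    adj = defaultdict(set)
    for a, b in exclusive_pairs:
        if a == b or a not in roles or b not in roles:
            raise ValueError(f"bad constraint pair: {(a, b)!r}")
        adj[a].add(b)
        adj[b].add(a)
    # Welsh-Powell order: highest degree first; the name breaks ties so the
    # result is deterministic.
    order = sorted(roles, key=lambda r: (-len(adj[r]), r))
    colored, groups = set(), []
    for seed in order:
        if seed in colored:
            continue
        group = []
        # Fill this color with every uncolored role that conflicts with
        # nothing already in the group (the seed is always taken first).
        for r in order:
            if r not in colored and not (adj[r] & set(group)):
                group.append(r)
                colored.add(r)
        groups.append(group)
    # Greedy coloring: len(groups) is an upper bound on the chromatic number.
    return groups

def ssd_violations(user_roles, exclusive_pairs):
    """List (user, role_a, role_b) for every exclusive pair one user holds."""
    return [(u, a, b) for u, held in sorted(user_roles.items())
            for a, b in exclusive_pairs if a in held and b in held]

# Constructed sample data (not from the thesis).
ROLES = ["payment_initiator", "payment_approver", "auditor",
         "vendor_admin", "report_viewer"]
PAIRS = [("payment_initiator", "payment_approver"),
         ("payment_initiator", "auditor"),
         ("payment_approver", "auditor"),
         ("vendor_admin", "payment_approver")]

if __name__ == "__main__":
    groups = welsh_powell_groups(ROLES, PAIRS)
    # One user per group, holding only that group's roles.
    assignment = {f"user{i}": set(g) for i, g in enumerate(groups)}
    print(groups, ssd_violations(assignment, PAIRS))
```

On this sample the three pairwise-exclusive roles force three groups, so the greedy result matches the true minimum; on other graphs the group count is only an upper bound.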
Keywords/Search Tags:Role-based Access Control, Separation of Duty, Cardinality Constraint, Role Mining, Word Statistics