Research On Role Mining Algorithm For Access Control

Posted on: 2021-04-09 | Degree: Master | Type: Thesis
Country: China | Candidate: Y J Cui
GTID: 2428330629482569 | Subject: Computer Science and Technology
Abstract/Summary:
In recent years, role-based access control (RBAC) has quickly become a popular and effective access control method. Unlike traditional access control, in which users obtain permissions directly, users in RBAC obtain permissions through roles. Since a role is a collection of permissions, the number of roles in a system is much smaller than the number of permissions, so managing an RBAC system is more flexible and effective. As a key part of building an RBAC system, role mining has been extensively researched and applied. A series of role mining algorithms have been proposed, but most existing algorithms aim only at obtaining the smallest set of roles, without considering the constraints in the system, so the resulting role set cannot express the enterprise's security policy and user needs well. It is therefore necessary to introduce constraints into the role mining algorithm to control the implementation of these policies and requirements and achieve the security goals required of the RBAC system. This paper conducts an in-depth study of role mining under cardinality constraints and separation of duties constraints in RBAC. The main work is as follows:

(1) To avoid a role holding too many permissions or being assigned to too many users, which violates the design principles and security policies of the RBAC system, this paper proposes a role mining algorithm based on double constraints. The algorithm converts the user-permission assignment relationship into a bipartite graph. Under the constraints, it finds a minimum complete bipartite graph cover of the bipartite graph to obtain the initial role set, the user-role assignment relationship and the role-permission assignment relationship that satisfy the permission cardinality constraint and the user cardinality constraint. To obtain the complete RBAC state, however, the role hierarchy still has to be built, so graph optimization is applied to the role set to construct the role hierarchy.

(2) Separation of duties (SoD) is an important constraint strategy for preventing fraud in an RBAC system. The existing algorithm finds the minimum number of users under the SMER constraint to obtain a user-permission assignment relationship that meets the constraints, but transforming SoD constraints into enforceable SMER constraints is actually very challenging. Therefore, this paper takes the user authorization matrix (UPA) and a set of SoD constraints as input, and finds consistent user-role (UA) and role-permission (PA) matrices together with a set of tt SMER constraints that correctly enforce the given SoD constraints while optimizing the number of roles. The algorithm converts the user-permission relationship into a Boolean matrix, uses a permission grouping method to assign SoD constraint information to roles during role mining, generates a tt SMER (Statically Mutually Exclusive Roles, SMER) constraint set, and uses that constraint set to enforce the SoD constraints in the system.

(3) The feasibility and effectiveness of the proposed algorithms are verified through experiments. Simulation experiments test the algorithms on existing data sets and simulated data sets, and the results are compared and analyzed against existing algorithms. The experimental results show that the role set obtained by the proposed algorithms can effectively implement the constraint strategy and ensure the security of the RBAC system.
Keywords/Search Tags: Role-based Access Control System, Role Mining, Cardinality Constraints, Separation of Duties
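
Contribution (1) of the abstract, role mining as a biclique cover of the user-permission graph under a permission cardinality bound and a user cardinality bound, can be illustrated with the following added example. It is a simplified greedy heuristic written for this page, not the thesis's algorithm, and it does not build a role hierarchy; the function names, the sample users and permissions, and the bounds are assumptions.

```python
# Constructed sample UPA (user -> permissions); all names are illustrative.
SAMPLE_UPA = {
    "alice": {"read_ledger", "post_entry", "approve_payment"},
    "bob": {"read_ledger", "post_entry"},
    "carol": {"read_ledger", "approve_payment"},
    "dave": {"read_ledger"},
}

def mine_roles(upa, max_perms, max_users):
    """Greedy biclique cover of the user-permission graph under two caps.

    Returns (ua, pa): ua maps user -> role names, pa maps role -> permissions.
    """
    if max_perms < 1 or max_users < 1:
        raise ValueError("both cardinality bounds must be at least 1")
    uncovered = {u: set(ps) for u, ps in upa.items() if ps}
    ua = {u: set() for u in upa}
    pa = {}
    while uncovered:
        # Seed with the user who has the most uncovered edges (ties by name).
        seed = min(uncovered, key=lambda u: (-len(uncovered[u]), u))
        perms = set(sorted(uncovered[seed])[:max_perms])
        # A user may join only if they already hold every permission in the
        # role (no privilege is added) and the role covers something for them.
        eligible = [u for u in uncovered
                    if u != seed and perms <= upa[u] and perms & uncovered[u]]
        eligible.sort(key=lambda u: (-len(perms & uncovered[u]), u))
        members = [seed] + eligible[:max_users - 1]
        role = f"R{len(pa) + 1}"
        pa[role] = perms
        for u in members:
            ua[u].add(role)
            uncovered[u] -= perms
            if not uncovered[u]:
                del uncovered[u]
    return ua, pa

def effective_permissions(ua, pa):
    """Permissions each user ends up with through their roles."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}

def role_user_counts(ua, pa):
    """Number of users assigned to each role (user cardinality)."""
    return {r: sum(r in roles for roles in ua.values()) for r in pa}

if __name__ == "__main__":
    ua, pa = mine_roles(SAMPLE_UPA, max_perms=2, max_users=3)
    for role, perms in pa.items():
        print(role, sorted(perms), sorted(u for u in ua if role in ua[u]))
```

Comparing `effective_permissions(ua, pa)` with the input UPA confirms that the mined roles neither drop nor add any privilege, which is the check to run on any mined role set before deploying it.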