Python code and datasets for constrained role mining heuristics

carblu/rolemining

Constrained Role Mining - UDCC Scenario

Role-based access control (RBAC) defines the methods complex organizations use to assign permissions for accessing resources to their users. RBAC assigns users to roles, and roles define the resources each user can access. Defining roles when there is a large number of users and many resources to handle can be very hard. Hence, data mining techniques can be used to automatically propose candidate roles. The class of tools and methodologies that elicit roles starting from existing user-permission assignments is referred to as role mining. Sometimes, to make the RBAC model directly deployable in organizations, role mining can also consider various constraints such as cardinality and separation of duty. In general, constraints are enforced to ease role management, and their use is justified because role administration becomes more convenient.

We concentrate on the User-Distribution cardinality constraint. Such a constraint assumes that only a maximum number of users can be assigned a given role. In this scenario, we present a simple heuristic (DuplicateUDCC) that improves on the state-of-the-art ones. Moreover, to consider a more realistic scenario, we propose to add another constraint to the User-Distribution model. Namely, we impose that the role mining procedure cannot generate two roles having the same set of permissions. We also describe a heuristic (StrictUDCC) to compute a solution in the new model. The heuristics' performance has been evaluated using real-world datasets. The Python code available in the folder UDCC implements both heuristics.

The heuristic StrictUDCC has been tested using real-world datasets that were publicly available from HP Labs [1]. These datasets can also be found in the folder datasets. The heuristic DuplicateUDCC starts from a solution (referred to as a decomposition) of the role mining problem in the unconstrained setting, then fixes the cases where the constraint is violated. The decompositions used to test DuplicateUDCC are obtained by applying state-of-the-art role mining heuristics for the unconstrained setting to the real-world datasets available in the folder datasets. The computed decompositions can be found in the folder decompositions.
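The two constraints described above, as an added example that is not code from this repository: `check` validates a decomposition against the user-permission assignments, the UDCC bound and the no-duplicate-roles rule, and `split_oversized` is a naive role-copying repair used only for illustration (it is not the repository's DuplicateUDCC or StrictUDCC). The function names, the `#` suffix for copies and the sample data are assumptions constructed for this example.

```python
from collections import defaultdict

def check(upa, ua, pa, t):
    """List violations. upa: user->perms, ua: user->roles, pa: role->perms, t: UDCC bound."""
    problems = []
    # 1. The roles of each user must grant exactly that user's permissions.
    for user, perms in sorted(upa.items()):
        granted = set().union(*(pa[r] for r in ua.get(user, ())))
        if granted != perms:
            problems.append(("coverage", user))
    # 2. UDCC: no role may be assigned to more than t users.
    members = defaultdict(set)
    for user, roles in ua.items():
        for r in roles:
            members[r].add(user)
    problems += [("udcc", r) for r in sorted(members) if len(members[r]) > t]
    # 3. Strict model: no two roles may have the same permission set.
    seen = {}
    for r in sorted(pa):
        first = seen.setdefault(frozenset(pa[r]), r)
        if first != r:
            problems.append(("duplicate", first, r))
    return problems

def split_oversized(ua, pa, t):
    """Naive repair (illustration only): copy an oversized role once per group of t users."""
    members = defaultdict(list)
    for user in sorted(ua):
        for r in sorted(ua[user]):
            members[r].append(user)
    new_ua, new_pa = {u: set() for u in ua}, {}
    for r, users in members.items():
        for i in range(0, len(users), t):
            name = r if i == 0 else f"{r}#{i // t}"  # hypothetical naming for copies
            new_pa[name] = set(pa[r])
            for u in users[i:i + t]:
                new_ua[u].add(name)
    return new_ua, new_pa

# Constructed sample: an unconstrained decomposition in which r1 has four users.
UPA = {"u1": {"p1", "p2"}, "u2": {"p1", "p2"}, "u3": {"p1", "p2"},
       "u4": {"p1", "p2", "p3"}, "u5": {"p3"}}
PA = {"r1": {"p1", "p2"}, "r2": {"p3"}}
UA = {"u1": {"r1"}, "u2": {"r1"}, "u3": {"r1"}, "u4": {"r1", "r2"}, "u5": {"r2"}}
T = 2  # at most two users per role

if __name__ == "__main__":
    print(check(UPA, UA, PA, T))
    print(check(UPA, *split_oversized(UA, PA, T), T))
```

On the sample, copying the oversized role removes the UDCC violation but introduces two roles with identical permissions, which is exactly what the stricter model forbids.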

The complete set of experiments is available in the PDF file Additional Material.pdf.

[1] A. Ene, W.G. Horne, N. Milosavljevic, P. Rao, R. Schreiber, and R.E. Tarjan
    Fast exact and heuristic methods for role minimization problems
    ACM SACMAT 2008, pp. 1–10
