Evolving role definitions through permission invocation patterns

Wen Zhang, You Chen, Carl Gunter, David Liebovitz, Bradley Malin

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

In role-based access control (RBAC), roles are traditionally defined as sets of permissions. Roles specified by administrators may be inaccurate, however, so data mining methods have been proposed to learn roles from actual permission utilization. These methods minimize variation from an information-theoretic perspective, but they neglect the expert knowledge of administrators. In this paper, we propose a strategy to enable a controlled evolution of RBAC based on utilization. To accomplish this goal, we extend a subset enumeration framework to search candidate roles for an RBAC model that addresses an objective function which balances administrator beliefs and permission utilization. The rate of role evolution is controlled by an administrator-specified parameter. To assess effectiveness, we perform an empirical analysis using simulations, as well as a real-world dataset from an electronic medical record (EMR) system in use at a large academic medical center (over 8000 users, 140 roles, and 140 permissions). We compare the results with several state-of-the-art role mining algorithms using 1) an outlier detection method on the new roles to evaluate the homogeneity of their behavior and 2) a set-based similarity measure between the original and new roles. The results illustrate that our method is comparable to the state of the art, but allows for a range of RBAC models which trade off user behavior and administrator expectations. For instance, in the EMR dataset, we find the resulting RBAC model contains 22% outliers and a distance of 0.02 to the original RBAC model when the system is biased toward administrator belief, and 13% outliers and a distance of 0.26 to the original RBAC model when biased toward permission utilization.

Original language: English (US)
Title of host publication: SACMAT 2013 - Proceedings of the 18th ACM Symposium on Access Control Models and Technologies
Pages: 37-47
Number of pages: 11
DOIs: https://doi.org/10.1145/2462410.2462422
State: Published - Sep 2 2013
Event: 18th ACM Symposium on Access Control Models and Technologies, SACMAT 2013 - Amsterdam, Netherlands
Duration: Jun 12 2013 - Jun 14 2013

Publication series

Name: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Other

Other: 18th ACM Symposium on Access Control Models and Technologies, SACMAT 2013
Country: Netherlands
City: Amsterdam
Period: 6/12/13 - 6/14/13

Keywords

  • Audit logs
  • Role mining
  • Role-based access control

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems


Cite this

Zhang, W., Chen, Y., Gunter, C., Liebovitz, D., & Malin, B. (2013). Evolving role definitions through permission invocation patterns. In SACMAT 2013 - Proceedings of the 18th ACM Symposium on Access Control Models and Technologies (pp. 37-47). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). https://doi.org/10.1145/2462410.2462422