DocumentCode
1436539
Title
Constraint-Aware Role Mining via Extended Boolean Matrix Decomposition
Author
Lu, Haibing ; Vaidya, Jaideep ; Atluri, Vijayalakshmi ; Hong, Yuan
Author_Institution
Dept. of Oper. Manage. & Inf. Syst., Santa Clara Univ., Santa Clara, CA, USA
Volume
9
Issue
5
fYear
2012
Firstpage
655
Lastpage
669
Abstract
The role mining problem has received considerable attention recently. Among the many solutions proposed, the Boolean matrix decomposition (BMD) formulation has stood out, which essentially discovers roles by decomposing the binary matrix representing user-to-permission assignment (UPA) into two matrices-user-to-role assignment (UA) and permission-to-role assignment (PA). However, supporting certain embedded constraints, such as separation of duty (SoD) and exceptions, is critical to the role mining process. Otherwise, the mined roles may not capture the inherent constraints of the access control policies of the organization. None of the previously proposed role mining solutions, including BMD, take into account these underlying constraints while mining. In this paper, we extend the BMD so that it reflects such embedded constraints by proposing to allow negative permissions in roles or negative role assignments for users. Specifically, by allowing negative permissions in roles, we are often able to use less roles to reconstruct the same given user-permission assignments. Moreover, from the resultant roles we can discover underlying constraints such as separation of duty constraints. This feature is not supported by any existing role mining approaches. Hence, we call the role mining problem with negative authorizations the constraint-aware role mining problem (CRM). We also explore other interesting variants of the CRM, which may occur in real situations. To enable CRM and its variants, we propose a novel approach, extended Boolean matrix decomposition (EBMD), which addresses the ineffectiveness of BMD in its ability of capturing underlying constraints. We analyze the computational complexity for each of CRM variants and present heuristics for problems that are proven to be NP-hard.
Keywords
Boolean algebra; authorisation; computational complexity; data mining; matrix decomposition; NP-hard; access control policy; binary matrix; computational complexity; constraint-aware role mining problem; duty separation; embedded constraint; extended Boolean matrix decomposition; heuristics; negative permission; negative role assignment; permission-to-role assignment matrix; role-based access control; user-permission assignment; user-to-permission assignment; user-to-role assignment matrix; Authorization; Clustering algorithms; Matrix decomposition; Minimization; Organizations; Vectors; EBMD.; RBAC; constraint-aware role mining;
fLanguage
English
Journal_Title
Dependable and Secure Computing, IEEE Transactions on
Publisher
ieee
ISSN
1545-5971
Type
jour
DOI
10.1109/TDSC.2012.21
Filename
6143956
Link To Document