• DocumentCode
    1943992
  • Title

    Permission Set Mining: Discovering Practical and Useful Roles

  • Author

    Zhang, Dana ; Ramamohanarao, Kotagiri ; Ebringer, Tim ; Yann, Trevor

  • Author_Institution
    Univ. of Melbourne, Melbourne, VIC
  • fYear
    2008
  • fDate
    8-12 Dec. 2008
  • Firstpage
    247
  • Lastpage
    256
  • Abstract
    Role based access control is an efficient and effective way to manage and govern permissions to a large number of users. However, defining a role infrastructure that accurately reflects the internal functionalities and workings of a large enterprise is a challenging task. Recent research has focused on the theoretical components of automated role identification while practical applications for identifying roles remain unsolved. This research proposes a practical data mining heuristic method that is fast, scalable and capable of identifying comprehensive roles and placing them into a hierarchy. Permission set pattern data mining can be used to identify the roles with partial orderings that cover the largest portion of user permissions within a system. We test the algorithm on real user permission assignments as well as on generated data sets. Roles identified in test sets cover up to 85% of user permissions and analysis shows the roles offer significant administrative benefit. We find interesting correlations between roles and their relationships and analyse the tradeoffs between identifying roles with complete coverage and identifying roles that are most effective and offer significant administrative benefit.
  • Keywords
    authorisation; data mining; automated role identification; data mining heuristic method; data sets; partial orderings; permission set pattern data mining; role based access control; role infrastructure; user permission assignments; Access control; Application software; Computational complexity; Computer security; Concrete; Conference management; Data engineering; Data mining; Permission; Testing; Data Mining; Role Based Access Control; Role Engineering; Role Mining;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 2008. ACSAC 2008. Annual
  • Conference_Location
    Anaheim, CA
  • ISSN
    1063-9527
  • Print_ISBN
    978-0-7695-3447-3
  • Type

    conf

  • DOI
    10.1109/ACSAC.2008.21
  • Filename
    4721562