Role mining is a critical step for organizations
that migrate from traditional access control mechanisms to Role Based Access Control
(RBAC). Additional constraints may be imposed while generating roles from a
given user-permission assignment relation. In this paper we consider two such
constraints which are the dual of each other. A role-usage cardinality
constraint limits the maximum number of roles any user can have. Its dual, the
permission-distribution cardinality constraint, limits the maximum number of
roles to which a permission can belong. These two constraints impose mutually
contradictory requirements on user to role and role to permission assignments.
An attempt to satisfy one of the constraints may result in a violation of the
other. We show that the constrained role mining problem is NP-Complete and
present heuristic solutions. Two distinct frameworks are presented in this
paper. In the first approach, roles are initially mined without taking the
constraints into account. The user-role and role-permission assignments are
then checked for constraint violation in a post-processing step, and
appropriately re-assigned, if necessary. In the second approach, constraints
are enforced during the process of role mining. The methods are first applied
on problems that consider the two constraints individually, and then with both
considered together. Both methods are evaluated over a number of real-world
data sets.
No comments:
Post a Comment