Role Mining to Assist Authorization Governance: How Far Have We Gone?

Safaà Hachana (Swid Web Performance Service, Rennes, France, & Laboratoire d’Informatique Scientifique et Industrielle, École Nationale Supérieure de Mécanique et d’Aérotechnique, Poitiers, France), Nora Cuppens-Boulahia (Department of Logics in Uses Social Science and Information, Institut-Mines Télécom/Télécom Bretagne, Rennes, France, & Swid Web Performance Service, Rennes, France) and Frédéric Cuppens (Department of Logics in Uses Social Science and Information, Institut-Mines Télécom/Télécom Bretagne, Rennes, France)
Copyright: © 2012 | Pages: 20
DOI: 10.4018/jsse.2012100103

Abstract

The concept of role has revolutionized access control systems by making them more efficient and by simplifying their management. Role mining is the discipline of automating the definition of roles in a given access control system. It is an active research area, which has attracted growing interest in recent years. Research on role mining has produced several interesting contributions in this field, and has also raised several related issues toward leveraging them in actual enterprises. This paper is a comprehensive analysis of the main research directions around role mining and of future trends. The authors present the problem of role mining, the current achievements in solving it and the related open issues. With this objective, they define a complete and realistic business process for role mining, and they sequentially analyze the issues related to each step of the process by investigating the main contributions in the literature. They also point out the unhandled issues and highlight future perspectives.
Article Preview

Introduction

Access control is one of the basic security mechanisms. It affects a wide range of applications, including operating systems, database systems, enterprise resource planning systems, workflow systems, Information Technology systems, and many more security-sensitive applications. In the last decades, the Role Based Access Control model (RBAC) (Sandhu, Coyne, Feinstein, & Youman, 1996; Ferraiolo, Sandhu, Gavrila, Kuhn, & Chandramouli, 2001) has become the dominant model for access control in both commercial and research fields. By structuring and simplifying access control management, the RBAC model has proven its ability to bring a substantial enhancement of performance and productivity and has become essential to large enterprises.

Nonetheless, the configuration and deployment of the RBAC model in an organization is still a major difficulty. “Role engineering” refers to the task of structuring the organization's actors into roles and assigning authorizations to them. This task has been fully manual for years. The first approach to role engineering, known as the top-down approach, relies on top-down information (use cases, business processes) and defines roles by decomposition. Security experts have to consider the different use cases and conduct interviews with business experts and users in order to deeply understand the semantics of the business processes. Then they define the roles by carefully analyzing the business processes and decomposing them into smaller, functionally independent units. The second and less used approach is the bottom-up approach, which uses the available bottom-up information, namely the access control rules deployed prior to RBAC adoption (the existing user-to-permission assignments). Roles are built by manually aggregating these assignments, often in conjunction with top-down decomposition.

The manual approach to role engineering suffers from several limits. First, it is very expensive: according to a NIST report (Gallaher, O’Connor, & Kropp, 2002), role engineering is estimated to consume 60% of the cost of setting up and operating an RBAC framework. Second, it is a long process that may last several months. Third, it usually requires involving security access control advisors in the internal business processes, which may itself raise serious security issues. Fourth, it does not fully leverage the existing access control framework, since the usage of bottom-up information remains limited. Finally, it suffers from scalability limits: in a context of dozens of business processes, tens of thousands of users and millions of authorizations, the operation may become infeasible, and it has seldom been carried out successfully. Thus, relying only on manual role engineering has proven to be insufficient and not viable, and it constitutes a limit to the deployment of the RBAC model in enterprises.

In this context, “role mining” (RM) has been presented as the best alternative to traditional role engineering approaches. Indeed, when Kuhlmann et al. (2003) first suggested automating the bottom-up role engineering approach by applying existing data mining techniques to extract roles from the deployed user-permission assignments, the idea proved very attractive: it promises to drastically reduce the cost and complexity of the process. The time required to perform role engineering is likely to decrease from several months with the manual approach to a few seconds or hours with the automatic role mining approach. Moreover, the guarantee that the existing user-to-permission assignments are taken into account is an argument that could encourage organizations to move to RBAC more confidently. This was the beginning of intensive research work on role mining.
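To make the bottom-up idea concrete, the following is an added example (not code from the paper or its authors) of a minimal role-mining run over a small user-to-permission assignment (UPA). The UPA is constructed for illustration. The algorithm is a simplification: candidate roles are the closure of the users' permission sets under intersection (the idea behind the CompleteMiner/FastMiner family of role miners), and roles are then chosen by a greedy set cover. The function names, the permission identifiers and the user names are assumptions made for this example. The final check, that the user-to-role assignment composed with the roles reproduces the original UPA exactly, is the property the paper alludes to when it says mined roles take the existing assignments into account: nothing is lost, and no user is granted a permission it did not already hold.

```python
"""Minimal bottom-up role mining over a constructed user-permission matrix (UPA).

Added example, not code from the paper. The input is the kind of bottom-up
information the paper refers to: which user currently holds which permission.
The output is a set of roles, a user-to-role assignment (UA), and a check that
UA composed with the roles reproduces the UPA exactly, i.e. the mined roles
grant every existing assignment and nothing beyond it.

Candidate generation (closure of the users' permission sets under
intersection) is the idea behind the CompleteMiner/FastMiner family; the role
selection is a plain greedy set-cover heuristic. Both are simplified here.
"""
from itertools import combinations

# Constructed sample UPA (user -> permissions). Not real data.
SAMPLE_UPA = {
    "alice": {"p1", "p2", "p3"},
    "bob":   {"p1", "p2", "p3", "p4"},
    "carol": {"p1", "p2", "p4"},
    "dave":  {"p4", "p5"},
    "erin":  {"p4", "p5"},
}


def candidate_roles(upa):
    """Return candidate roles as frozensets: every user's permission set plus
    all non-empty pairwise intersections, iterated to a fixpoint."""
    cands = {frozenset(perms) for perms in upa.values() if perms}
    changed = True
    while changed:
        changed = False
        for a, b in combinations(list(cands), 2):
            inter = a & b
            if inter and inter not in cands:
                cands.add(inter)
                changed = True
    return cands


def mine_roles(upa):
    """Greedy cover of the (user, permission) pairs in the UPA.

    Each round picks the candidate that covers the most still-uncovered pairs.
    A user may only receive a role whose permissions are a subset of what the
    user already has, so no user is ever over-privileged by the mined roles.
    Candidates are scanned in a fixed order (larger first, then lexicographic)
    so ties break deterministically. Returns (roles, ua) with roles a list of
    frozensets and ua mapping user -> set of indices into roles.
    """
    ordered = sorted(candidate_roles(upa), key=lambda c: (-len(c), sorted(c)))
    uncovered = {(u, p) for u, perms in upa.items() for p in perms}
    roles, ua = [], {u: set() for u in upa}
    while uncovered:
        best, best_gain = None, 0
        for cand in ordered:
            gain = sum(1 for u, perms in upa.items() if cand <= perms
                       for p in cand if (u, p) in uncovered)
            if gain > best_gain:
                best, best_gain = cand, gain
        # Every user's own permission set is a candidate, so a covering
        # candidate always exists while pairs remain uncovered.
        assert best is not None
        idx = len(roles)
        roles.append(best)
        for u, perms in upa.items():
            if best <= perms and any((u, p) in uncovered for p in best):
                ua[u].add(idx)
                uncovered -= {(u, p) for p in best}
    return roles, ua


def reconstruct(roles, ua):
    """Compose UA with the roles' permissions to get the implied UPA."""
    return {u: set().union(*(roles[i] for i in idxs)) for u, idxs in ua.items()}


def is_consistent(upa, roles, ua):
    """True iff the mined RBAC state grants exactly the original assignments."""
    return reconstruct(roles, ua) == {u: set(p) for u, p in upa.items()}


if __name__ == "__main__":
    roles, ua = mine_roles(SAMPLE_UPA)
    for i, r in enumerate(roles):
        print(f"role{i}: {sorted(r)}")
    for u, idxs in ua.items():
        print(f"{u}: {sorted('role%d' % i for i in idxs)}")
    print("consistent:", is_consistent(SAMPLE_UPA, roles, ua))
```

On the sample UPA this yields three roles ({p1, p2, p3}, {p1, p2, p4} and {p4, p5}), with bob holding the first two, and the consistency check passes. The subset restriction in `mine_roles` is the security-relevant detail: a miner that is allowed to assign a role whose permissions exceed a user's current set would silently widen that user's access, which is exactly what a governance review of mined roles must rule out. On real enterprise data the candidate closure grows quickly, which is why the literature the paper surveys spends much of its effort on pruning and on tolerating noise in the UPA; this example does neither.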
