Constrained Role Mining
This work addresses the need for more efficient and constrained role definitions in enterprise security systems, though it is incremental as it builds on existing role mining techniques.
The paper tackles the role mining problem in Role Based Access Control by introducing a cardinality constraint that limits the maximum number of permissions per role, and proposes a novel heuristic that shows improved performance in experiments on real and synthetic datasets compared to previous methods.
Role Based Access Control (RBAC) is a very popular access control model, for long time investigated and widely deployed in the security architecture of different enterprises. To implement RBAC, roles have to be firstly identified within the considered organization. Usually the process of (automatically) defining the roles in a bottom up way, starting from the permissions assigned to each user, is called {\it role mining}. In literature, the role mining problem has been formally analyzed and several techniques have been proposed in order to obtain a set of valid roles. Recently, the problem of defining different kind of constraints on the number and the size of the roles included in the resulting role set has been addressed. In this paper we provide a formal definition of the role mining problem under the cardinality constraint, i.e. restricting the maximum number of permissions that can be included in a role. We discuss formally the computational complexity of the problem and propose a novel heuristic. Furthermore we present experimental results obtained after the application of the proposed heuristic on both real and synthetic datasets, and compare the resulting performance to previous proposals