TY - JOUR
T1 - A business-driven decomposition methodology for role mining
AU - Colantonio, Alessandro
AU - Di Pietro, Roberto
AU - Verde, Nino Vincenzo
N1 - Funding Information:
This work has been carried out with the support of ACC1O, the Catalan Business Comptitiveness Support Agency.
PY - 2012/10
Y1 - 2012/10
N2 - It is generally accepted that role mining - that is, the discovery of roles through the automatic analysis of data from existing access control systems - must count on business requirements to increase its effectiveness. Indeed, roles elicited without leveraging on business information are unlikely to be intelligible by system administrators. A business-oriented categorization of users and permissions (e.g., organizational units, job titles, cost centers, business processes, etc.) could help administrators identify the job profiles of users and, as a consequence, which roles should be assigned to them. Nonetheless, most of the existing role mining techniques yield roles that have no clear relationship with the business structure of the organization where the role mining is being applied. To face this problem, we propose a methodology that allows role engineers to leverage business information during the role finding process. The key idea is decomposing the dataset to analyze into several partitions, in a way that each partition is homogeneous from a business perspective. Each partition groups users or permissions with the same business categorization (e.g., all the users belonging to the same department, or all the permissions that support the execution of the same business process). Such partitions are then role-mined independently, hence achieving three main results: (1) elicited roles have a clearer relationship with business information; (2) mining algorithms do not seek to find commonalities among users with fundamentally different job profiles or among uncorrelated permissions; and, (3) any role mining algorithm can be used in conjunction with our approach. When several business attributes are available, analysts need to figure out which one produces the decomposition that leads to the most intelligible roles. In this paper, we describe three indexes that drive the decomposition process by measuring the quality of a given decomposition: entrustability, minability gain, and similarity gain. We compare these indexes, pointing out pros and cons. Finally, we apply our methodology on real enterprise data, showing its effectiveness and efficiency in supporting role engineering.
AB - It is generally accepted that role mining - that is, the discovery of roles through the automatic analysis of data from existing access control systems - must count on business requirements to increase its effectiveness. Indeed, roles elicited without leveraging on business information are unlikely to be intelligible by system administrators. A business-oriented categorization of users and permissions (e.g., organizational units, job titles, cost centers, business processes, etc.) could help administrators identify the job profiles of users and, as a consequence, which roles should be assigned to them. Nonetheless, most of the existing role mining techniques yield roles that have no clear relationship with the business structure of the organization where the role mining is being applied. To face this problem, we propose a methodology that allows role engineers to leverage business information during the role finding process. The key idea is decomposing the dataset to analyze into several partitions, in a way that each partition is homogeneous from a business perspective. Each partition groups users or permissions with the same business categorization (e.g., all the users belonging to the same department, or all the permissions that support the execution of the same business process). Such partitions are then role-mined independently, hence achieving three main results: (1) elicited roles have a clearer relationship with business information; (2) mining algorithms do not seek to find commonalities among users with fundamentally different job profiles or among uncorrelated permissions; and, (3) any role mining algorithm can be used in conjunction with our approach. When several business attributes are available, analysts need to figure out which one produces the decomposition that leads to the most intelligible roles. In this paper, we describe three indexes that drive the decomposition process by measuring the quality of a given decomposition: entrustability, minability gain, and similarity gain. We compare these indexes, pointing out pros and cons. Finally, we apply our methodology on real enterprise data, showing its effectiveness and efficiency in supporting role engineering.
KW - Business relevance
KW - Data partitioning
KW - RBAC
KW - Role engineering
KW - Role mining
UR - http://www.scopus.com/inward/record.url?scp=84864041788&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2012.01.005
DO - 10.1016/j.cose.2012.01.005
M3 - Article
AN - SCOPUS:84864041788
SN - 0167-4048
VL - 31
SP - 844
EP - 855
JO - Computers and Security
JF - Computers and Security
IS - 7
ER -