A formal framework to elicit roles with business meaning in RBAC systems

Alessandro Colantonio, Roberto Di Pietro, Alberto Ocello, Nino Vincenzo Verde

Research output: Chapter in Book/Report/Conference proceedingConference contribution

52 Scopus citations


The role-based access con trol (RBAC) model has proven to be cost effective to reduce the complexity and costs of access permission management. To maximize the advantages offered by RBAC, the role engineering discipline has been introduced. A viable approach is to explore current applications and systems to find de facto roles embedded in existing user permissions, leading to what is usually referred to as role mining. However, a key problem that has not yet been adequately addressed by existing role mining approaches is how to propose roles that have business meaning. In order to do this, we provide a new formal framework that also enjoys practical relevance. In particular, the proposed framework leverages business information - such as business processes and organization structure - to implement role mining algorithms. Our key observation is that a role is likely to be meaningful from a business perspective when it involves activities within the same business process or organizational units within the same branch. To measure the " spreading" of a role among business processes or organization structure, we resort to centrality indices. Such indices are used in our cost-driven approach during the role mining process. Finally, we illustrate the application of the framework through a few examples.
Original languageEnglish (US)
Title of host publicationProceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
Number of pages10
StatePublished - Nov 30 2009
Externally publishedYes


Dive into the research topics of 'A formal framework to elicit roles with business meaning in RBAC systems'. Together they form a unique fingerprint.

Cite this