Abstract

Temporal role-based access control (TRBAC) extends role-based access control to limit the times at which roles are enabled. This paper presents a new algorithm for mining high-quality TRBAC policies from timed ACLs (i.e., ACLs with time limits in the entries) and optionally user attribute information. Such algorithms have potential to significantly reduce the cost of migration from timed ACLs to TRBAC. The algorithm is parameterized by the policy quality metric. We consider multiple quality metrics, including number of roles, weighted structural complexity (a generalization of policy size), and (when user attribute information is available) interpretability, i.e., how well role membership can be characterized in terms of user attributes. Ours is the first TRBAC policy mining algorithm that produces hierarchical policies, and the first that optimizes weighted structural complexity or interpretability. In experiments with datasets based on real-world ACL policies, our algorithm is more effective than previous algorithms at their goal of minimizing the number of roles.

Highlights

  • Role-based access control (RBAC) offers significant advantages over lower-level access control policy representations, such as access control lists (ACLs)

  • An RBAC policy is a tuple ⟨User, Perm, Role, UA, PA, RH⟩, where User is a set of users, Perm is a set of permissions, Role is a set of roles, UA ⊆ User × Role is the user-role assignment, PA ⊆ Role × Perm is the permission-role assignment, and RH ⊆ Role × Role is the role inheritance relation

  • A temporal role-based access control (TRBAC) policy π is consistent with a temporal user-permission assignment (TUPA) T if they grant the same permissions to the same users for the same sets of time intervals
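
The consistency condition in the last highlight can be checked mechanically by expanding a candidate TRBAC policy into the TUPA it induces and diffing that against the timed ACLs. The sketch below is an added example, not the paper's algorithm or code. It assumes time is modelled as hours of the day, RH pairs are ordered (senior, junior), and a user holds an inherited permission while the role that directly holds it is enabled; the users, roles and permissions are constructed.

```python
from collections import defaultdict

def juniors(role, rh):
    """The role itself plus every role below it; rh holds (senior, junior) pairs."""
    seen, stack = {role}, [role]
    while stack:
        r = stack.pop()
        for senior, junior in rh:
            if senior == r and junior not in seen:
                seen.add(junior)
                stack.append(junior)
    return seen

def expand(ua, pa, rh, enabled):
    """Expand a TRBAC policy into a TUPA: (user, perm) -> set of granted hours."""
    tupa = defaultdict(set)
    for user, role in ua:
        for r in juniors(role, rh):
            for holder, perm in pa:
                if holder == r:
                    # Assumed semantics: granted while the holding role is enabled.
                    tupa[(user, perm)] |= enabled[r]
    return {k: v for k, v in tupa.items() if v}

def consistent(policy, tupa):
    """Return (ok, over_grants, under_grants) for a policy against a TUPA."""
    got = expand(*policy)
    over = {k: v - tupa.get(k, set()) for k, v in got.items()}
    under = {k: v - got.get(k, set()) for k, v in tupa.items()}
    over = {k: v for k, v in over.items() if v}
    under = {k: v for k, v in under.items() if v}
    return (not over and not under), over, under

# Constructed sample data (not from the paper's datasets).
DAY, MORNING = set(range(8, 17)), set(range(9, 12))
TUPA = {("alice", "read_chart"): DAY, ("bob", "read_chart"): DAY,
        ("bob", "write_rx"): MORNING}
UA = {("alice", "staff"), ("bob", "prescriber")}
PA = {("staff", "read_chart"), ("prescriber", "write_rx")}
RH = {("prescriber", "staff")}
POLICY = (UA, PA, RH, {"staff": DAY, "prescriber": MORNING})
# Same roles, but the prescriber role stays enabled two hours too long.
DRIFTED = (UA, PA, RH, {"staff": DAY, "prescriber": set(range(9, 14))})

if __name__ == "__main__":
    print(consistent(POLICY, TUPA))
    print(consistent(DRIFTED, TUPA))
```

Over-grants are the entries to review first when migrating from timed ACLs, since they give a user access at times the original ACLs did not; under-grants show up as lost access.
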


Summary

Introduction

Role-based access control (RBAC) offers significant advantages over lower-level access control policy representations, such as access control lists (ACLs). This paper presents an algorithm for mining hierarchical TRBAC policies. It is parameterized by a policy quality metric. For each ACL policy, we mine an RBAC policy from the ACLs and synthetic attribute data using Xu and Stoller’s elimination algorithm [11], pseudorandomly extend the RBAC policy with temporal information numerous times to obtain TRBAC policies, expand the TRBAC policies into equivalent TUPAs, mine a TRBAC policy from each TUPA and fixed attribute data, and compare the average quality of the resulting TRBAC policies with the quality of the original TRBAC policy, with the goal that the former is at least as good as the latter. In experiments using WSC-INT as the policy quality metric, our algorithm succeeds in finding the implicit structure in the TUPA, producing policies with comparable (for the first dataset) or moderately higher (for the second dataset) WSC and better interpretability, on average, compared with the original TRBAC policy. We experimentally evaluated the benefits of some design decisions and quantified the cost-quality trade-off provided by a parameter to our algorithm that limits the number of candidate roles.

Background on TRBAC
The Relaxed TRBAC Policy Mining Problem
TRBAC Policy Mining Algorithm
Datasets
Evaluation
Experiments using dataset with simple PEs
Experiments using dataset with complex PEs
Related Work
Related Work on TRBAC Policy Mining
Related Work on RBAC Mining