Role-based access control (RBAC) defines the methods complex organizations use to assign their users permissions for accessing restricted resources. RBAC assigns users to roles, where roles determine the resources each user can access. The definition of roles, especially when there is a large number of users and many resources to handle, can be a very difficult and time consuming task. The class of tools and methodologies to elicit roles starting from existing user-permission assignments are referred to as role mining. Sometimes, to let the RBAC model be directly deployable in organizations, role mining can also take into account various constraints, like cardinality and separation of duty. Typically, these constraints are enforced to ease roles’ management and their use is justified as role administration becomes convenient. In this paper, we focus on the User-Distribution cardinality constraint which places a restriction the number of users that can be assigned to a given role. In this scenario, we present a simple heuristic that improves over the state-of-the-art. Furthermore, to address a more realistic situation, we provide the User-Distribution model with the additional constraint that avoids the generation of roles sharing identical set of permissions. Similarly, within this context, we describe a heuristic enabling the computation of a solution in the new model. Additionally, we assess both heuristics’ performances using real-world datasets.
Read full abstract