Role mining based on permission cardinality constraint and user cardinality constraint

Abstract: Constraint is an essential aspect of role‐based access control (RBAC) and is sometimes argued to be the principle motivation for RBAC. However, most of role mining algorithms do not consider the constraint. Furthermore, they just compare the least cost of the authorization process but do not consider how to assess the accuracy of the derived role state, thus, providing the motivation for this work. In this paper, we first define a wide variety of constraints, especially the permission cardinality constraint an… Show more

“…The CPA chooses roles by iteratively picking the role with the largest number of permissions that are yet uncovered and then ensures that no user is assigned more than a given number of roles [38]. In order to limit the maximum number of users or permissions related to a role, Ma et al [26] proposed a role mining algorithm to generate roles based on permission cardinality constraints and user cardinality constraints. In order to simultaneously limit the maximum number of roles assigned to a user and a related permission, Harika et al proposed the two role-optimization methods: Post processing and concurrent processing.…”

“…The PCC [26] states that, for a given set of U of users, set R of roles, and threshold MRC permission , the number of roles to which any permission can be assigned should not exceed MRC permission . This can be formalized as follows:…”

“…Meanwhile, it is observed in Section 1 and Section 2 that the methods proposed by Kumar et al [35] and Blundo et al [36] only satisfied the cardinality constraint RPC; the method proposed by Hingankar et al [37] only satisfied the RUC; the CPA and RPA proposed by John et al [38] only satisfied the UCC; the method proposed by Ma et al [26] satisfied the RUC or RPC; the methods proposed by Sarana et al [40] did not satisfy any cardinality constraint but satisfied the SMER constraints; the methods proposed by Harika et al [39] could satisfy the UCC and PCC simultaneously. In addition, the system status was unknown using any of these methods.…”

“…For example, the general-manager role in a company must be assigned to only one person; ordinary users should not have too many roles, otherwise there is the possibility for users to abuse their privileges (e.g., the fewer roles assigned to the permission of opening a safe, the better). There are four different types of cardinality constraints [26]: (1) User-role cardinality constraint (UCC), (2) permission-role cardinality constraint (PCC), (3) role-user cardinality constraint (RUC), and (4) role-permission cardinality constraint (RPC). In the approaches for role optimization with cardinality constraints, most existing methods not only do not consider more than one constraint, but also cannot determine whether other security constraints are met in the constructed RBAC system.…”

Role-Engineering Optimization with Cardinality Constraints and User-Oriented Mutually Exclusive Constraints

“…The CPA chooses roles by iteratively picking the role with the largest number of permissions that are yet uncovered and then ensures that no user is assigned more than a given number of roles [38]. In order to limit the maximum number of users or permissions related to a role, Ma et al [26] proposed a role mining algorithm to generate roles based on permission cardinality constraints and user cardinality constraints. In order to simultaneously limit the maximum number of roles assigned to a user and a related permission, Harika et al proposed the two role-optimization methods: Post processing and concurrent processing.…”

“…The PCC [26] states that, for a given set of U of users, set R of roles, and threshold MRC permission , the number of roles to which any permission can be assigned should not exceed MRC permission . This can be formalized as follows:…”

“…Meanwhile, it is observed in Section 1 and Section 2 that the methods proposed by Kumar et al [35] and Blundo et al [36] only satisfied the cardinality constraint RPC; the method proposed by Hingankar et al [37] only satisfied the RUC; the CPA and RPA proposed by John et al [38] only satisfied the UCC; the method proposed by Ma et al [26] satisfied the RUC or RPC; the methods proposed by Sarana et al [40] did not satisfy any cardinality constraint but satisfied the SMER constraints; the methods proposed by Harika et al [39] could satisfy the UCC and PCC simultaneously. In addition, the system status was unknown using any of these methods.…”

“…For example, the general-manager role in a company must be assigned to only one person; ordinary users should not have too many roles, otherwise there is the possibility for users to abuse their privileges (e.g., the fewer roles assigned to the permission of opening a safe, the better). There are four different types of cardinality constraints [26]: (1) User-role cardinality constraint (UCC), (2) permission-role cardinality constraint (PCC), (3) role-user cardinality constraint (RUC), and (4) role-permission cardinality constraint (RPC). In the approaches for role optimization with cardinality constraints, most existing methods not only do not consider more than one constraint, but also cannot determine whether other security constraints are met in the constructed RBAC system.…”

Role-Engineering Optimization with Cardinality Constraints and User-Oriented Mutually Exclusive Constraints

“…Other papers examined the permission-distribution cardinality constraint, which is the dual of the role-usage constraint and restricts the number of roles to which a permission can belong to [14]. Sometimes, multiple cardinality constraints have been considered [3], [14], [21], [24].…”

Managing Constraints in Role Based Access Control

Role Mining in the Presence of Separation of Duty Constraints