Affiliation:
1. School of Computer and Information Technology, Xinyang Normal University, Xinyang 464000, China
Abstract
Role-based access control (RBAC) is a widely popular access control mechanism because of its convenience for authorization administration and its support for various security policies, such as separation-of-duty constraints and cardinality constraints. In recent years, role-engineering technology has emerged as an efficient approach to constructing optimal RBAC systems. However, top-down approaches are labor-intensive and error-prone; bottom-up approaches lack flexibility and scalability as organizational requirements change dynamically, and cannot generate valuable or meaningful roles that are relevant to actual application scenarios. Furthermore, most conventional methods do not consider multiple cardinality constraints. To address these issues, this paper proposes a novel hybrid role-engineering method. First, to develop an initial access control system while alleviating manual workloads, we use natural language processing techniques to extract machine-readable and machine-enforceable access control policies from top-down natural language requirement documents. Second, to flexibly meet diverse organizational requirements while enhancing the security of role-engineering processes, we define several variants of the optimization problem with multiple cardinality constraints via Boolean matrix decomposition, according to different evaluation measures or optimization objectives, and present a unified modelling framework for these variants using integer linear programming. Third, to verify whether the constraints can be satisfied in the constructed access control system, we present heuristic optimization algorithms that work in a bottom-up manner. The experimental evaluations demonstrate the effectiveness and efficiency of the proposed method.
Subject
Computer Networks and Communications, Computer Science Applications
Cited by
1 article.