Affiliation:
1. College of Computer Science and Technology, Zhengzhou University of Light Industry, Zhengzhou 450000, China
2. Shangu Cyber Security Technology Co., Ltd., Zhengzhou 450000, China
Abstract
Role-based access control (RBAC) is a widely adopted access control model in various domains for defining security management. Role mining is closely related to role-based access control, as the latter employs role assignments to offer a flexible and scalable approach to managing permissions within an organization. The edge role mining problem (Edge RMP), a variant of the role mining problem (RMP), has long been recognized as an effective strategy for role assignment. Role mining, which groups users with similar access permissions into the same role, bears some resemblance to symmetry. Symmetry categorizes objects or graphics with identical characteristics into one group. Both involve a certain form of “classification” or “induction”. Edge-RMP reduces the associations between users and permissions, thereby lowering the security risks faced by the system. While an algorithm based on Boolean matrix factorization exists for this problem, it fails to further refine the resulting user–role assignment (UA) and role–permission assignment (PA) relationships. Additionally, this algorithm does not address constraint-related issues, such as cardinality constraints, user exclusion constraints, and user capabilities. Furthermore, it demonstrates significant redundancy of roles when handling large datasets, leaving room for further optimization of Edge-RMP results. To address these concerns, this paper proposes the MFC-RMA algorithm based on Boolean matrix factorization. The method achieves significant optimization of Edge-RMP results by handling relationships between roles possessing various permissions. Furthermore, this paper clusters, compresses, modifies, and optimizes the original data based on the similarity between users, ensuring its usability for role mining. Both theoretical and practical considerations are taken into account for different types of constraints, and algorithms are devised to reallocate roles incorporating these constraints, thereby generating UA and PA matrices. The proposed approach yields optimal numbers of generated roles and the sum of the minimum number of generated edges to address the aforementioned issues. Experimental results demonstrate that the algorithm reduces management overhead, provides efficient execution results, and ensures the accuracy of generated roles.
Funder
National Natural Science Foundation of China
the Key Research and Development Special Project of Henan Province
Reference43 articles.
1. Sun, W., Su, H., and Xie, H. (2020). Policy-Engineering Optimization with Visual Representation and Separation-of-Duty Constraints in Attribute-Based Access Control. Future Internet, 12.
2. Deploying ABAC policies using RBAC systems;Batra;J. Comput. Secur.,2019
3. A Thorough Trust and Reputation Based RBAC Model for Secure Data Storage in the Cloud;Ghafoorian;IEEE Trans. Parallel Distrib. Syst.,2019
4. Coyne, E.J. (December, January 30). Role engineering. Proceedings of the First ACM Workshop on Role-Based Access Control, Gaithersburg, MD, USA.
5. Vaidya, J., Atluri, V., and Guo, Q. (2007, January 20–22). The role mining problem: Finding a minimal descriptive set of roles. Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France.