A business-driven decomposition methodology for role mining

Alessandro Colantonio*, Roberto Di Pietro, Nino Vincenzo Verde

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

20 Scopus citations

Abstract

It is generally accepted that role mining - that is, the discovery of roles through the automatic analysis of data from existing access control systems - must count on business requirements to increase its effectiveness. Indeed, roles elicited without leveraging on business information are unlikely to be intelligible by system administrators. A business-oriented categorization of users and permissions (e.g., organizational units, job titles, cost centers, business processes, etc.) could help administrators identify the job profiles of users and, as a consequence, which roles should be assigned to them. Nonetheless, most of the existing role mining techniques yield roles that have no clear relationship with the business structure of the organization where the role mining is being applied. To face this problem, we propose a methodology that allows role engineers to leverage business information during the role finding process. The key idea is decomposing the dataset to analyze into several partitions, in a way that each partition is homogeneous from a business perspective. Each partition groups users or permissions with the same business categorization (e.g., all the users belonging to the same department, or all the permissions that support the execution of the same business process). Such partitions are then role-mined independently, hence achieving three main results: (1) elicited roles have a clearer relationship with business information; (2) mining algorithms do not seek to find commonalities among users with fundamentally different job profiles or among uncorrelated permissions; and, (3) any role mining algorithm can be used in conjunction with our approach. When several business attributes are available, analysts need to figure out which one produces the decomposition that leads to the most intelligible roles. In this paper, we describe three indexes that drive the decomposition process by measuring the quality of a given decomposition: entrustability, minability gain, and similarity gain. We compare these indexes, pointing out pros and cons. Finally, we apply our methodology on real enterprise data, showing its effectiveness and efficiency in supporting role engineering.

Original languageEnglish (US)
Pages (from-to)844-855
Number of pages12
JournalComputers and Security
Volume31
Issue number7
DOIs
StatePublished - Oct 2012

Bibliographical note

Funding Information:
This work has been carried out with the support of ACC1O, the Catalan Business Comptitiveness Support Agency.

Keywords

  • Business relevance
  • Data partitioning
  • RBAC
  • Role engineering
  • Role mining

ASJC Scopus subject areas

  • General Computer Science
  • Law

Fingerprint

Dive into the research topics of 'A business-driven decomposition methodology for role mining'. Together they form a unique fingerprint.

Cite this