A formal approach to the role mining problem

Role-based access control (RBAC) has become the norm for enforcing security since it has been successfully implemented in various commercial systems. Roles, which are nothing but sets of permissions when semantics are unavailable, represent organizational agents that perform certain job functions within the organization. Role engineering, the process of defining a set of roles and associate permissions to them, is essential before all the benefits of RBAC can be realized. There are two basic approaches towards role engineering: top-down and bottom-up. The key problem with the top-down approach is that it is likely to ignore the existing permissions. In addition, the top-down approach calls for a good understanding among various authorities from different disciplines, which makes role engineering tedious, time consuming and very difficult to implement. In contrast, the bottom-up approach automates the role engineering process especially when business semantics are not available. Also, it starts from the existing permissions and aggregates them into roles. Therefore, role engineering by the bottom-up approach is also referred to as role mining. A number of approaches exist for role mining and majority of them employ clustering techniques or their variants to discover roles. An inherent problem with these approaches is that there is no formal notion of goodness/ interestingness of a role. They present heuristic ways to find a set of candidate roles. While offering justifications for the identified roles, there is no integrative view of the entire set of roles. For insightful bottom-up analysis, we need to define interestingness metrics for roles. The objective of this dissertation research is to formally define a list of role mining problems and find the solutions to solve them.Ph.D.Includes bibliographical referencesIncludes vitaby Qi Gu