Permission Set Mining: Discovering Practical and Useful Roles
Dana Zhang
The University of Melbourne
Australia
Kotagiri Ramamohanarao
The University of Melbourne
Australia
Tim Ebringer
The University of Melbourne
Australia
Trevor Yann
CA Labs
Australia
Abstract:
Role-based access control is an efficient and effective way to manage and govern permissions for a large number of users. However, defining a role infrastructure that accurately reflects the internal functionalities and workings of a large enterprise is a challenging task. Recent research has focused on the theoretical components of automated role identification while practical applications for identifying roles remain unsolved.
This research proposes a practical data mining heuristic that is fast, scalable and capable of identifying comprehensive roles and placing them into a hierarchy. Permission set pattern data mining can be used to identify the roles with partial orderings that cover the largest proportion of user permissions within a system. We test the algorithm on real user permission assignments as well as on generated data sets. Roles identified in test sets cover up to 85% of user permissions, and analysis shows the roles offer the largest amount of administrative benefit. We find interesting correlations between roles and their relationships and analyse the trade-offs between retaining exact user permission assignments and identifying the most effective roles.
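The general idea of mining permission sets into roles, ranking them by coverage and ordering them by subset can be sketched as follows. This is an added, simplified illustration and not the heuristic from the paper: the candidate generation by pairwise intersection, the greedy selection, the sample data and all function names are assumptions made for the example.

```python
from itertools import combinations

# Constructed user-permission assignments for illustration (not data from the paper).
UPA = {
    "alice": {"read_hr", "write_hr", "vpn"},
    "bob":   {"read_hr", "write_hr", "vpn"},
    "carol": {"read_hr", "vpn"},
    "dave":  {"read_fin", "write_fin", "vpn"},
    "erin":  {"read_fin", "write_fin", "vpn", "approve_fin"},
    "frank": {"vpn"},
}

def candidate_roles(upa, min_users=2):
    """Candidates: distinct user permission sets plus their pairwise
    intersections, kept only if held in full by at least min_users users."""
    sets = {frozenset(p) for p in upa.values()}
    sets |= {a & b for a, b in combinations(sets, 2)}
    support = {s: sum(1 for p in upa.values() if s <= p) for s in sets if s}
    return {s: n for s, n in support.items() if n >= min_users}

def select_roles(upa, k=3, min_users=2):
    """Greedily pick up to k roles by newly covered (user, permission) pairs.
    A role is only given to users who already hold all of its permissions,
    so the result never grants anything beyond the original assignments."""
    cands = candidate_roles(upa, min_users)
    uncovered = {(u, p) for u, ps in upa.items() for p in ps}
    total = len(uncovered)
    chosen = []

    def newly_covered(role):
        return {(u, p) for u, ps in upa.items() if role <= ps for p in role} & uncovered

    for _ in range(k):
        # Ties go to the larger role, then to a fixed name order, for determinism.
        best = max(cands, key=lambda r: (len(newly_covered(r)), len(r), sorted(r)), default=None)
        if best is None or not newly_covered(best):
            break
        chosen.append(best)
        uncovered -= newly_covered(best)
    return chosen, (total - len(uncovered)) / total

def hierarchy(roles):
    """Partial order as (senior, junior) pairs: junior is a proper subset of senior."""
    return {(s, j) for s in roles for j in roles if j < s}

if __name__ == "__main__":
    roles, coverage = select_roles(UPA)
    print([sorted(r) for r in roles], coverage, hierarchy(roles))
```

Permissions left uncovered (here erin's `approve_fin`) stay as direct assignments, which is the trade-off between reproducing exact assignments and keeping the role set small.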
