Publication


Featured research published by Alessandro Colantonio.


Computers & Security | 2010

Taming role mining complexity in RBAC

Alessandro Colantonio; Roberto Di Pietro; Alberto Ocello; Nino Vincenzo Verde

In this paper we address the problem of reducing role mining complexity in RBAC systems. To this aim, we propose a three-step methodology: first, we associate a weight with roles; second, we identify user-permission assignments that cannot belong to roles with a weight exceeding a given threshold; and third, we restrict the role-finding problem to the user-permission assignments identified in the second step. We formally show (the proofs of our results are rooted in graph theory) that this methodology allows role engineers to elicit stable candidate roles, by contextually simplifying the role selection task. Efficient algorithms to implement our strategy are also described. Further, we discuss practical applications of our approach. Finally, we tested our methodology on a real dataset. The results achieved confirm both the viability of our proposal and the analytical findings.


Information Security Conference | 2008

Leveraging Lattices to Improve Role Mining

Alessandro Colantonio; Roberto Di Pietro; Alberto Ocello

In this paper we provide a new formal framework applicable to role mining algorithms. This framework is based on a rigorous analysis of identifiable patterns in access permission data. In particular, it is possible to derive a lattice of candidate roles from the permission powerset. We formally prove some interesting properties about such lattices. These properties, a contribution on their own, can be applied practically to optimize role mining algorithms. Data redundancies associated with co-occurrences of permissions among users can be easily identified and eliminated, allowing for increased output quality and reduced processing time. To prove the effectiveness of our proposal, we have applied our results to two existing role mining algorithms: Apriori and RBAM. Application of these modified algorithms to a realistic data set consistently reduced running time and, in some cases, also greatly improved output quality; all of which confirmed our analytical findings.


Decision Support Systems | 2011

A new role mining framework to elicit business roles and to mitigate enterprise risk

Alessandro Colantonio; Roberto Di Pietro; Alberto Ocello; Nino Vincenzo Verde

Role-based access control (RBAC) makes it possible to effectively manage the risk derived from granting access to resources, provided that the designed roles are business-driven. Role mining represents an essential tool for role engineers, but existing techniques are not able to elicit roles with an associated clear business meaning. Hence, it is difficult to mitigate risk, to simplify business governance, and to ensure compliance throughout the enterprise. To elicit meaningful roles, we propose a methodology where the data to analyze are decomposed into smaller subsets according to the provided business information. We introduce two indices, minability and similarity, that drive the decomposition process by providing the expected complexity of finding roles with business meaning. The proposed methodology is rooted in a sound theoretical framework. Moreover, experiments on real enterprise data support its effectiveness.


IEEE Transactions on Knowledge and Data Engineering | 2012

Visual Role Mining: A Picture Is Worth a Thousand Roles

Alessandro Colantonio; R. Di Pietro; Alberto Ocello; Nino Vincenzo Verde

This paper offers a new role engineering approach to Role-Based Access Control (RBAC), referred to as visual role mining. The key idea is to graphically represent user-permission assignments to enable quick analysis and elicitation of meaningful roles. First, we formally define the problem by introducing a metric for the quality of the visualization. Then, we prove that finding the best representation according to the defined metric is an NP-hard problem. In turn, we propose two algorithms: ADVISER and EXTRACT. The former is a heuristic used to best represent the user-permission assignments of a given set of roles. The latter is a fast probabilistic algorithm that, when used in conjunction with ADVISER, allows for a visual elicitation of roles even in the absence of predefined roles. Besides being rooted in sound theory, our proposal is supported by extensive simulations run over real data. Results confirm the quality of the proposal and demonstrate its viability in supporting role engineering decisions.


Information Security | 2009

Mining Stable Roles in RBAC

Alessandro Colantonio; Roberto Di Pietro; Alberto Ocello; Nino Vincenzo Verde

In this paper we address the problem of generating a candidate role-set for an RBAC configuration that enjoys the following two key features: it minimizes the administration cost; and it is a stable candidate role-set. To achieve these goals, we implement a three-step methodology: first, we associate a weight with roles; second, we identify and remove the user-permission assignments that cannot belong to a role that has a weight exceeding a given threshold; third, we restrict the problem of finding a candidate role-set for the given system configuration to only the user-permission assignments that have not been removed in the second step—that is, user-permission assignments that belong to roles with a weight exceeding the given threshold. We formally show—the proofs of our results are rooted in graph theory—that this methodology achieves the intended goals. Finally, we discuss practical applications of our approach to the role mining problem.


ACM Symposium on Applied Computing | 2010

ABBA: adaptive bicluster-based approach to impute missing values in binary matrices

Alessandro Colantonio; Roberto Di Pietro; Alberto Ocello; Nino Vincenzo Verde

Missing values frequently pose problems in binary matrix analysis, since they can hinder downstream analysis of the datasets. Although many imputation methods have been developed to substitute missing values with estimated values, the available techniques share some common disadvantages: they need to fix some parameters (e.g., number of patterns, number of rows to consider) to estimate missing values, with little theoretical support to determine these parameters; and missing values need to be recomputed from scratch as parameters change. In this paper we propose a novel algorithm (ABBA: Adaptive Bicluster-Based Approach) that does not have the above limitations. Further, a formal framework that justifies the rationale behind ABBA is detailed. Finally, experimental results over both synthetic and real data confirm the viability of our approach and the quality of the results, which surpass those achieved by the main competing algorithm (KNN).


Information Security Conference | 2009

A Probabilistic Bound on the Basic Role Mining Problem and Its Applications

Alessandro Colantonio; Roberto Di Pietro; Alberto Ocello; Nino Vincenzo Verde

The aim of this paper is to describe a new probabilistic approach to the role engineering process for RBAC. We address the issue of minimizing the number of roles, a problem known in the literature as the Basic Role Mining Problem (basicRMP). We leverage the equivalence of the above issue with the vertex coloring problem. Our main result is to prove that the minimum number of roles is sharply concentrated around its expected value. A further contribution is to show how this result can be applied as a stop condition when striving to find an approximation for the basicRMP. The proposal can also be used to decide whether it is advisable to undertake the effort to renew an RBAC state. Both these applications can result in a substantial saving of resources. A thorough analysis using advanced probabilistic tools supports our results. Finally, further relevant research directions are highlighted.


Computers & Security | 2012

A business-driven decomposition methodology for role mining

Alessandro Colantonio; Roberto Di Pietro; Nino Vincenzo Verde

It is generally accepted that role mining, that is, the discovery of roles through the automatic analysis of data from existing access control systems, must count on business requirements to increase its effectiveness. Indeed, roles elicited without leveraging business information are unlikely to be intelligible to system administrators. A business-oriented categorization of users and permissions (e.g., organizational units, job titles, cost centers, business processes, etc.) could help administrators identify the job profiles of users and, as a consequence, which roles should be assigned to them. Nonetheless, most of the existing role mining techniques yield roles that have no clear relationship with the business structure of the organization where role mining is being applied. To address this problem, we propose a methodology that allows role engineers to leverage business information during the role finding process. The key idea is to decompose the dataset to analyze into several partitions, such that each partition is homogeneous from a business perspective. Each partition groups users or permissions with the same business categorization (e.g., all the users belonging to the same department, or all the permissions that support the execution of the same business process). Such partitions are then role-mined independently, hence achieving three main results: (1) elicited roles have a clearer relationship with business information; (2) mining algorithms do not seek to find commonalities among users with fundamentally different job profiles or among uncorrelated permissions; and (3) any role mining algorithm can be used in conjunction with our approach. When several business attributes are available, analysts need to figure out which one produces the decomposition that leads to the most intelligible roles. In this paper, we describe three indexes that drive the decomposition process by measuring the quality of a given decomposition: entrustability, minability gain, and similarity gain. We compare these indexes, pointing out pros and cons. Finally, we apply our methodology to real enterprise data, showing its effectiveness and efficiency in supporting role engineering.


Conference on Data and Application Security and Privacy | 2012

Role engineering: from theory to practice

Nino Vincenzo Verde; Jaideep Vaidya; Vijay Atluri; Alessandro Colantonio

Role-Based Access Control (RBAC) is the de facto standard in access control models, and is widely used in many applications and organizations of all sizes. However, the task of finding an appropriate set of roles, called role engineering, remains the most challenging roadblock to effective deployment. In recent years, this problem has attracted a lot of attention, with several bottom-up approaches being proposed under the field of role mining. However, most of these theoretical approaches cannot be directly applied to large-scale datasets, which is where they are most necessary. Therefore, in this paper, we look at how to make role mining practical and usable for actual deployment. We propose a six-step methodology that makes role mining scalable without sacrificing utility and is agnostic to the actual role mining technique used. The experimental evaluation validates the viability of our approach.


Information Security | 2010

Mining Business-Relevant RBAC States through Decomposition

Alessandro Colantonio; Roberto Di Pietro; Alberto Ocello; Nino Vincenzo Verde

Role-based access control is widely accepted as a best practice to effectively limit system access to authorized users only. To enhance its benefits, the role definition process must count on business requirements. Role mining represents an essential tool for role engineers, but most of the existing techniques cannot elicit roles with an associated clear business meaning. To this end, we propose a methodology where the dataset is decomposed into smaller subsets that are homogeneous from a business perspective. We introduce the entrustability index, which provides, for a given partition, the expected uncertainty in locating homogeneous sets of users and permissions that are manageable with the same role. Therefore, by choosing the decomposition with the highest entrustability value, we most likely identify roles with a clear business meaning. The proposed methodology is rooted in information theory, and experiments on real enterprise data support its effectiveness.

Collaboration

Top co-author: Angelo Spognardi (Technical University of Denmark)