Role Mining



Role Mining - overview

Role-based access control (RBAC) is an attractive and widely used model in enterprise security and identity management products. It offers a conceptually simple way to tie entitlements to business function, reduces the number of relations that must be managed, and simplifies administration. Role engineering, the step of constructing the roles that make up an RBAC system, is the most costly part of adopting a role-based system.

The advantages of role-based access control do not come free; according to a NIST study, building the RBAC system itself is the costliest part of deploying or transitioning to RBAC. The role mining research project aims to reduce the cost of deploying access control policies, especially role-based ones. Our approach automates the discovery of roles and the provisioning of new users by applying data mining and machine learning techniques to the existing access control information: deployed policies, attributes describing users, permissions and other resources, and historical access logs. The objective is to identify policy misconfigurations, especially those that may affect the security of deployed applications, and to discover semantically meaningful roles that accurately reflect the tasks users perform over time.

This is accomplished by modeling access control policies from two directions. First, we model how a security administrator provisions users and reasons about access control, and try to minimize that administrator's workload. Second, we model how users actually exercise their entitlements to perform tasks for the organization, and how those tasks change as a user moves through the organization.
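As an added illustration of what mining roles from existing access control information looks like in practice, the Python script below runs a simple greedy role-mining pass over a small, constructed user-permission assignment (UPA). It is not the project's own code or algorithm: the candidate generation (users' permission sets closed under intersection), the greedy coverage heuristic, the single-member-role check used to surface entitlements worth reviewing, and all user and permission names are assumptions made for this example.

```python
"""Toy role mining over a constructed user-permission assignment (UPA).

Candidate roles are the users' permission sets closed under intersection.
Roles are then chosen greedily: at each step the candidate that explains the
most still-unexplained (user, permission) cells becomes a role and is assigned
to the users it helps, until every cell of the UPA is explained. The resulting
user-role (UA) and role-permission (PA) relations reproduce the UPA exactly.
"""
from itertools import combinations

# Constructed sample data for the example; not taken from any real deployment.
UPA = {
    "alice": {"read_ledger", "post_journal", "view_payroll"},
    "bob":   {"read_ledger", "post_journal"},
    "carol": {"read_ledger", "post_journal"},
    "dave":  {"view_payroll", "edit_payroll"},
    "erin":  {"view_payroll", "edit_payroll"},
    "frank": {"read_ledger", "post_journal", "drop_tables"},
}


def candidate_roles(upa):
    """Every user's permission set, closed under pairwise intersection."""
    cands = {frozenset(p) for p in upa.values()}
    while True:
        new = {a & b for a, b in combinations(cands, 2)} - {frozenset()}
        if new <= cands:
            return cands
        cands |= new


def mine_roles(upa):
    """Greedy cover of the UPA by candidate roles.

    Returns (ua, pa): ua maps user -> set of role ids, pa maps role id ->
    frozenset of permissions.
    """
    cands = candidate_roles(upa)
    covered = {u: set() for u in upa}      # cells already explained by a role
    ua = {u: set() for u in upa}
    pa = {}
    while any(covered[u] != upa[u] for u in upa):
        def gain(role):
            # Unexplained cells this role would cover, over users who hold it.
            return sum(len(role - covered[u]) for u in upa if role <= upa[u])
        # Tie-break towards smaller roles, then by name, so runs are deterministic.
        best = max(cands, key=lambda r: (gain(r), -len(r), tuple(sorted(r))))
        if gain(best) == 0:
            raise RuntimeError("no candidate explains the remaining cells")
        rid = f"R{len(pa)}"
        pa[rid] = best
        for u in upa:
            # Assign the role only where it explains something new for the user.
            if best <= upa[u] and best - covered[u]:
                ua[u].add(rid)
                covered[u] |= best
    return ua, pa


def reconstruct(ua, pa):
    """Boolean product UA x PA: the permissions each user receives via roles."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}


def single_member_roles(ua, pa):
    """Roles held by exactly one user: candidate misconfigurations to review."""
    members = {rid: sorted(u for u in ua if rid in ua[u]) for rid in pa}
    return {rid: m[0] for rid, m in members.items() if len(m) == 1}


if __name__ == "__main__":
    ua, pa = mine_roles(UPA)
    for rid in sorted(pa):
        print(rid, sorted(pa[rid]), "->", sorted(u for u in ua if rid in ua[u]))
    assert reconstruct(ua, pa) == UPA
    print("review:", single_member_roles(ua, pa))
```

On this input the greedy pass finds a shared ledger role and a shared payroll role first, then two single-member roles: alice's extra `view_payroll` and frank's `drop_tables`. Those single-member roles are exactly the entitlements an administrator would want to look at, which is why the script reports them separately; a real deployment would also weigh user attributes and usage logs, which this toy ignores.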