Mining stable roles in RBAC

Abstract

In this paper we address the problem of generating a candidate role-set for an RBAC configuration that enjoys the following two key features: it minimizes the administration cost; and, it is a stable candidate role-set. To achieve these goals, we implement a three steps methodology: first, we associate a weight to roles; second, we identify and remove the user-permission assignments that cannot belong to a role that have a weight exceeding a given threshold; third, we restrict the problem of finding a candidate role-set for the given system configuration using only the user-permission assignments that have not been removed in the second step-that is, user-permission assignments that belong to roles with a weight exceeding the given threshold. We formally show-proof of our results are rooted in graph theory-that this methodology achieves the intended goals. Finally, we discuss practical applications of our approach to the role mining problem. © IFIP International Federation for Information Processing 2009.