Role Mining with Probabilistic Models

TL;DR

This paper introduces probabilistic models for role mining in RBAC systems, framing it as an inference problem to improve role identification accuracy and generalization compared to traditional combinatorial methods.

Contribution

It proposes a novel probabilistic inference approach for role mining, capturing permission assignment processes and modeling conflicts and hierarchies.

Findings

Probabilistic models outperform traditional methods in generalization.

Models effectively capture user-permission assignment patterns.

Experimental results on real-world data validate the approach.

Abstract

Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given an access-control matrix assigning users to access permissions as input. Most role mining approaches work by constructing a large set of candidate roles and use a greedy selection strategy to iteratively pick a small subset such that the differences between the resulting RBAC configuration and the access control matrix are minimized. In this paper, we advocate an alternative approach that recasts role mining as an inference problem rather than a lossy compression problem. Instead of using combinatorial algorithms to minimize the number of roles needed to represent the access-control matrix, we derive probabilistic models to learn the RBAC configuration that most likely underlies the given matrix. Our models are generative in that they reflect the way that permissions are assigned to users in a given RBAC configuration. We additionally model how user-permission assignments that conflict with an RBAC configuration emerge and we investigate the influence of constraints on role hierarchies and on the number of assignments. In experiments with access-control matrices from real-world enterprises, we compare our proposed models with other role mining methods. Our results show that our probabilistic models infer roles that generalize well to new system users for a wide variety of data, while other models' generalization abilities depend on the dataset given.