29 research outputs found
An Accurate and Scalable Role Mining Algorithm based on Graph Embedding and Unsupervised Feature Learning
Role-based access control (RBAC) is one of the most widely used authorization models in organizations. In RBAC, accesses are controlled based on the roles of users within the organization. The flexibility and usability of RBAC have encouraged organizations to migrate from traditional discretionary access control (DAC) models to RBAC. The most challenging step in this migration is role mining, which is the process of extracting meaningful roles from existing access control lists. Although various approaches have been proposed to address this NP-complete role mining problem in the literature, they either suffer from low scalability or present heuristics that suffer from low accuracy. In this paper, we propose an accurate and scalable approach to the role mining problem. To this aim, we represent user-permission assignments as a bipartite graph where nodes are users and permissions, and edges are user-permission assignments. Next, we introduce an efficient deep learning algorithm based on random walk sampling to learn low-dimensional representations of the graph, such that permissions that are assigned to similar users are closer in this new space. Then, we use k-means and GMM clustering techniques to cluster permission nodes into roles. We show the effectiveness of our proposed approach by testing it on different datasets. Experimental results show that our approach performs accurate role mining, even for large datasets.
Towards Better Understanding of User Authorization Query Problem via Multi-variable Complexity Analysis
User authorization queries in the context of role-based access control have
attracted considerable interest in the last 15 years. Such queries are used to
determine whether it is possible to allocate a set of roles to a user that
enables the user to complete a task, in the sense that all the permissions
required to complete the task are assigned to the roles in that set. Answering
such a query, in general, must take into account a number of factors,
including, but not limited to, the roles to which the user is assigned and
constraints on the sets of roles that can be activated. Answering such a query
is known to be NP-hard. The presence of multiple parameters and the need to
find efficient and exact solutions to the problem suggest that a multi-variate
approach will enable us to better understand the complexity of the user
authorization query problem (UAQ). In this paper, we establish a number of
complexity results for UAQ. Specifically, we show the problem remains hard even
when quite restrictive conditions are imposed on the structure of the problem.
Our FPT results show that we have to use either a parameter with potentially
quite large values or quite a restricted version of UAQ. Moreover, our second
FPT algorithm is complex and requires sophisticated, state-of-the-art
techniques. In short, our results show that it is unlikely that all variants of
UAQ that arise in practice can be solved reasonably quickly in general.
Comment: Accepted for publication in ACM Transactions on Privacy and Security
(TOPS)
Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control
The study of canonically complete attribute-based access control (ABAC)
languages is relatively new. A canonically complete language is useful as it is
functionally complete and provides a "normal form" for policies. However,
previous work on canonically complete ABAC languages requires that the set of
authorization decisions is totally ordered, which does not accurately reflect
the intuition behind the use of the allow, deny and not-applicable decisions in
access control. A number of recent ABAC languages use a fourth value and the
set of authorization decisions is partially ordered. In this paper, we show how
canonical completeness in multi-valued logics can be extended to the case where
the set of truth values forms a lattice. This enables us to investigate the
canonical completeness of logics having a partially ordered set of truth
values, such as Belnap logic, and show that ABAC languages based on Belnap
logic, such as PBel, are not canonically complete. We then construct a
canonically complete four-valued logic using connections between the generators
of the symmetric group (defined over the set of decisions) and unary operators
in a canonically suitable logic. Finally, we propose a new authorization
language , an extension of PTaCL, which
incorporates a lattice-ordered decision set and is canonically complete. We
then discuss how the advantages of can be
leveraged within the framework of XACML.
Managing Break-The-Glass using Situation-oriented authorizations
The patient's life is a redline in Healthcare environments. Whenever it comes to danger, such environments reject static authorizations. A common problem "Break The Glass" is known as the act of breaking the static authorization in order to reach the required permission. Healthcare environment is full of different contexts and situations that require the authorizations to be dynamic. Dynamic Authorization is a concept of giving the choice to E-Health authorization system to choose the most suitable permission by considering one's situation. This paper aims at preventing the matter of modifying the policy to make authorizations dynamic. It introduces a simple solution to provide Dynamic Authorization by orienting the authorization system decision using situations. Situations, which are calculated using Complex Event Processing, are integrated to XACML architecture. A Healthcare example proves the efficiency of our approach.