Next Article in Journal
Ranking by Relevance and Citation Counts, a Comparative Study: Google Scholar, Microsoft Academic, WoS and Scopus
Previous Article in Journal
Incorporating Background Checks with Sentiment Analysis to Identify Violence Risky Chinese Microblogs

Future Internet 2019, 11(9), 201; https://doi.org/10.3390/fi11090201

Article
Role-Mining Optimization with Separation-of-Duty Constraints and Security Detections for Authorizations
1
Center of Network Information and Computing, Xinyang Normal University, Xinyang 464000, China
2
School of Computer and Technology, Guilin University of Aerospace Technology, Guilin 541000, China
3
School of Computer and Information Technology, Xinyang Normal University, Xinyang 464000, China
*
Author to whom correspondence should be addressed.
Received: 21 August 2019 / Accepted: 16 September 2019 / Published: 19 September 2019

Abstract

:
Role-based access control (RBAC), which has been regarded as one of the most popular access-control mechanisms, is featured by the separation-of-duty constraints, mutually exclusive constraints, and the least-privileges principle. Role mining, a bottom-up role-engineering technology, is an effective method to migrate from a non-RBAC system to an RBAC system. However, conventional role-mining approaches not only do not consider the separation of duty constraints, but also cannot ensure the security of a constructed RBAC system when the corresponding mined results violate the separation of a duty constraint and/or the least-privileges principle. To solve these problems, this paper proposes a novel method called role-mining optimization with separation-of-duty constraints and security detections for authorizations (RMO_SODSDA), which mainly includes two aspects. First, we present a role-mining-optimization approach for satisfying the separation of duty constraints, and we constructed different variants of mutually exclusive constraints to correctly implement the given separation of duty constraints based on unconstrained role mining. Second, to ensure the security of the constructed system and evaluate authorization performance, we reduced the authorization-query problem to a maximal-satisfiability problem. The experiments validate the effectiveness and efficiency of the proposed method.
Keywords:
role engineering; role mining; separation of duty constraints; user authorization query

1. Introduction

With the rapid development of network-information technology and the comprehensive application of cloud computing and big data techniques, there is much storage and there are many exchanges in large-scale and complex information-management systems [1]. The mechanism to ensure the security of system data and user information has attracted much attention. An increasing number of enterprises and organizations have adopted role-based access control (RBAC) as their main access-control mechanism, as it makes security administration more flexible and manageable [2,3,4,5,6,7]. With the successful implementations of RBAC systems, designing an effective, complete set of roles and constructing a good RBAC system have become critical tasks. As a solution to facilitate the process of migrating from a non-RBAC system to an RBAC system, role-engineering technology [8,9] has been proposed. There are two main approaches: top-down [10] and bottom-up [11,12,13,14,15,16]. In the former approach, roles are derived by carefully analyzing particular organization functions. While this approach can reflect the functional requirements of the organization well, it is time-consuming and labor-intensive. In the latter approach, roles are aggregated by applying data-mining techniques from existing user-permission assignments, and the architectural structure of RBAC can be automatically constructed. The bottom-up approach, also known as role mining, has gained considerable interest and popularity in recent years.
Vaidya et al. [17] converted role mining into a matrix-decomposition problem and presented the definition of a basic role mining problem (basic RMP), which attempts to find a minimal set of roles from bottom-user permission assignments and completely cover the original assignments. However, it is difficult to derive an optimal role set in practical applications. Afterward, a variant of basic RMP called δ-approx RMP was proposed in the work of [17], which attempts to find a minimal set of roles by allowing a limited number of mismatches. As a result, it is easy to derive a suboptimal role set. Meanwhile, in min-noise RMP [17], the number of roles is bounded, and the number of mismatches between original assignments and assignments in the constructed system is minimized. According to different optimization objectives for role mining, many other approaches have been proposed, such as edge RMP [18], usage RMP [19], and user-oriented exact RMP [20].
A key characteristic of RBAC is that it allows the specification and enforcement of various constraint policies [21,22,23], such as cardinality constraints and separation-of-duty constraints (also called separation-of-duty policies), which can reflect security policies of different enterprises and organizations and ensure system security. The cardinality constraint limits the maximum number of roles related to users or to permissions, the maximum number of permissions a role can have, or the maximum number of users to which a role can be assigned [14]. Another significant constraint discussed in this paper is the separation-of-duty constraint, which is widely recognized to be a fundamental principle in computer security [14]. Typically, the constraint states that at least k users are required to complete a special task that requires n number of permissions. One approach requires that no (k – 1) users together have all the permissions needed to complete the task [24]. It has been widely used in the banking industry and military systems. In the approach to migrate from a non-RBAC system to an RBAC system, however, an inadequately addressed key challenge is that none of the conventional role-mining methods consider the separation-of-duty constraint.
Furthermore, both the mutually-exclusive-role constraint and the least-privileges principle play important roles [25,26] in evaluating system security and authorization performance in a constructed RBAC system. Because of free and random requests of accessing resources and fuzzy system configurations, it is impossible to find an optimal set of roles that cover all permissions for a given access request. The authorization-query problem [27] proved to be satisfiable, strictly complies with the separation-of-duty constraint, and attempts to derive a role set that can cover as many permissions as possible. Maximal satisfiability (MAX-SAT) is a core research problem of theoretical computer science that has had successful applications in various fields, such as artificial intelligence and model detection [28]. Nevertheless, conventional role-mining methods lack security detections for authorizations in the constructed RBAC system. The following problems exist: on the one hand, different results may conflict with each other and violate the mutually exclusive constraint; on the other hand, different results may include permissions outside the permission request and violate the least-privileges principle.
To address the above problems, this paper proposes a novel method called role-mining optimization with separation-of-duty constraints and security detections for authorizations (RMO_SODSDA). The main contributions of this paper are as follows:
(1)
The separation-of-duty constraint was proved to be effectively enforced by mutually exclusive constraints [24]. In order to satisfy these constraints, we presented a constrained-role optimization approach, we constructed several variants of mutually exclusive constraints to correctly implement the given separation of duty, and we evaluated the effectiveness of RMO_SODSDA.
(2)
As a branch of MAX-SAT, the partial MAX-SAT problem [29] aims to satisfy all hard clauses and as many soft clauses as possible. It is clearly more versatile. In order to ensure system security, based on the previously constructed RBAC system, we converted the authorization-query problem into the partial MAX-SAT and evaluated RMO_SODSDA efficiency.
The rest of the paper is organized as follows. In Section 2, we discuss related work and present preliminaries and basic problem descriptions to understand the rest of the paper. Section 3 proposes a novel method (RMO_SODSDA), including two aspects: (1) presenting role optimization with separation-of-duty constraints and demonstrating how to construct different kinds of mutually-exclusive-role constraints, and (2) reducing the authorization-query problem to partial MAX-SAT and demonstrating how to ensure system security. We show the results of the experimental evaluations in Section 4 and present discussions in Section 5. Section 6 concludes the paper and discusses future work.

2. Related Work

2.1. Role-Mining Methods

Many methods have been proposed for role mining. According to whether or not constraints are considered in the optimization process, existing efforts mainly fall into the following two categories: (1) role mining with no constraint, and (2) role mining with constraints.

2.1.1. Role Mining with No Constraint

Vaidya et al. converted role mining into a matrix-decomposition problem and presented the definition of basic RMP. Basic RMP has been proven to be NP-complete, for which several existing studies have already been done to find efficient solutions. In view of the lack of semantics in mining roles, Molloy et al. [30] introduced semantic information, represented roles’ characteristics with a formal concept lattice, and proposed an optimization algorithm to find roles based on formal semantic analysis that can reflect the requirements of the organization’s functions and enhance the interpretability of mining roles. To optimize the RBAC system, Zhang et al. [31] presented an algorithm using graph-optimization theory, which reduces the administration required for role-related assignments through minimizing the number of edges in the graph. However, it does not research the redundancy of the mining results. Ene et al. [32] used heuristics and graph theory to find as few optimized roles as possible, which can reduce graph representations and the redundancy of mining roles. Lu et al. [19] proposed a unified optimization framework for role mining and presented a number of greedy algorithms that could solve basic RMP, δ-approx RMP, min-noise RMP, and edge RMP based on methods of integer linear programming and Boolean matrix decomposition. Although constraints are essential for the RBAC model, none of the above role-mining methods took constraints into account.

2.1.2. Role Mining with Constraints

In order to avoid abuse of privileges, Kumar et al. [33] proposed the constrained role miner algorithm that limits the number of permissions assigned to a role. Hingankar et al. [34] proposed a biclique-cover method to derive a set of roles that limit the maximum number of users related to a role. For example, the managing-director role in a company must be assigned to only one person. John et al. proposed two alternative approaches for restricting the number of roles assigned to a user: the role priority-based approach (RPA) and the coverage of permissions-based approach (CPA). The RPA prioritizes roles based on their number of permissions, and assigns optimal roles to a user according to the priority order. The CPA chooses roles by iteratively picking the role with the largest number of permissions that are yet uncovered, and then ensures that no user contains more than a given number of roles [35]. In order to simultaneously limit the maximum number of roles assigned to a user and a related permission, Harika et al. [36] imposed these constraints during the process of mining roles and proposed a postprocessing framework and a concurrent processing framework.

2.2. Methods of RBAC Authorizations

In order to obtain permissions while satisfying a collection of constraints for a given authorization request, it is necessary to determine whether a set of roles can be activated in a particular system. Zhang et al. presented the user authorization query (UAQ) problem that adopts a greedy algorithm and a mutually-exclusive-role constraint to search for the objects. The UAQ is to discover a set of roles to be activated in a single session for the particular set of permissions requested by the user [27]. This set of roles must satisfy constraints and follow the least-privileges principle. However, it stops searching once the set of roles does not satisfy the requests. Wickramaarachchi et al. [37] introduced the lower and upper bounds for the requested permissions, respectively, converting the UAQ into the MAX-SAT, finding truth assignments that satisfied as many clauses as possible, and demonstrating its effectiveness using SAT solvers. Lu et al. [28] proposed a novel approach based on role–permission reassignments to support the UAQ, which assists administrators to modify system configurations in an automatic manner. Koshimura et al. [38] presented partial MAX-SAT solver QMaxSAT, which encodes soft clauses with the blocking variables and has been proven to be highly effective. Partial MAX-SAT is an extension of MAX-SAT. It sits between the classical SAT problem and the MAX-SAT problem. While the classical SAT problem requires all clauses to be satisfied, MAX-SAT seeks the maximum number of clauses that can be satisfied, and partial MAX-SAT relaxes this requirement by having certain clauses marked as relaxable and others as nonrelaxable [29].
Obviously, from the above analyses, we can see that there are two limitations in the current research on role-mining optimization. One limitation is that none of them consider the separation-of-duty constraint. If a constructed RBAC system lacks several necessary constraints, then a series of security requirements of the organization are not realized. The second limitation is that they lack security detections for role authorization in the constructed RBAC system. Different results may violate the separation-of-duty constraint and/or the least-privileges principle.

2.3. Preliminaries and Basic Problem Descriptions

2.3.1. Basic Elements of Role Engineering

Conventional role engineering contains the following basic elements [5,6,7]:
(1)
U, P, R, S, DC, UPA, UA, PA, and RH are the basic elements of the RBAC model, which represent a set of users, a set of permissions, a set of roles, a set of sessions, a set of constraints, a many-to-many mapping of user-permission assignments, a many-to-many mapping of user-role assignments, a many-to-many mapping of role–permission assignments, and a partial-order set on roles, respectively;
(2)
Roles(u), Permissions(r), and Perms(u) represent the mapping function of user u onto a set of roles, the mapping function of role r onto a set of permissions, and the mapping function of user u onto a set of permissions, respectively;
(3)
user_session(s), roles_session(s), and perms_session(r) represent the mapping function of session s onto a user, the mapping function of session s onto a set of roles, and the mapping function of role r onto a set of permissions in a session, respectively.

2.3.2. Separation-of-Duty Constraint

Role-static separation-of-duty constraint (k-n RSSOD) [22] states that, given a task consisting of n roles r1, r2,…,rn, at least k users are required together to perform it and have all the n roles; any set of (k – 1) users should not be able to have all the roles. It is expressed as rssod<{r1,r2,…,rn},k>, where each ri is a role, and n and k are integers, such that 2≤kn. It can be formalized as follows:
( u 1 , u 2 , , u k 1 ) U : { r 1 , r 2 , , r n } i = 1 k 1 R o l e s ( u i )

2.3.3. Basic RMP Problem

Given a set of users U, a set of permissions P, and a user-permission assignments matrix UPA, the basic RMP [17] aims to find a set of roles R, a user-role assignments matrix UA, and a role–permission assignments matrix PA, such that the UA and PA are consistent with the UPA, and the number of mining roles |R| is minimized. It can be formalized as follows:
{ min | R | U A P A = U P A

2.3.4. UAQ Problem

The UAQ [27] is a four-tuple <s, Plb, Pub, match>, where sS, Plb, and Pub are the lower and upper bound for the set of requested permissions, respectively; PlbPubP; and match∈{min, max, exact} indicates the optimization objective. It can be formalized as follows:
m a t c h = { m i n .   i f f s ( S \ { s } ) , ( r , r ) R , r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r ) r r o l e s _ s e s s i o n ( r ) p e r m s _ s e s s i o n ( r ) P l b   m a x .   i f f s ( S \ { s } ) , ( r , r ) R ,   P u b r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r ) r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r )   e x a c t . i f f P l b = r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r ) = P u b .
For the readability, we summarize the main symbols used in the paper in Table 1.

3. Proposed Method

In this section, we propose a novel method, RMO_SODSDA, which includes two aspects: (1) satisfying separation-of-duty constraints, and (2) ensuring authorization security.

3.1. Satisfying Separation-of-Duty Constraints

Separation-of-duty constraints can be effectively enforced by mutually exclusive constraints. In order to satisfy these constraints, we constructed different variants of mutually exclusive roles to implement RSSOD based on any unconstrained role-mining algorithm for basic RMP, including algorithm design and description, computational complexity, and correctness analysis. First, we present the following definitions.
Definition 1.
(static and soft mutually exclusive roles, t-m SMER) Given m roles r1,r2,…,rm, a t-m SMER states that no user is allowed to have t or more of these m roles. It is expressed as smer<{r1,r2,…,rm},t>, where each ri is a role, and m and t are integers, such that 2≤ k≤ n. A t-m SMER can be formalized as follows:
u U : | { r 1 , r 2 , , r m }   R o l e s ( u ) | < t
It has been shown that any t-m SMER can be equivalently represented using a set of t-t SMER [24].
Definition 2.
(static and hard mutually exclusive roles, t-t SMER) Given t roles r1,r2,…,rt, a t-t SMER states that no user is allowed to have these t roles. It is expressed as smer<{r1,r2,…,rt},t>, where each ri is a role, and t is an integer, such that t≥ 2. A t-t SMER can be formalized as follows:
u U : { r 1 , r 2 , , r t } R o l e s ( u )
Definition 3.
(role-mining problem with RSSOD constraints) Given a set of users U, a set of permissions P, a user-permission assignments matrix UPA, and a set of RSSOD constraints E={e1,e2,…}, find a set of roles R, a user-role assignments matrix UA, a role–permission assignments matrix PA, and a set of SMER constraints C, such that the UA and PA are consistent with the UPA, C enforces E, and the number of mining roles |R| is minimized. It can be formalized as follows:
{ min | R | U A P A = U P A C   e n f o r c e s   E

3.1.1. Preprocessing

Any role-mining algorithm that takes no RSSOD constraint into consideration is used for mining minimal roles in Algorithm 1.
Algorithm 1. Preprocessing
Input: original matrix UPA
Output: decomposed matrix UA, PA, candidate set CR of roles
The Fast Miner method and Boolean matrix decomposition are adopted to derive CR and configure RBAC, such that
{ min | C R | U A P A = U P A

3.1.2. Construction of 2–2 SMER Constraints

A 2–2 SMER constraint can be expressed as c=<{ri, rj},2>, which means that ri and rj are mutually exclusive, that is, the two roles cannot be assigned to any user. Although 2–2 SMER constraints are considered to be quite restrictive, they are sufficient to enforce any enforceable RSSOD constraint. RSSOD constraint ei is nonenforceable in one of the following cases: (1) a single role in the PA matrix owns all permissions in ei, and (2) candidate matrix UA already has user assignments violating the constraints.
Algorithm 2. Construction of 2–2 SMER constraints
Input:UA, CR, set E of k-n RSSOD constraints
Output: set C of 2–2 SMER constraints
1. C= ∅;
2. for each ei in E do
3. P(ei) denotes the permissions covered by ei;
4.   ( S = ( r 1 , r 2 , ) ) C R : ( r S : P e r m i s s i o n s ( r )   P ( e i ) )
5.  if r S : P e r m i s s i o n s ( r ) P ( e i ) then
6.   ei is nonenforceable;
7.   continue;
8.  end if
9.  for each pair of roles (ri, rj) in S do
10.  if ( P e r m i s s i o n s ( r i ) P e r m i s s i o n s ( r j ) ) ( P e r m i s s i o n s ( r j ) P e r m i s s i o n s ( r i ) ) then
11.    if UA satisfy smer<{ri, rj},2> then
12.     C={smer<{ri, rj},2>} ∪ C;
13.    else
14.     ei is nonenforceable with 2–2 SMER constraints;
15.    end if
16.   end if
17.  end for
18. end for
In Algorithm 2, the inputs are the above UA, CR, and set E = {e1,e2,…} of k-n RSSOD constraints, and the output is set C = {c1,c2,...} of 2–2 SMER constraints, such that C enforces E. In order to construct 2–2 SMER constraints, it is necessary to find a set of roles S, such that each role in S at least has permissions in ei (line 4). Then, if any role has all the permissions in ei, we declare ei as nonenforceable (lines 5–8); otherwise, we analyze each pair of roles (ri, rj) to determine whether they are valid 2–2 SMER constraints. If ri and rj are mutually exclusive roles, each one contains at least a mutually exclusive permission that must be absent in the other (lines 9–17).
Computational complexity: constructing 2–2 SMER constraints for an RSSOD can be done in polynomial time. If the number of roles in set S for the RSSOD is m, then the time for deciding whether the RSSOD constraint is enforceable or not is O(m), and the time for constructing mutually exclusive roles is O(m2); thus, the total time complexity is (m2). The smaller m gets, the more acceptable the algorithm becomes.

3.1.3. Construction of t-t SMER Constraints

However, many RSSOD constraints might become nonenforceable in some cases because of the restrictive 2–2 SMER constraints. Next, we present an approach for implementing RSSOD with t-t SMER constraints (t > 2), which is less restrictive as compared with only using 2–2 SMER constraints. It is necessary to find a maximum t for the given RSSOD constraints in Algorithm 3.
Algorithm 3. Construction of t-t SMER constraints
Input:UA, CR, set E of k-n RSSOD constraints
Output: set C of t-t SMER constraints
1.  C= ∅;
2.  for each ei in E do
3.   P(ei) denotes the permissions covered by ei;
4.    ( S = ( r 1 , r 2 , ) ) C R : ( r S : P e r m i s s i o n s ( r )   P ( e i ) )
5.   if |S|<k then
6.     ei is nonenforceable;
7.     continue;
8.   else if   r S : P e r m i s s i o n s ( r ) P ( e i ) then
9.     ei is nonenforceable;
10.     continue;
11.   else if ( r i , r j ) S : ( r i , r j ) R H   or   ( r j , r i ) R H then
12.     ei is nonenforceable;
13.     continue;
14.   else
15.    for t=3 to | S | 1 k 1 +1 do
16.     for any set {r1,r2,…rt} in S do
17.      if UA satisfies smer<{r1,r2,…rt},t> then
18.       C={smer<{r1,r2,…rt},t>} ∪ C;
19.      else
20.       ei is nonenforceable with t-t SMER constraints;
21.      end if
22.     end for
23.    end for
24.   end if
25. end for
To construct t-t SMER constraints for an RSSOD ei, like in Algorithm 2, we should find set S at first. Next, we determine whether ei is enforceable or not. In Algorithm 3, line 4 determines set S from CR. Lines 5–6 indicate that if the number of roles in set S is less than k in ei, it cannot be enforced. Lines 8–9 indicate that if any role in set S has all the permissions in ei, it cannot be enforced. Lines 11–12 show that if RH relationships exist in S, ei cannot be enforced. Lines 15–23 determine whether the t-t SMER constraints are satisfied in matrix UA and insert them into set C.
Computational complexity: if the number of roles in S is m, the time for determining whether a constraint is enforceable or not is O(m). Constructing t-t SMER constraints depends on the double loops. The execution number of the first loop is | S | 1 k 1 –2; in the second loop, for the particular t, it is necessary to obtain any t roles from S, and the execution time is O( C m t ). Thus, the total time complexity is O ( m )+ O ( m · C m t )= O( m · C m t ). If m is small, the efficiency of the algorithm is acceptable.

3.1.4. Construction of t-m SMER Constraints

Compared with t-t SMER constraints, although t-m SMER constraints (2 < t < m) are less restrictive, they are more flexible for applications. The differences between t-m SMER and t-t SMER are presented in Algorithm 4.
Algorithm 4. Construction of t-m SMER constraints
Input:UA, CR, set E of k-n RSSOD constraints
Output: set C of t-m SMER constraints
……
1. for t=3 to n 1 k 1 +1 do
2.  m=(k-1)×(t-1)+1;
3.  for any set {r1,r2,…rm} in CR do
4.   if UA satisfy smer<{r1,r2,…rm},t> then
5.    C={smer<{r1,r2,…rm},t>} ∪ C;
6.   else
7.    ei is nonenforceable with t-m SMER constraints;
8.   end if
9.  end for
10. end for
……
Computational complexity: constructing t-m SMER constraints depends on the double loops. The execution number in the first loop is ( n 1 k 1 2 ) ; in the second loop, for the particular m, it is necessary to obtain any m roles from CR. Thus, the execution time of the double loops is O(2n). The efficiency of the algorithm decreases obviously as the number of CR increases.

3.1.5. Correctness Analysis

Statement 1.
Given an m-m RSSOD constraint e1, t-m SMER constraint c1 can precisely enforce e1 if and only if t = 2.
Proof. 
We analyze the statement from the two sides of sufficiency and necessity.
Sufficiency. When constraint c1=smer<{r1,r2,…,rm},2> holds, that is, u U : | R o l e s ( u )   { r 1 , r 2 , r m } | < 2 , this indicates that at least m users are required together to have all roles of set {r1,r2,…,rm}. Any set of (m-1) users should not be able to have all m roles, that is, ( u 1 , u 2 , u m 1 ) U : i = 1 m 1 R o l e s ( u i ) { r 1 , r 2 , r m } . According to RSSOD, c1 can enforce e1.
Necessity. It is proved by contradiction. Assume that there exist (m – 1) users who can cover all the m roles, that is,   ( u 1 , u 2 , u m 1 ) U : i = 1 m 1 R o l e s ( u i ) { r 1 , r 2 , r m } . In other words, there exists some user who has two of the n roles, that is,   u U : | R o l e s ( u )   { r 1 , r 2 , r m } | = 2 , which is contradictory to constraint smer<{r1,r2,…,rm},2>. Thus, the assumption is false. □
Statement 2.
Given a 2–m RSSOD constraint e2, t-m SMER constraint c2 can precisely enforce e2 if and only if t = m.
Proof. 
We also analyze the statement from the two sides of sufficiency and necessity.
Sufficiency. When constraint c2=smer<{r1,r2,…,rm},m> holds, that is, u U : | R o l e s ( u )   { r 1 , r 2 , r m } | < m , this indicates that no user has all roles of the set {r1,r2,…,rm}. In other words, at least two users are required together to have all the m roles. According to RSSOD, c2 can enforce e2.
Necessity. It is proved by contradiction. Assume that there exists some user who has all the m roles, that is,   u U : | R o l e s ( u )   { r 1 , r 2 , r m } | = m , which is contradictory to the constraint smer<{r1,r2,…,rm},m>. Thus, the assumption is false. □
Theorem 1.
Given a k-n RSSOD constraint (k > 2) and a candidate role set CR, where k≤ n≤ |CR|, t-m SMER constraints constructed by our algorithms can precisely enforce k-n RSSOD if t ( n 1 k 1 + 1 ) .
Proof. 
According to Definition 1, any user has (t – 1) roles at most, and any (k – 1) users have (k – 1) ×(t – 1) roles at most. It is also proved by contradiction. Without loss of generality, t= ( n 1 k 1 + 1 + 1 ) , we assume that the RSSOD constraint holds, that is, the number of roles assigned to (k – 1) users is ( k 1 ) × ( n 1 k 1 + 2 1 ) n 1 + k 1 = n + k 2 > n , which breaches the k-n RSSOD. Thus, the assumption is false and the theorem is proved. □
Example 1.
Constructing t-m SMER constraints based on our method can enforce rssod<{r1,r2,r3,r4,r5},k> with different k in Table 2, where 2≤ k≤ 5.

3.2. Ensuring Authorization Security

In order to ensure the security of authorizations, we converted the authorization-query problem into partial MAX-SAT as follows: (1) authorization logics and constraints are transformed into hard clauses; (2) the updating algorithm is adopted to transform the requested permissions with different matches into soft clauses; and (3) recursive and encoding algorithms are utilized to satisfy all hard clauses and as many soft clauses as possible. First, we present the definition with respect to the partial MAX-SAT.
Definition 4.
(Boolean logical descriptions of partial MAX-SAT):
(1)
Basic elements: some elements are presented using Boolean variables x1,x2,…,xi,…, xi, or ¬xi(the negation of xi), which is called a literal logic; the instance formalized as x1∨x2∨…∨xn using n literals xi is called a clause; and sentence c1∧c2∧…∧cm using m clauses ci is called the conjunctive normal form, which is expressed as cnf(c1,c2,…,cm);
(2)
Hard clause: c1, c2,…, cm are hard clauses and satisfiable, if and only if there exist truth assignments such that the value of cnf(c1,c2,…,cm) is 1. All hard clauses are set as HC;
(3)
Soft clause: the sentences that do not satisfy hard clauses are soft clauses. All soft clauses are set as SC.
To transform the authorization-query request into the partial MAX-SAT, we represent permission p and role r with literal p - and r - respectively, and we describe them and their logical negations as follows:
(1)
p - : p P , r R , s S , p r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r ) ;
(2)
¬ p - :   p P , r R , s S , p r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r ) ;
(3)
r - :   r R , s S , r r o l e s _ s e s s i o n ( s ) ;
(4)
¬ r - :   r R , s S , r r o l e s _ s e s s i o n ( s ) .

3.2.1. Preprocessing

To transform static-authorization logics and dynamic mutual role constraints into hard clauses, we describe the transforming rules as follows:
(1)
  p P , ( r , r ) R : ( ( r , r ) R H ) ( ( r , p ) P A )
¬ r - p - ;
(2)
  p P , ( r , r 1 , r 2 , ) R : ( ( r , p ) P A ) ( ( r 1 , r ) R H ) ( ( r 2 , r ) R H )
¬ p - r - 1 r - 2 ;
(3)
  r R , r R , ( p 1 , p 2 , ) P : ( ( r , r ) R H ) ( ( r , p 1 ) P A ) ( ( r , p 2 ) P A )
r - 1 ¬ p - 1 ¬ p - 2 ;
(4)
r R , s S : ( u s e r _ s e s s i o n ( s ) , r ) U A
¬ r - ;
(5)
r { r 1 , r 2 , , r m } R ,   s S , t 2 : ( d m e r { r 1 , r 2 , , r m } , t C )
  ( | { r 1 , r 2 , , r m }   roles session ( s ) | < t )   r - .

3.2.2. Updating Clauses

To reflect the least-privileges principle, we say that permissions in Plb must be satisfied and available in a single session, which can be formalized as follows:
p P , s S , r R , : p P l b p r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r ) .
Similarly, permissions not in Pub must not be satisfied or available in a single session, which can be formalized as follows:
p P , s S , r R , : p ( P \ P u b ) p r r o l e s _ s e s s i o n ( s ) p e r m s _ s e s s i o n ( r ) .
Different cases can be easily transformed into the partial MAX-SAT. Essentially, the partial MAX-SAT problem is a special extension of the MAX-SAT problem, whereby some clauses are relaxable and others are hard clauses. It aims to satisfy all hard clauses as well as a maximum number of soft ones. To translate the authorization-query problem to a partial MAX-SAT instance, all permissions in Plb should be inserted into HC, and all permissions in (Pub\Plb) should be inserted into SC. Next, to satisfy the max match, any permission in (Pub\Plb) is initially set to be true, as only permission variables can be used in the permissions request and the partial MAX-SAT is to satisfy the largest number of soft clauses; to satisfy the min match, on the other hand, any permission in (Pub\Plb) is initially set to be false. Thus, hard and soft clauses are updated in Algorithm 5.
Algorithm 5. Updating clauses.
Input: the UAQ <s, Plb, Pub, match>, preprocessed results HC, SC
Output: updated results HC, SC
1. for each p in Plb do
2.   HC=HC ∪ { p - };
3. end for
4. for each p in P\Pub do
5.   HC=HC ∪ {¬ p - };
6. end for
7. for each p in Pub\Plb do
8.   if match = min then
9.    SC=SC ∪ {¬ p - };
10.   else if match = max then
11.    SC=SC ∪ { p - };
12.   else
13.    SC=SC ∪ Φ;
14.   end if
15. end for
In Algorithm 5, the two cases are reflected in lines 1–6. If permission p is in Plb, we represent p with literal p - and insert it into HC. If permission p is not in Pub, we insert literal ¬ p - into HC. If the requested permissions are not in Plb, but in Pub, lines 7–15 transform them into soft clauses according to the different matches. We insert literal ¬ p - or p - into SC when the match objective equals to min or max, and we do not update SC when the match objective equals to exact.

3.2.3. Assigning Truth for Clauses

To satisfy all hard clauses in HC, it is necessary to search for truth assignments and make sure all clauses are true. The recursive process is described in Algorithm 6.
Algorithm 6. Assigning truth for hard clauses.
Input:len(c)
Output: true or false
1. Randomly choose clause c from HC and use len(c) as the length of c;
2. if len(c) = 1 then
3.  c=1;
4.  HC=HC\{c};
5. for each clause, including c’∨c in HC, do
6.  HC=HC\{c’∨c};
7. end for
8. for each clause, including c’’∨¬c in HC, do
9.  HC=(HC\{c’’∨¬c})∪{c’’};
10. end for
11. return true;
12. else
13.  Assigning truth for hard clauses (len (c)-1);
14. return false;
15. end if
In Algorithm 6, lines 2–11 indicate that if chosen clause c consists of only one literal logic, we simplify HC according to the two different cases in each iteration: when a clause including c’∨c exists, we remove it from HC; when a clause including c’’∨¬c exists, we remove it from HC and insert c’’ into HC. Next, if len(c)>1, line 13 recursively calls Algorithm 6.
Theorem 2.
For each given clause c, there is a truth assignment for c using Algorithm 6.
Proof. 
On the basis of Section 3.2.1 and Section 3.2.2, we can search for the truth assignment from line 2 of the algorithm using the method of mathematical induction, and detailed descriptions are omitted owing to limited space. □

3.2.4. Encoding and Querying Clauses

To satisfy as many clauses as possible, soft clauses are encoded and queried in the following steps:
Step 1. For given set of soft clauses SC = {sc1,sc2,…,scn}, introduce n new blocking variables bi(1 ≤ in);
Step 2. Construct new clause set SCb = {sc1b1,sc2b2,…,scnbn}, where clause scibi is considered as bi copies of sci;
Step 3. Search for minimal integer k, such that SCb is true and i = 1 n b i k ;
Step 4. Consider HCSCb as parameters, take them into the QMaxSAT [39], and output all true clauses from SC.
Example 2.
Given set P of permissions, set R of roles, role–hierarchy relationships RH, role–permission assignment relationships PA, and set C of constraints, where P = {p0,p1,p2,p3,p4,p5,p6,p7}, R = {r0,r1,r2}, RH = {r0≥r2}, PA = {(r0,p0),(r0,p1),(r0,p2),(r0,p4),(r0,p5),(r0,p6),(r1,p3),(r1,p7),(r2,p2),(r2,p6)}, and C = {dmer<{r0,r1},2,s>}. In the preprocessing stage, hard clauses are constructed by the transforming rules, and results are listed in Table 3.
Suppose there are three authorization requests: (1) Plb = Φ, Pub = {p2,p3,p6}, match = max; (2) Plb = {p2,p3,p6}, Pub = P, match = min; (3) Plb = {p2,p3,p6}, Pub={p2,p3,p6}, match=exact. Then, HC and SC are, respectively, updated in Algorithms 5 and 6; the results are listed in Table 4, and different sets of activated roles are listed in Table 5.

4. Experiment Evaluations

In this section, two groups of experiments were carried out. The first group of experiments was to evaluate the effectiveness of RMO_SODSDA, and the second was to evaluate its efficiency. All experiments were implemented on a standard desktop PC with an Intel i5–7400 CPU, 4 GB RAM, and 160 GB hard disks, running a 64-bit Windows 7 operating system. All simulations were compiled and executed in Eclipse IDE for a Java Developers environment.

4.1. RMO_SODSDA Effectiveness

4.1.1. Datasets and Experiment Setup

Datasets: we considered nine real-world datasets from the work of [14]. Meanwhile, in the unconstrained preprocessing stage, regular mining tool RMiner [39] was used for mining roles. The results including the number of roles and execution time are shown in Table 6.
Experiment setup: constraints were constructed synthetically. According to the length of constraint enforcement, we studied four different kinds of k-n RSSOD: 2–2 RSSOD, 2–3 RSSOD, 3–5 RSSOD, and 5–10 RSSOD, where n permissions were randomly chosen from the set of all permissions. According to the amount of constraint enforcement, we chose 30 and 50 as the number of each kind of k-n RSSOD, respectively.
However, after analyzing these datasets, we found that the Domino, Firewall1, Firewall2, and Healthcare datasets could not be used to represent the performance of role-mining algorithms with RSSOD constraints. Some user sets in these datasets violate the constraints, and they have all permissions assigned to them. Thus, valid RSSOD constraints cannot be generated from them.

4.1.2. Evaluation Measures

We considered the average number of constructing SMER constraints, execution time, and percentage of RSSOD constraints that can be successfully enforced as evaluation measures.

4.1.3. Experiment Results

To evaluate the effectiveness of RMO_SODSDA, we considered preprocessing results UA, CR, and the k-n RSSOD constraints as inputs, and repeatedly implemented the experiments 20 times. The experiment results are shown in Table 7, Table 8, Table 9 and Table 10, where Ek-n RSSOD represents the set of RSSOD constraints, and Ct-m SMER represents the set of SMER constraints.
Firstly, by analyzing the results in Table 7, Table 8, Table 9 and Table 10, it was observed that there was a certain number of RSSOD constraints that could not be enforced when we constructed 2–2 SMER, t-t SMER, or t-m SMER constraints. The less that efficient RSSOD constraints were enforced (in other words, the less the percentage in the bracket), the fewer the constructing SMER constraints.
Second, Table 7, Table 8, Table 9 and Table 10 show that the process of constructing 2–2 SMER constraints is more difficult than the other two processes, because the 2–2 SMER was more restricted than the others. We take the Customer dataset as an example. In Table 9, percentages of successfully constructing 2–2 SMER constraints are 17% with 30 RSSOD and 14% with 50 RSSOD, while percentages of constructing the other two are both 100%. In Table 10, percentages of successfully constructing 2–2 SMER constraints are only 5% and 2%.
A further observation is that the number of constructing SMER constraints tended to increase as the number of RSSOD constraints increased in the five datasets. We take the Americas-large dataset as an example. In Table 7, when the number of RSSOD changed from 30 to 50, the number of constructing SMER increased from 984 to 2461 and 2568, respectively.
Finally, it can be observed from Table 7, Table 8, Table 9 and Table 10 that the number of constructing SMER increased as the length of RSSOD constraints increased. We take the Americas-large dataset as an example. If the number of RSSOD constraints equaled to 30, then the number of constructing SMER remarkably increased from 984 to 24,908. If the number of RSSOD constraints equaled to 50, then the number of constructing SMER changed remarkably from 2461 to 62,058.
Next, the average time for constructing SMER constraints from different kinds of RSSOD constraints is shown in Table 11, Table 12, Table 13 and Table 14, from which it is observed that execution time increased as the number and length of RSSOD constraints increased. Taking the Americas-large dataset as an example, the number of RSSOD changed from 30 to 50, and the length of RSSOD changed from 2 to 10. The time for constructing 2–2 SMER constraints was 139, 366, 505, 1203, 2022, 5762, 6164, and 14,667 s, respectively. Similar to analyses for the number of constructing constraints, detailed discussions of execution time were omitted in this paper owing to limited space.

4.2. RMO_SODSDA Efficiency

4.2.1. Datasets and Experiment Setup

Datasets: according to Table 6, the number of the chosen roles in the second group of experiments increased from 40 to 300 with a step of 20. In addition, the QMaxSAT solver was chosen because it performed quite well in the latest MAX-SAT evaluation and because of its efficiency on sets of encoding clauses. Clauses updated based on truth assignments were written in Java.
Experiment setup: for the given UAQ < s, Plb, Pub, match>, s is a session in S, Pu represents permissions assigned to user u in our constructed RBAC system, and PrequestPu. This can be obtained using Sat4j 2.3.4 (April 2013), an open-source satisfiability library in Java [40]. We considered three scenarios, as follows: (1) Plb = Prequest, Pub = Pu, match = min; (2) Plb = Φ, Pub = Prequest, match = max; and (3) Plb = Pub = Prequest, match = exact.

4.2.2. Evaluation Measures

To evaluate authorization performance of the RMO_SODSDA, we implemented the experiments and compared query time as the number of roles increased according to the three scenarios.

4.2.3. Experiment Results

We randomly selected 10 pairs of values of Plb and Pub for the experiments and took the median value. The results of our experiments are shown in Figure 1 with error bars, where the lateral axis represents varying values of the number of roles, and the vertical axis represents changes of query time including truth assignments for HC, encoding for SC, and execution time by using the QMaxSAT solver.
Figure 1 demonstrates that query time increased slightly as the number of roles increased in the exact and max cases. Particularly, the time was less than 10 milliseconds with up to 300 roles. In the min case, query time irregularly floated up and down with the increasing number of roles. While time taken for different match requests remained the same in the preprocessing and clause-updating stages, the time taken using the QMaxSAT solver was longer in the min case than in the other two cases. However, total query time was still below one second in any case.
In order to further validate the efficiency of the RMO_SODSDA, we considered a similar set of experiments as the ones performed in the work of [37]. More precisely, our experiments were set as follows: 30 ≤ |R|< 300, |U| = 20, |P| = 70, |C| = 5. Similar to the experiments in the previous UAQ setting section, we took the median value over 10 randomly selected pairs of values of Plb and Pub for the experiments. We compared the performance of our method with the results based on the MAX-SAT solver in Figure 2, Figure 3 and Figure 4 with error bars, where the lateral axis represents varying values of the number of roles, and the vertical axis represents changes of query time.
It can be observed from Figure 2 and Figure 3 that the query time of our method did not obviously vary. It was less than 20 milliseconds with up to 290 roles. In contrast, the query time in the work of [37] tended to grow linearly up to around 160 milliseconds. The total query time of our method was lower because all hard and soft clauses were completely encoded in the preprocessing stage, while in the work of [37], all clauses were encoded in the querying stage. Therefore, our method outperformed the MAX-SAT solver in the exact and max cases.
It can be observed from Figure 4 that the query time of our method did not obviously vary when |R| changed from 30 to 190. However, the query time irregularly floated up and down when |R| changed from 210 to 290, up to around 240 milliseconds in this paper and around 400 milliseconds in the work of [38]. Therefore, our method did not outperform the MAX-SAT solver in the min case.

5. Discussion

From the above analyses of the effectiveness and efficiency of RMO_SODSDA, we found the following:
(1) In the Americas-large, Apj, and Emea datasets, percentage of RSSOD constraints that can be successfully enforced exceeded 70%. However, when the length of RSSOD constraints increased to 3–5 RSSOD and 5–10 RSSOD, the percentage in the Americas-small and Customer datasets was below 50% and 17%, respectively. Thus, the Americas-large, Apj, and Emea datasets were more appropriate for the effectiveness evaluations of RMO_SODSDA.
(2) We compared the execution time of RMO_SODSDA from Table 11, Table 12, Table 13 and Table 14 with that of the unconstrained role mining from Table 6 in Table 15. Obviously, the time of our method was much higher than that of any unconstrained role mining method. We constructed lots of different variants of SMER constraints to correctly implement the given RSSOD constraints, although it was time-consuming.
(3) For the given cases of permissions request in this paper, the query time of RMO_SODSDA was below one second in any case. However, the method did not outperform the MAX-SAT solver in the min case.
(4) We considered a similar set of experiments as the ones from the MAX-SAT solver to evaluate the efficiency of RMO_SODSDA, and we found that the query time does not obviously vary in the exact and max cases when the number of roles exceeds 300. Thus, we did not consider and analyze further the similar results in these cases.
(5) Similar to the number of roles chosen from the MAX-SAT solver, we chose the similar set of constraints as another parameter for our method, and only the RSSOD constraint was taken into consideration. Particularly, it was observed from Table 6 that the number of mining roles from the Americas-small and Customer datasets was close to 230 and 270, respectively. However, according to the first discussion in this section, the percentages of RSSOD constraints that can be successfully enforced were very low. As the results in Figure 4, the query time irregularly floated up and down once the two datasets were chosen for the performance evaluations.

6. Conclusions

A novel method, RMO-SODSDA, was proposed in this paper. We first presented constrained role-engineering optimization with separation-of-duty constraints, and constructed several SMER variants to correctly implement the RSSOD, including algorithm design and description, and the computational complexity for constructing the different SMER constraints. Then, in order to evaluate the security of the constructed RBAC system for a given authorization-query problem, an efficient approach for ensuring system security was presented that converts the authorization-query problem into a maximal-satisfiability problem. Lastly, experiment results demonstrated the effectiveness and efficiency of the RMO_SODSDA. There are still a few interesting issues to be handled. One issue is to study the relationships between different cardinality constraints and consider how to implement multiple constraints for role-mining optimization in future work.

Author Contributions

Conceptualization, W.S. and S.W.; methodology, W.S. and H.L.; validation, W.S., S.W., and H.L.; formal analysis, W.S.; data curation, S.W.; writing—original draft preparation, W.S.

Funding

This work was partially supported by the Natural Science Foundation of China (61501393), the Natural Science Foundation of Henan Province of China (182300410145, 182102210132), and the Key Scientific Research Project of Henan Province University (20B520031).

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Xuan, H.; Wei, S.; Tong, W.; Liu, D.; Qi, C. Fault-tolerant scheduling algorithm with re-allocation for divisible task. IEEE Access 2018, 6, 73147–73157. [Google Scholar] [CrossRef]
  2. Batra, G.; Atluri, V.; Vaidya, J.; Sural, S. Deploying ABAC policies using RBAC systems. J. Comput. Secur. 2019, 27, 483–506. [Google Scholar] [CrossRef]
  3. Ghafoorian, M.; Abbasinezhad-Mood, D.; Shakeri, H. A Thorough Trust and Reputation Based RBAC Model for Secure Data Storage in the Cloud. IEEE Trans. Parallel Distrib. Syst. 2019, 30, 778–788. [Google Scholar] [CrossRef]
  4. Cruz, J.P.; Kaji, Y.; Yanai, N. Rbac-sc: Role-based access control using smart contract. IEEE Access 2018, 6, 12240–12251. [Google Scholar] [CrossRef]
  5. Pan, N.; Sun, L.; He, L.; Zhu, Z. An Approach for Hierarchical RBAC Reconfiguration with Minimal Perturbation. IEEE Access 2018, 6, 40389–40399. [Google Scholar] [CrossRef]
  6. Pan, N.; Zhu, Z.; He, L.; Sun, L. An efficiency approach for RBAC reconfiguration with minimal roles and perturbation. Concurr. Comput. Pract. Exp. 2018, 30, e4399. [Google Scholar] [CrossRef]
  7. Mitra, B.; Sural, S.; Vaidya, J.; Atluri, V. Migrating from RBAC to temporal RBAC. IET Inf. Secur. 2017, 11, 294–300. [Google Scholar] [CrossRef]
  8. Schefer-Wenzl, S.; Strembeck, M. Modeling Support for Role-Based Delegation in Process-Aware Information Systems. Bus. Inf. Syst. Eng. 2014, 6, 215–237. [Google Scholar] [CrossRef]
  9. Baumgrass, A.; Strembeck, M. Bridging the gap between role mining and role engineering via migration guides. Inf. Sec. Techn. Rep. 2013, 17, 148–172. [Google Scholar] [CrossRef]
  10. Narouei, M.; Takabi, H. Towards an Automatic Top-down Role Engineering Approach Using Natural Language Processing Techniques. In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, Vienna, Austria, 1–3 June 2015; pp. 157–160. [Google Scholar]
  11. Gal-Oz, N.; Gonen, Y.; Gudes, E. Mining meaningful and rare roles from web application usage patterns. Comput. Secur. 2019, 82, 296–313. [Google Scholar] [CrossRef]
  12. Bai, W.; Pan, Z.; Guo, S.; Chen, Z. RMMDI: A Novel Framework for Role Mining Based on the Multi-Domain Information. Secur. Commun. Netw. 2019, 2019, 8085303. [Google Scholar] [CrossRef]
  13. Stoller, S.D.; Bui, T. Mining hierarchical temporal roles with multiple metrics. J. Comput. Secur. 2018, 26, 121–142. [Google Scholar] [CrossRef]
  14. Mitra, B.; Sural, S.; Vaidya, J.; Atluri, V. A Survey of Role Mining. ACM Comput. Surv. 2016, 48, 1–37. [Google Scholar] [CrossRef]
  15. Mitra, B.; Sural, S.; Vaidya, J.; Atluri, V. Mining temporal roles using many-valued concepts. Comput. Secur. 2016, 60, 79–94. [Google Scholar] [CrossRef]
  16. Ye, W.; Li, R.; Gu, X.; Li, Y.; Wen, K. Role mining using answer set programming. Future Gener. Comp. Syst. 2016, 55, 336–343. [Google Scholar] [CrossRef]
  17. Vaidya, J.; Atluri, V.; Guo, Q. The role mining problem: Finding a minimal descriptive set of roles. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France, 20–22 June 2007; pp. 175–184. [Google Scholar]
  18. Lu, H.; Vaidya, J.; Atluri, V. Optimal boolean matrix decomposition: Application to role engineering. In Proceedings of the 24th International Conference on Data Engineering, Cancún, Mexico, 7–12 April 2008; pp. 297–306. [Google Scholar]
  19. Lu, H.; Vaidya, J.; Atluri, V. An optimization framework for role mining. J. Comput. Secur. 2014, 22, 1–31. [Google Scholar] [CrossRef]
  20. Lu, H.; Hong, Y.; Yang, Y.; Duan, L.; Badar, N. Towards user-oriented RBAC model. J. Comput. Secur. 2015, 23, 107–129. [Google Scholar] [CrossRef]
  21. Lang, B.; Wang, J.; Liu, Y. Achieving flexible and self-contained data protection in cloud computing. IEEE Access 2017, 5, 1510–1523. [Google Scholar] [CrossRef]
  22. Ultra, J.D.; Pancho-Festin, S. A simple model of separation of duty for access control models. Comput. Secur. 2017, 68, 69–80. [Google Scholar] [CrossRef]
  23. Nazerian, F.; Motameni, H.; Nematzadeh, H. Emergency role-based access control (E-RBAC) and analysis of model specifications with alloy. J. Inf. Sec. Appl. 2019, 45, 131–142. [Google Scholar] [CrossRef]
  24. Li, N.; Tripunitara, M.V.; Bizri, Z. On mutually exclusive roles and separation-of-duty. ACM Trans. Inf. Syst. Secur. 2007, 10, 1–36. [Google Scholar] [CrossRef]
  25. Huang, H.; Shang, F.; Liu, J.; Du, H. Handling least privilege problem and role mining in RBAC. J. Comb. Optim. 2015, 30, 63–86. [Google Scholar] [CrossRef]
  26. Ma, X.; Li, R.; Lu, Z.; Lu, J.; Dong, M. Specifying and enforcing the principle of least privilege in role-based access control. Concurr. Comput. Pract. Exp. 2011, 23, 1313–1331. [Google Scholar] [CrossRef]
  27. Zhang, Y.; Joshi, J.B.D. Uaq: A framework for user authorization query processing in rbac extended with hybrid hierarchy and constraints. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA, 11–13 June 2008; pp. 83–92. [Google Scholar]
  28. Lu, J.; Xin, Y.; Zhang, Z.; Peng, H.; Han, J. Supporting user authorization queries in RBAC systems by role-permission reassignment. Future Gener. Comp. Syst. 2018, 88, 707–717. [Google Scholar] [CrossRef]
  29. Fu, Z.; Malik, S. On Solving the Partial MAX-SAT Problem. In Proceedings of the 9th International Conference on Theory and Applications of Satisfiability Testing, Seattle, WA, USA, 12–15 August 2006; pp. 252–265. [Google Scholar]
  30. Molloy, I.; Chen, H.; Li, T.; Wang, Q.; Li, N.; Bertino, E.; Calo, S.B.; Lobo, J. Mining roles with semantic meanings. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA, 11–13 June 2008; pp. 21–30. [Google Scholar]
  31. Zhang, D.; Ramamohanarao, K.; Ebringer, T. Role engineering using graph optimisation. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France, 20–22 June 2007; pp. 139–144. [Google Scholar]
  32. Ene, A.; Horne, W.G.; Milosavljevic, N.; Rao, P.; Schreiber, R.; Tarjan, R.E. Fast exact and heuristic methods for role minimization problems. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, USA, 11–13 June 2008; pp. 1–10. [Google Scholar]
  33. Kumar, R.; Sural, S.; Gupta, A. Mining RBAC Roles under Cardinality Constraint. In Proceedings of the 6th International Conference on Information Systems Security, Gandhinagar, India, 17–19 December 2010; pp. 171–185. [Google Scholar]
  34. Hingankar, M.; Sural, S. Towards role mining with restricted user-role assignment. In Proceedings of the 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace and Electronic Systems Technology, Chennai, India, 28 February–3 March 2011. [Google Scholar]
  35. John, J.C.; Sural, S.; Atluri, V.; Vaidya, J. Role Mining under Role-Usage Cardinality Constraint. In Proceedings of the 27th IFIP TC 11 Information Security and Privacy Conference on Information Security and Privacy Research, Heraklion, Greece, 4–6 June 2012; pp. 150–161. [Google Scholar]
  36. Harika, P.; Nagajyothi, M.; John, J.C.; Sural, S.; Vaidya, J.; Atluri, V. Meeting Cardinality Constraints in Role Mining. IEEE Trans. Depend. Sec. Comput. 2015, 12, 71–84. [Google Scholar] [CrossRef]
  37. Wickramaarachchi, G.T.; Qardaji, W.H.; Li, N. An efficient framework for user authorization queries in RBAC systems. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, Stresa, Italy, 3–5 June 2009; pp. 23–32. [Google Scholar]
  38. Koshimura, M.; Zhang, T.; Fujita, H.; Hasegawa, R. QMaxSAT: A partial Max-SAT solver. J. Satisf. Boolean Model. Comput. 2012, 8, 95–100. [Google Scholar]
  39. Li, R.; Li, H.; Wei, W.; Ma, X.; Gu, X. RMiner: A tool set for role mining. In Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, Amsterdam, The Netherlands, 12–14 June 2013; pp. 193–196. [Google Scholar]
  40. Le Berre, D. Sat4j: A Satisfiability Library for Java. 2013. Available online: http://www.sat4j.org (accessed on 10 August 2019).
Figure 1. Comparison of the different scenarios.
Figure 1. Comparison of the different scenarios.
Futureinternet 11 00201 g001
Figure 2. Query comparison when match = exact. MAX-SAT, maximal satisfiability.
Figure 2. Query comparison when match = exact. MAX-SAT, maximal satisfiability.
Futureinternet 11 00201 g002
Figure 3. Query comparison when match = max.
Figure 3. Query comparison when match = max.
Futureinternet 11 00201 g003
Figure 4. Query comparison when match = min.
Figure 4. Query comparison when match = min.
Futureinternet 11 00201 g004
Table 1. Main symbols and their meanings.
Table 1. Main symbols and their meanings.
SymbolMeaning
< s, Plb, Pub, match>The four tuple of permissions request
SSODRole-static separation-of-duty constraint
SMERStatic mutually exclusive roles
rssod<{r1,r2,…,rn},k>The k-n SSOD constraint
smer<{r1,r2,…,rm},t>The t-m SMER constraint
smer<{r1,r2,…,rt},t>The t-t SMER constraint
EThe set of SSOD constraints
CThe set of SMER constraints
p - , ¬ p - The literal and its negation with respect to permission p
r - , ¬ r - The literal and its negation with respect to role r
Table 2. Static and soft mutually exclusive roles (t-m SMERs) enforce k-n role-static separation-of-duty constraint (RSSOD).
Table 2. Static and soft mutually exclusive roles (t-m SMERs) enforce k-n role-static separation-of-duty constraint (RSSOD).
RSSODSMERs
e1=rssod<{r1,r2,r3,r4,r5},2>C1={smer<{r1,r2,r3,r4,r5},5>}
e2=rssod<{r1,r2,r3,r4,r5},3>C2={smer<{r1,r2,r3},2>,smer<{r1,r2,r4},2>,smer<{r1,r2,r5},2>,
smer<{r1,r3,r4},2>,smer<{r1,r3,r5},2>,smer<{r1,r4,r5},2>,
smer<{r2,r3,r4},2>,smer<{r2,r3,r5},2>,smer<{r2,r4,r5},2>,
smer<{r3,r4,r5},2>,smer<{r1,r2,r3,r4,r5},3>}
e3=rssod<{r1,r2,r3,r4,r5},4>C3={smer<{r1,r2,r3,r4},2>,smer<{r1,r2,r3,r5},2>,smer<{r1,r2,r4,r5},2>,
smer<{r1,r3,r4,r5},2>,smer<{r2,r3,r4,r5},2>}
e4=rssod<{r1,r2,r3,r4,r5},5>C4={smer<{r1,r2,r3,r4,r5},2>}
Table 3. Hard clauses.
Table 3. Hard clauses.
Authorization Logics and ConstraintsHC
p P , ( r , r ) R :
( ( r , r ) RH ) ( ( p , r ) PA )
¬ r - 0 p - 0 , ¬ r - 0 p - 1 , ¬ r - 0 p - 2 , ¬ r - 0 p - 4 ,
¬ r - 0 p - 5 , ¬ r - 0 p - 6 , ¬ r - 1 p - 3 , ¬ r - 1 p - 7 ,
¬ r - 2 p - 2 , ¬ r - 2 p - 6
p P , ( r , r 1 , r 2 , ) R :
( ( p , r ) PA ) ( ( r 1 , r ) RH ) ( ( r 2 , r ) RH )
¬ p - 0 r - 0 , ¬ p - 1 r - 0 , ¬ p - 2 r - 0 r - 2 , ¬ p - 3 r - 1 ,
¬ p - 4 r - 0 , ¬ p - 5 r - 0 , ¬ p - 6 r - 0 r - 2 , ¬ p - 7 r - 1
r R , r R , ( p 1 , p 2 , ) P :
( ( r , r ) RH ) ( ( p 1 , r ) PA ) ( ( p 2 , r ) PA )
r - 0 ¬ p - 0 ¬ p - 1 ¬ p - 2 ¬ p - 4 ¬ p - 5 ¬ p - 6 ,
r - 1 ¬ p - 3 ¬ p - 7 , r - 2 ¬ p - 2 ¬ p - 6
s S ,   { r 1 , r 2 , } R :
dmer { r 1 , r 2 , } , 2 , s C
¬ r - 0 ¬ r - 1
Table 4. Updated clauses.
Table 4. Updated clauses.
Permissions RequestHCSC
<s,Φ,{p2,p3,p6},max >HC ∪ {¬ p - 0 p - 1 p - 4 p - 5 p - 7}{ p - 2, p - 3, p - 6}
<s,{p2,p3,p6},P,min >HC ∪ { p - 2, p - 3, p - 6} p - 0 p - 1 p - 4 p - 5 p - 7}
<s,{p2,p3,p6},{p2,p3,p6},exact >HC ∪ { p - 2, p - 3, p - 6,¬ p - 0 p - 1 p - 4 p - 5 p - 7}Φ
Table 5. Activated roles.
Table 5. Activated roles.
Permissions RequestLiteral RolesRole Set
<s,Φ,{p2,p3,p6},max>¬ r 0 - , ¬ r 1 - , r 2 - {r2}
<s,{p2,p3,p6},P,min>¬ r 0 - , r 1 - , r 2 - {r1,r2}
<s,{p2,p3,p6},{p2,p3,p6},exact>¬ r 0 - , ¬ r 1 - , ¬ r 2 - Φ
Table 6. Datasets.
Table 6. Datasets.
Dataset|U||P||CR|Execution Time (s)
Americas-large34851012742378.78
Americas-small347715872136.31
Apj204411644565.60
Customer109612842764.66
Domino79231200.01
Emea353046340.02
Firewall1365709690.11
Firewall2325590100.15
Healthcare4646150.01
Table 7. Results of SMER constructed from 2–2 RSSOD.
Table 7. Results of SMER constructed from 2–2 RSSOD.
Dataset|E22 RSSOD|= 30|E2–2 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large984(95%)984(95%)982(96%)2461(92%)2568(92%)2574(93%)
Americas-small441(80%)439(80%)436(80%)1279(84%)1272(84%)1285(84%)
Apj40(80%)39(80%)37(80%)124(84%)124(84%)124(84%)
Customer19(95%)15(80%)11(80%)48(96%)36(78%)33(76%)
Emea57(80%)54(80%)51(80%)142(84%)138(84%)135(83%)
Table 8. Results of SMER constructed from 2–3 RSSOD.
Table 8. Results of SMER constructed from 2–3 RSSOD.
Dataset|E2-3 RSSOD|= 30|E2-3 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large3307(100%)3306(100%)3304(100%)7697(98%)7694(98%)7692(98%)
Americas-small995(80%)993(80%)991(80%)3365(85%)3360(85%)3358(85%)
Apj146(100%)128(100%)119(100%)345(100%)297(100%)277(100%)
Customer32(60%)19(100%)17(100%)81(58%)49(98%)39(95%)
Emea172(95%)163(95%)155(95%)425(98%)404(98%)387(97%)
Table 9. Results of SMER constructed from 3–5 RSSOD.
Table 9. Results of SMER constructed from 3–5 RSSOD.
Dataset|E3–5 RSSOD|= 30|E3–5 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large11,335(91%)11,335(91%)11,335(91%)31,155(88%)31,155(88%)31,147(88%)
Americas-small2120(50%)2120(50%)2120(50%)5081(48%)5081(48%)5078(48%)
Apj553(95%)574(95%)571(95%)1498(93%)1556(93%)1534(93%)
Customer46(17%)372(100%)369(100%)97(14%)929(100%)930(100%)
Emea696(100%)698(100%)697(100%)1819(100%)1831(100%)1829(100%)
Table 10. Results of SMER constructed from 5–10 RSSOD.
Table 10. Results of SMER constructed from 5–10 RSSOD.
Dataset|E5–10 RSSOD|= 30|E5–10 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large24,908(70%)24,908(70%)24,901(85%)62,058(71%)62,058(71%)62,058(71%)
Americas-small1307(15%)1307(15%)1307(15%)3831(16%)3831(16%)3831(16%)
Apj1459(85%)1614(85%)1603(85%)3926(90%)4258(90%)4214(88%)
Customer7(5%)2180(100%)2177(100%)25(2%)5461(98%)5455(98%)
Emea1591(100%)1594(100%)1594(100%)4168(100%)4178(100%)4172(100%)
Table 11. Execution time with 2–2 RSSOD.
Table 11. Execution time with 2–2 RSSOD.
Dataset|E2–2 RSSOD|= 30|E2–2 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large139.7 s144.7 s289.5 s366.2 s379.5 s759.1 s
Americas-small10.1 s10.1 s20.2 s29.2 s30.2 s60.4 s
Apj0.3 s0.4 s0.8 s0.9 s1.2 s2.4 s
Customer0.01 s0.2 s0.4 s0.01 s0.5 s1.1 s
Emea0.02 s0.02 s0.04 s0.05 s0.06 s0.12 s
Table 12. Execution time with 2–3 RSSOD.
Table 12. Execution time with 2–3 RSSOD.
Dataset|E2–3 RSSOD|= 30|E2–3 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large505.5 s509.5 s452.9 s1203.9 s1212.8 s1078.1 s
Americas-small30.5 s31.8 s28.3 s89.9 s96.3 s85.6 s
Apj1.5 s1.4 s1.2 s3.6 s3.1 s2.7 s
Customer0.5 s0.3 s0.3 s1.3 s0.7 s0.6 s
Emea0.07 s0.07 s0.06 s0.02 s0.1 s0.1 s
Table 13. Execution time with 3–5 RSSOD.
Table 13. Execution time with 3–5 RSSOD.
Dataset|E3–5 RSSOD|= 30|E3–5 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large2022.7 s2054.3 s1314.7 s5762.9 s5861.9 s3751.6 s
Americas-small117.7 s143.6 s91.9 s280.9 s337.9 s216.2 s
Apj6.7 s7.1 s4.5 s17.9 s19.7 s12.6 s
Customer1.2 s5.0 s3.2 s2.7 s12.1 s7.7 s
Emea0.3 s0.3 s0.2 s0.8 s0.8 s0.5 s
Table 14. Execution time with 5–10 RSSOD.
Table 14. Execution time with 5–10 RSSOD.
Dataset|E5–10 RSSOD|= 30|E5–10 RSSOD|= 50
C2–2 SMERCt-t SMERCt-m SMERC2–2 SMERCt-t SMERCt-m SMER
Americas-large6164.6 s6267.3 s7771.9 s14,667.3 s15,008.8 s18,612.1 s
Americas-small260.7 s371.4 s460.5 s5.9 s900.5 s1116.7 s
Apj19.7 s23.3 s28.9 s47.0 s59.4 s73.6 s
Customer0.9 s28.1 s34.8 s2.3 s70.5 s87.4 s
Emea0.7 s0.7 s0.8 s1.7 s0.7 s0.8 s
Table 15. Comparison of execution time.
Table 15. Comparison of execution time.
DatasetRMO_SODSDA(s)Unconstrained Role Mining(s)
Americas-large[139.7, 18612.1]78.78
Americas-small[10.1, 1116.7]6.31
Apj[0.3, 73.6]5.60
Customer[0.01, 87.4]4.66
Emea[0.02, 0.8]0.02

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Back to TopTop