Role-Mining Optimization with Separation-of-Duty Constraints and Security Detections for Authorizations

: Role-based access control (RBAC), which has been regarded as one of the most popular access-control mechanisms, is featured by the separation-of-duty constraints, mutually exclusive constraints, and the least-privileges principle. Role mining, a bottom-up role-engineering technology, is an e ﬀ ective method to migrate from a non-RBAC system to an RBAC system. However, conventional role-mining approaches not only do not consider the separation of duty constraints, but also cannot ensure the security of a constructed RBAC system when the corresponding mined results violate the separation of a duty constraint and / or the least-privileges principle. To solve these problems, this paper proposes a novel method called role-mining optimization with separation-of-duty constraints and security detections for authorizations (RMO_SODSDA), which mainly includes two aspects. First, we present a role-mining-optimization approach for satisfying the separation of duty constraints, and we constructed di ﬀ erent variants of mutually exclusive constraints to correctly implement the given separation of duty constraints based on unconstrained role mining. Second, to ensure the security of the constructed system and evaluate authorization performance, we reduced the authorization-query problem to a maximal-satisﬁability problem. The experiments validate the e ﬀ ectiveness and e ﬃ ciency of the proposed method.


Introduction
With the rapid development of network-information technology and the comprehensive application of cloud computing and big data techniques, there is much storage and there are many exchanges in large-scale and complex information-management systems [1].The mechanism to ensure the security of system data and user information has attracted much attention.An increasing number of enterprises and organizations have adopted role-based access control (RBAC) as their main access-control mechanism, as it makes security administration more flexible and manageable [2][3][4][5][6][7].With the successful implementations of RBAC systems, designing an effective, complete set of roles and constructing a good RBAC system have become critical tasks.As a solution to facilitate the process of migrating from a non-RBAC system to an RBAC system, role-engineering technology [8,9] has been proposed.There are two main approaches: top-down [10] and bottom-up [11][12][13][14][15][16].In the former approach, roles are derived by carefully analyzing particular organization functions.While this approach can reflect the functional requirements of the organization well, it is time-consuming and labor-intensive.In the latter approach, roles are aggregated by applying data-mining techniques from existing user-permission assignments, and the architectural structure of RBAC can be automatically constructed.The bottom-up approach, also known as role mining, has gained considerable interest and popularity in recent years.
Vaidya et al. [17] converted role mining into a matrix-decomposition problem and presented the definition of a basic role mining problem (basic RMP), which attempts to find a minimal set of roles from bottom-user permission assignments and completely cover the original assignments.However, it is difficult to derive an optimal role set in practical applications.Afterward, a variant of basic RMP called δ-approx RMP was proposed in the work of [17], which attempts to find a minimal set of roles by allowing a limited number of mismatches.As a result, it is easy to derive a suboptimal role set.Meanwhile, in min-noise RMP [17], the number of roles is bounded, and the number of mismatches between original assignments and assignments in the constructed system is minimized.According to different optimization objectives for role mining, many other approaches have been proposed, such as edge RMP [18], usage RMP [19], and user-oriented exact RMP [20].
A key characteristic of RBAC is that it allows the specification and enforcement of various constraint policies [21][22][23], such as cardinality constraints and separation-of-duty constraints (also called separation-of-duty policies), which can reflect security policies of different enterprises and organizations and ensure system security.The cardinality constraint limits the maximum number of roles related to users or to permissions, the maximum number of permissions a role can have, or the maximum number of users to which a role can be assigned [14].Another significant constraint discussed in this paper is the separation-of-duty constraint, which is widely recognized to be a fundamental principle in computer security [14].Typically, the constraint states that at least k users are required to complete a special task that requires n number of permissions.One approach requires that no (k -1) users together have all the permissions needed to complete the task [24].It has been widely used in the banking industry and military systems.In the approach to migrate from a non-RBAC system to an RBAC system, however, an inadequately addressed key challenge is that none of the conventional role-mining methods consider the separation-of-duty constraint.
Furthermore, both the mutually-exclusive-role constraint and the least-privileges principle play important roles [25,26] in evaluating system security and authorization performance in a constructed RBAC system.Because of free and random requests of accessing resources and fuzzy system configurations, it is impossible to find an optimal set of roles that cover all permissions for a given access request.The authorization-query problem [27] proved to be satisfiable, strictly complies with the separation-of-duty constraint, and attempts to derive a role set that can cover as many permissions as possible.Maximal satisfiability (MAX-SAT) is a core research problem of theoretical computer science that has had successful applications in various fields, such as artificial intelligence and model detection [28].Nevertheless, conventional role-mining methods lack security detections for authorizations in the constructed RBAC system.The following problems exist: on the one hand, different results may conflict with each other and violate the mutually exclusive constraint; on the other hand, different results may include permissions outside the permission request and violate the least-privileges principle.
To address the above problems, this paper proposes a novel method called role-mining optimization with separation-of-duty constraints and security detections for authorizations (RMO_SODSDA).The main contributions of this paper are as follows: (1) The separation-of-duty constraint was proved to be effectively enforced by mutually exclusive constraints [24].In order to satisfy these constraints, we presented a constrained-role optimization approach, we constructed several variants of mutually exclusive constraints to correctly implement the given separation of duty, and we evaluated the effectiveness of RMO_SODSDA.(2) As a branch of MAX-SAT, the partial MAX-SAT problem [29] aims to satisfy all hard clauses and as many soft clauses as possible.It is clearly more versatile.In order to ensure system security, based on the previously constructed RBAC system, we converted the authorization-query problem into the partial MAX-SAT and evaluated RMO_SODSDA efficiency.
The rest of the paper is organized as follows.In Section 2, we discuss related work and present preliminaries and basic problem descriptions to understand the rest of the paper.Section 3 proposes a novel method (RMO_SODSDA), including two aspects: (1) presenting role optimization with separation-of-duty constraints and demonstrating how to construct different kinds of mutually-exclusive-role constraints, and (2) reducing the authorization-query problem to partial MAX-SAT and demonstrating how to ensure system security.We show the results of the experimental evaluations in Section 4 and present discussions in Section 5. Section 6 concludes the paper and discusses future work.

Role-Mining Methods
Many methods have been proposed for role mining.According to whether or not constraints are considered in the optimization process, existing efforts mainly fall into the following two categories: (1) role mining with no constraint, and (2) role mining with constraints.

Role Mining with No Constraint
Vaidya et al. converted role mining into a matrix-decomposition problem and presented the definition of basic RMP.Basic RMP has been proven to be NP-complete, for which several existing studies have already been done to find efficient solutions.In view of the lack of semantics in mining roles, Molloy et al. [30] introduced semantic information, represented roles' characteristics with a formal concept lattice, and proposed an optimization algorithm to find roles based on formal semantic analysis that can reflect the requirements of the organization's functions and enhance the interpretability of mining roles.To optimize the RBAC system, Zhang et al. [31] presented an algorithm using graph-optimization theory, which reduces the administration required for role-related assignments through minimizing the number of edges in the graph.However, it does not research the redundancy of the mining results.Ene et al. [32] used heuristics and graph theory to find as few optimized roles as possible, which can reduce graph representations and the redundancy of mining roles.Lu et al. [19] proposed a unified optimization framework for role mining and presented a number of greedy algorithms that could solve basic RMP, δ-approx RMP, min-noise RMP, and edge RMP based on methods of integer linear programming and Boolean matrix decomposition.Although constraints are essential for the RBAC model, none of the above role-mining methods took constraints into account.

Role Mining with Constraints
In order to avoid abuse of privileges, Kumar et al. [33] proposed the constrained role miner algorithm that limits the number of permissions assigned to a role.Hingankar et al. [34] proposed a biclique-cover method to derive a set of roles that limit the maximum number of users related to a role.For example, the managing-director role in a company must be assigned to only one person.John et al. proposed two alternative approaches for restricting the number of roles assigned to a user: the role priority-based approach (RPA) and the coverage of permissions-based approach (CPA).The RPA prioritizes roles based on their number of permissions, and assigns optimal roles to a user according to the priority order.The CPA chooses roles by iteratively picking the role with the largest number of permissions that are yet uncovered, and then ensures that no user contains more than a given number of roles [35].In order to simultaneously limit the maximum number of roles assigned to a user and a related permission, Harika et al. [36] imposed these constraints during the process of mining roles and proposed a postprocessing framework and a concurrent processing framework.

Methods of RBAC Authorizations
In order to obtain permissions while satisfying a collection of constraints for a given authorization request, it is necessary to determine whether a set of roles can be activated in a particular system.Zhang et al. presented the user authorization query (UAQ) problem that adopts a greedy algorithm and a mutually-exclusive-role constraint to search for the objects.The UAQ is to discover a set of roles to be activated in a single session for the particular set of permissions requested by the user [27].This set of roles must satisfy constraints and follow the least-privileges principle.However, it stops searching once the set of roles does not satisfy the requests.Wickramaarachchi et al. [37] introduced the lower and upper bounds for the requested permissions, respectively, converting the UAQ into the MAX-SAT, finding truth assignments that satisfied as many clauses as possible, and demonstrating its effectiveness using SAT solvers.Lu et al. [28] proposed a novel approach based on role-permission reassignments to support the UAQ, which assists administrators to modify system configurations in an automatic manner.Koshimura et al. [38] presented partial MAX-SAT solver QMaxSAT, which encodes soft clauses with the blocking variables and has been proven to be highly effective.Partial MAX-SAT is an extension of MAX-SAT.It sits between the classical SAT problem and the MAX-SAT problem.While the classical SAT problem requires all clauses to be satisfied, MAX-SAT seeks the maximum number of clauses that can be satisfied, and partial MAX-SAT relaxes this requirement by having certain clauses marked as relaxable and others as nonrelaxable [29].
Obviously, from the above analyses, we can see that there are two limitations in the current research on role-mining optimization.One limitation is that none of them consider the separation-of-duty constraint.If a constructed RBAC system lacks several necessary constraints, then a series of security requirements of the organization are not realized.The second limitation is that they lack security detections for role authorization in the constructed RBAC system.Different results may violate the separation-of-duty constraint and/or the least-privileges principle.

Basic Elements of Role Engineering
Conventional role engineering contains the following basic elements [5][6][7]: (1) U, P, R, S, DC, UPA, UA, PA, and RH are the basic elements of the RBAC model, which represent a set of users, a set of permissions, a set of roles, a set of sessions, a set of constraints, a many-to-many mapping of user-permission assignments, a many-to-many mapping of user-role assignments, a many-to-many mapping of role-permission assignments, and a partial-order set on roles, respectively; (2) Roles(u), Permissions(r), and Perms(u) represent the mapping function of user u onto a set of roles, the mapping function of role r onto a set of permissions, and the mapping function of user u onto a set of permissions, respectively; (3) user_session(s), roles_session(s), and perms_session(r) represent the mapping function of session s onto a user, the mapping function of session s onto a set of roles, and the mapping function of role r onto a set of permissions in a session, respectively.

Separation-of-Duty Constraint
Role-static separation-of-duty constraint (k-n RSSOD) [22] states that, given a task consisting of n roles r 1 , r 2 , . . .,r n , at least k users are required together to perform it and have all the n roles; any set of (k -1) users should not be able to have all the roles.It is expressed as rssod<{r 1 ,r 2 , . . .,r n },k>, where each r i is a role, and n and k are integers, such that 2≤k≤n.It can be formalized as follows:

Basic RMP Problem
Given a set of users U, a set of permissions P, and a user-permission assignments matrix UPA, the basic RMP [17] aims to find a set of roles R, a user-role assignments matrix UA, and a role-permission assignments matrix PA, such that the UA and PA are consistent with the UPA, and the number of mining roles |R| is minimized.It can be formalized as follows:

UAQ Problem
The UAQ [27] is a four-tuple <s, P lb , P ub , match>, where s∈S, P lb , and P ub are the lower and upper bound for the set of requested permissions, respectively; P lb ⊆P ub ⊆P; and match∈{min, max, exact} indicates the optimization objective.It can be formalized as follows: For the readability, we summarize the main symbols used in the paper in Table 1.
Table 1.Main symbols and their meanings.

Symbol Meaning
< s, P lb , P ub , match> The four tuple of permissions request SSOD Role-static separation-of-duty constraint SMER Static mutually exclusive roles rssod<{r 1 ,r 2 , . . .,r n },k> The k-n SSOD constraint smer<{r 1 ,r 2 , . . .,r m },t> The t-m SMER constraint smer<{r 1 ,r 2 , . . .,r t },t> The t-t SMER constraint E The set of SSOD constraints C The set of SMER constraints The literal and its negation with respect to permission p The literal and its negation with respect to role r

Proposed Method
In this section, we propose a novel method, RMO_SODSDA, which includes two aspects: (1) satisfying separation-of-duty constraints, and (2) ensuring authorization security.

Satisfying Separation-of-Duty Constraints
Separation-of-duty constraints can be effectively enforced by mutually exclusive constraints.In order to satisfy these constraints, we constructed different variants of mutually exclusive roles to implement RSSOD based on any unconstrained role-mining algorithm for basic RMP, including algorithm design and description, computational complexity, and correctness analysis.First, we present the following definitions.Definition 1. (static and soft mutually exclusive roles, t-m SMER) Given m roles r 1 ,r 2 , . . .,r m , a t-m SMER states that no user is allowed to have t or more of these m roles.It is expressed as smer<{r 1 ,r 2 , . . .,r m },t>, where each r i is a role, and m and t are integers, such that 2≤ k≤ n.A t-m SMER can be formalized as follows: It has been shown that any t-m SMER can be equivalently represented using a set of t-t SMER [24].
Definition 2. (static and hard mutually exclusive roles, t-t SMER) Given t roles r 1 ,r 2 , . . .,r t , a t-t SMER states that no user is allowed to have these t roles.It is expressed as smer<{r 1 ,r 2 , . . .,r t },t>, where each r i is a role, and t is an integer, such that t≥ 2. A t-t SMER can be formalized as follows: Definition 3. (role-mining problem with RSSOD constraints) Given a set of users U, a set of permissions P, a user-permission assignments matrix UPA, and a set of RSSOD constraints E={e 1 ,e 2 , . . .}, find a set of roles R, a user-role assignments matrix UA, a role-permission assignments matrix PA, and a set of SMER constraints C, such that the UA and PA are consistent with the UPA, C enforces E, and the number of mining roles |R| is minimized.It can be formalized as follows: Any role-mining algorithm that takes no RSSOD constraint into consideration is used for mining minimal roles in Algorithm 1.

Algorithm 1. Preprocessing
Input: original matrix UPA Output: decomposed matrix UA, PA, candidate set CR of roles The Fast Miner method and Boolean matrix decomposition are adopted to derive CR and configure RBAC, such that min|CR| UA ⊗ PA = UPA

Construction of 2-2 SMER Constraints
A 2-2 SMER constraint can be expressed as c=<{r i , r j },2>, which means that r i and r j are mutually exclusive, that is, the two roles cannot be assigned to any user.Although 2-2 SMER constraints are considered to be quite restrictive, they are sufficient to enforce any enforceable RSSOD constraint.RSSOD constraint e i is nonenforceable in one of the following cases: (1) a single role in the PA matrix owns all permissions in e i , and (2) candidate matrix UA already has user assignments violating the constraints.

Algorithm 2. Construction of 2-2 SMER constraints
for each e i in E do 3. P(e i ) denotes the permissions covered by e i ; 4. ∃(S = (r 1 , r 2 , . ..)) ⊆ CR:(∀r ∈ S : Permissions(r) ∩ P(e i ) ∅) In Algorithm 2, the inputs are the above UA, CR, and set E = {e 1 ,e 2 , . . .} of k-n RSSOD constraints, and the output is set C = {c 1 ,c 2 ,...} of 2-2 SMER constraints, such that C enforces E. In order to construct 2-2 SMER constraints, it is necessary to find a set of roles S, such that each role in S at least has permissions in e i (line 4).Then, if any role has all the permissions in e i , we declare e i as nonenforceable (lines 5-8); otherwise, we analyze each pair of roles (r i , r j ) to determine whether they are valid 2-2 SMER constraints.If r i and r j are mutually exclusive roles, each one contains at least a mutually exclusive permission that must be absent in the other (lines 9-17).
Computational complexity: constructing 2-2 SMER constraints for an RSSOD can be done in polynomial time.If the number of roles in set S for the RSSOD is m, then the time for deciding whether the RSSOD constraint is enforceable or not is O(m), and the time for constructing mutually exclusive roles is O(m 2 ); thus, the total time complexity is (m 2 ).The smaller m gets, the more acceptable the algorithm becomes.

Construction of t-t SMER Constraints
However, many RSSOD constraints might become nonenforceable in some cases because of the restrictive 2-2 SMER constraints.Next, we present an approach for implementing RSSOD with t-t SMER constraints (t > 2), which is less restrictive as compared with only using 2-2 SMER constraints.It is necessary to find a maximum t for the given RSSOD constraints in Algorithm 3.

Algorithm 3. Construction of t-t SMER constraints
for each e i in E do 3.
P(e i ) denotes the permissions covered by e i ; 4.
∃(S = (r 1 , r 2 , . ..)) ⊆ CR:(∀r ∈ S : Permissions(r) ∩ P(e i ) ∅) To construct t-t SMER constraints for an RSSOD e i , like in Algorithm 2, we should find set S at first.Next, we determine whether e i is enforceable or not.In Algorithm 3, line 4 determines set S from CR. Lines 5-6 indicate that if the number of roles in set S is less than k in e i , it cannot be enforced.Lines 8-9 indicate that if any role in set S has all the permissions in e i , it cannot be enforced.show that if RH relationships exist in S, e i cannot be enforced.Lines 15-23 determine whether the t-t SMER constraints are satisfied in matrix UA and insert them into set C.
Computational complexity: if the number of roles in S is m, the time for determining whether a constraint is enforceable or not is O(m).Constructing t-t SMER constraints depends on the double loops.The execution number of the first loop is |S|−1 k−1 -2; in the second loop, for the particular t, it is necessary to obtain any t roles from S, and the execution time is O(C t m ).Thus, the total time complexity is If m is small, the efficiency of the algorithm is acceptable.Computational complexity: constructing t-m SMER constraints depends on the double loops.The execution number in the first loop is n−1 k−1 − 2 ; in the second loop, for the particular m, it is necessary to obtain any m roles from CR.Thus, the execution time of the double loops is O(2 n ).The efficiency of the algorithm decreases obviously as the number of CR increases.

Correctness Analysis
Statement 1.Given an m-m RSSOD constraint e 1 , t-m SMER constraint c 1 can precisely enforce e 1 if and only if t = 2.

Proof.
We analyze the statement from the two sides of sufficiency and necessity.
Necessity.It is proved by contradiction.Assume that there exists some user who has all the m roles, that is, ∃u ∈ U : Roles(u) ∩ {r 1 , r 2 , . . .r m } = m, which is contradictory to the constraint smer<{r 1 ,r 2 , . . .,r m },m>.Thus, the assumption is false.Proof.According to Definition 1, any user has (t -1) roles at most, and any (k -1) users have (k -1) ×(t -1) roles at most.It is also proved by contradiction.Without loss of generality, t= n−1 k−1 + 1 + 1 , we assume that the RSSOD constraint holds, that is, the number of roles assigned to (k -1) users is which breaches the k-n RSSOD.Thus, the assumption is false and the theorem is proved.

Ensuring Authorization Security
In order to ensure the security of authorizations, we converted the authorization-query problem into partial MAX-SAT as follows: (1) authorization logics and constraints are transformed into hard clauses; (2) the updating algorithm is adopted to transform the requested permissions with different matches into soft clauses; and (3) recursive and encoding algorithms are utilized to satisfy all hard clauses and as many soft clauses as possible.First, we present the definition with respect to the partial MAX-SAT.

Definition 4. (Boolean logical descriptions of partial MAX-SAT):
(1) Basic elements: some elements are presented using Boolean variables x 1 ,x 2 , . . .,x i , . . ., x i, or ¬x i (the negation of x i ), which is called a literal logic; the instance formalized as x 1 ∨x 2 ∨ . . .∨x n using n literals x i is called a clause; and sentence c 1 ∧c 2 ∧ . . .∧c m using m clauses c i is called the conjunctive normal form, which is expressed as cnf(c 1 ,c 2 , . . .,c m );

Updating Clauses
To reflect the least-privileges principle, we say that permissions in P lb must be satisfied and available in a single session, which can be formalized as follows: ∀p ∈ P, ∃s ∈ S, ∀r ∈ R, : p ∈ P lb ⇒ p ∈ ∪ r∈roles_session(s) perms_session(r).
Similarly, permissions not in P ub must not be satisfied or available in a single session, which can be formalized as follows: Different cases can be easily transformed into the partial MAX-SAT.Essentially, the partial MAX-SAT problem is a special extension of the MAX-SAT problem, whereby some clauses are relaxable and others are hard clauses.It aims to satisfy all hard clauses as well as a maximum number of soft ones.To translate the authorization-query problem to a partial MAX-SAT instance, all permissions in P lb should be inserted into HC, and all permissions in (P ub \P lb ) should be inserted into SC.Next, to satisfy the max match, any permission in (P ub \P lb ) is initially set to be true, as only permission variables can be used in the permissions request and the partial MAX-SAT is to satisfy the largest number of soft clauses; to satisfy the min match, on the other hand, any permission in (P ub \P lb ) is initially set to be false.Thus, hard and soft clauses are updated in Algorithm 5. p into SC when the match objective equals to min or max, and we do not update SC when the match objective equals to exact.

Assigning Truth for Clauses
To satisfy all hard clauses in HC, it is necessary to search for truth assignments and make sure all clauses are true.The recursive process is described in Algorithm 6.In Algorithm 6, lines 2-11 indicate that if chosen clause c consists of only one literal logic, we simplify HC according to the two different cases in each iteration: when a clause including c'∨c exists, we remove it from HC; when a clause including c"∨¬c exists, we remove it from HC and insert c" into HC.Next, if len(c)>1, line 13 recursively calls Algorithm 6.
Theorem 2. For each given clause c, there is a truth assignment for c using Algorithm 6.
Proof.On the basis of Sections 3.2.1 and 3.2.2,we can search for the truth assignment from line 2 of the algorithm using the method of mathematical induction, and detailed descriptions are omitted owing to limited space.

Experiment Evaluations
In this section, two groups of experiments were carried out.The first group of experiments was to evaluate the effectiveness of RMO_SODSDA, and the second was to evaluate its efficiency.All experiments were implemented on a standard desktop PC with an Intel i5-7400 CPU, 4 GB RAM, and 160 GB hard disks, running a 64-bit Windows 7 operating system.All simulations were compiled and executed in Eclipse IDE for a Java Developers environment.

Datasets and Experiment Setup
Datasets: we considered nine real-world datasets from the work of [14].Meanwhile, in the unconstrained preprocessing stage, regular mining tool RMiner [39] was used for mining roles.The results including the number of roles and execution time are shown in Table 6.Experiment setup: constraints were constructed synthetically.According to the length of constraint enforcement, we studied four different kinds of k-n RSSOD: 2-2 RSSOD, 2-3 RSSOD, 3-5 RSSOD, and 5-10 RSSOD, where n permissions were randomly chosen from the set of all permissions.According to the amount of constraint enforcement, we chose 30 and 50 as the number of each kind of k-n RSSOD, respectively.
However, after analyzing these datasets, we found that the Domino, Firewall1, Firewall2, and Healthcare datasets could not be used to represent the performance of role-mining algorithms with RSSOD constraints.Some user sets in these datasets violate the constraints, and they have all permissions assigned to them.Thus, valid RSSOD constraints cannot be generated from them.

Evaluation Measures
We considered the average number of constructing SMER constraints, execution time, and percentage of RSSOD constraints that can be successfully enforced as evaluation measures.

Experiment Results
To evaluate the effectiveness of RMO_SODSDA, we considered preprocessing results UA, CR, and the k-n RSSOD constraints as inputs, and repeatedly implemented the experiments 20 times.The experiment results are shown in Tables 7-10, where E k-n RSSOD represents the set of RSSOD constraints, and C t-m SMER represents the set of SMER constraints.Firstly, by analyzing the results in Tables 7-10, it was observed that there was a certain number of RSSOD constraints that could not be enforced when we constructed 2-2 SMER, t-t SMER, or t-m SMER constraints.The less that efficient RSSOD constraints were enforced (in other words, the less the percentage in the bracket), the fewer the constructing SMER constraints.
Second, Tables 7-10 show that the process of constructing 2-2 SMER constraints is more difficult than the other two processes, because the 2-2 SMER was more restricted than the others.We take the Customer dataset as an example.In Table 9, percentages of successfully constructing 2-2 SMER constraints are 17% with 30 RSSOD and 14% with 50 RSSOD, while percentages of constructing the other two are both 100%.In Table 10, percentages of successfully constructing 2-2 SMER constraints are only 5% and 2%.
A further observation is that the number of constructing SMER constraints tended to increase as the number of RSSOD constraints increased in the five datasets.We take the Americas-large dataset as an example.In Table 7, when the number of RSSOD changed from 30 to 50, the number of constructing SMER increased from 984 to 2461 and 2568, respectively.
Finally, it can be observed from Tables 7-10 that the number of constructing SMER increased as the length of RSSOD constraints increased.We take the Americas-large dataset as an example.If the number of RSSOD constraints equaled to 30, then the number of constructing SMER remarkably increased from 984 to 24,908.If the number of RSSOD constraints equaled to 50, then the number of constructing SMER changed remarkably from 2461 to 62,058.
Next, the average time for constructing SMER constraints from different kinds of RSSOD constraints is shown in , from which it is observed that execution time increased as the number and length of RSSOD constraints increased.Taking the Americas-large dataset as an example, the number of RSSOD changed from 30 to 50, and the length of RSSOD changed from 2 to 10.The time for three scenarios, as follows: (1) P lb = Prequest, P ub = Pu, match = min; (2) P lb = Φ, P ub = Prequest, match = max; and (3) P lb = P ub = Prequest, match = exact.

Evaluation Measures
To evaluate authorization performance of the RMO_SODSDA, we implemented the experiments and compared query time as the number of roles increased according to the three scenarios.Figure 1 demonstrates that query time increased slightly as the number of roles increased in the exact and max cases.Particularly, the time was less than 10 milliseconds with up to 300 roles.In the min case, query time irregularly floated up and down with the increasing number of roles.While time taken for different match requests remained the same in the preprocessing and clause-updating stages, the time taken using the QMaxSAT solver was longer in the min case than in the other two cases.However, total query time was still below one second in any case.It can be observed from Figure 2 and Figure 3 that the query time of our method did not obviously vary.It was less than 20 milliseconds with up to 290 roles.In contrast, the query time in the work of [37] tended to grow linearly up to around 160 milliseconds.The total query time of our method was lower because all hard and soft clauses were completely encoded in the preprocessing stage, while in the work of [37], all clauses were encoded in the querying stage.Therefore, our method outperformed the MAX-SAT solver in the exact and max cases.
It can be observed from Figure 4 that the query time of our method did not obviously vary when |R| changed from 30 to 190.However, the query time irregularly floated up and down when |R| changed from 210 to 290, up to around 240 milliseconds in this paper and around 400 milliseconds in the work of [38].Therefore, our method did not outperform the MAX-SAT solver in the min case.Figure 1 demonstrates that query time increased slightly as the number of roles increased in the exact and max cases.Particularly, the time was less than 10 milliseconds with up to 300 roles.In the min case, query time irregularly floated up and down with the increasing number of roles.While time taken for different match requests remained the same in the preprocessing and clause-updating stages, the time taken using the QMaxSAT solver was longer in the min case than in the other two cases.However, total query time was still below one second in any case.
In order to further validate the efficiency of the RMO_SODSDA, we considered a similar set of experiments as the ones performed in the work of [37].More precisely, our experiments were set as follows: 30 ≤ |R|< 300, |U| = 20, |P| = 70, |C| = 5.Similar to the experiments in the previous UAQ setting section, we took the median value over 10 randomly selected pairs of values of P lb and P ub for the experiments.We compared the performance of our method with the results based on the MAX-SAT solver in Figures 2-4 with error bars, where the lateral axis represents varying values of the number of roles, and the vertical axis represents changes of query time.
It can be observed from Figures 2 and 3 that the query time of our method did not obviously vary.It was less than 20 milliseconds with up to 290 roles.In contrast, the query time in the work of [37] tended to grow linearly up to around 160 milliseconds.The total query time of our method was lower because all hard and soft clauses were completely encoded in the preprocessing stage, while in the work of [37], all clauses were encoded in the querying stage.Therefore, our method outperformed the MAX-SAT solver in the exact and max cases.
It can be observed from Figure 4 that the query time of our method did not obviously vary when |R| changed from 30 to 190.However, the query time irregularly floated up and down when |R| changed from 210 to 290, up to around 240 milliseconds in this paper and around 400 milliseconds in the work of [38].Therefore, our method did not outperform the MAX-SAT solver in the min case.

Discussion
From the above analyses of the effectiveness and efficiency of RMO_SODSDA, we found the following: (1) In the Americas-large, Apj, and Emea datasets, percentage of RSSOD constraints that can be successfully enforced exceeded 70%.However, when the length of RSSOD constraints increased to 3-5 RSSOD and 5-10 RSSOD, the percentage in the Americas-small and Customer datasets was below 50% and 17%, respectively.Thus, the Americas-large, Apj, and Emea datasets were more appropriate for the effectiveness evaluations of RMO_SODSDA.
(2) We compared the execution time of RMO_SODSDA from Table 11, Table 12, Table 13, and Table 14 with that of the unconstrained role mining from Table 6 in Table 15.Obviously, the time of our method was much higher than that of any unconstrained role mining method.We constructed lots of different variants of SMER constraints to correctly implement the given RSSOD constraints, although it was time-consuming.

Discussion
From the above analyses of the effectiveness and efficiency of RMO_SODSDA, we found the following: (1) In the Americas-large, Apj, and Emea datasets, percentage of RSSOD constraints that can be successfully enforced exceeded 70%.However, when the length of RSSOD constraints increased to 3-5 RSSOD and 5-10 RSSOD, the percentage in the Americas-small and Customer datasets was below 50% and 17%, respectively.Thus, the Americas-large, Apj, and Emea datasets were more appropriate for the effectiveness evaluations of RMO_SODSDA.
(2) We compared the execution time of RMO_SODSDA from Table 11, Table 12, Table 13, and Table 14 with that of the unconstrained role mining from Table 6 in Table 15.Obviously, the time of our method was much higher than that of any unconstrained role mining method.We constructed lots of different variants of SMER constraints to correctly implement the given RSSOD constraints, although it was time-consuming.

Discussion
From the above analyses of the effectiveness and efficiency of RMO_SODSDA, we found the following: (1) In the Americas-large, Apj, and Emea datasets, percentage of RSSOD constraints that can be successfully enforced exceeded 70%.However, when the length of RSSOD constraints increased to 3-5 RSSOD and 5-10 RSSOD, the percentage in the Americas-small and Customer datasets was below 50% and 17%, respectively.Thus, the Americas-large, Apj, and Emea datasets were more appropriate for the effectiveness evaluations of RMO_SODSDA.
(2) We compared the execution time of RMO_SODSDA from Table 11, Table 12, Table 13, and Table 14 with that of the unconstrained role mining from Table 6 in Table 15.Obviously, the time of our method was much higher than that of any unconstrained role mining method.We constructed lots of different variants of SMER constraints to correctly implement the given RSSOD constraints, although it was time-consuming.

Discussion
From the above analyses of the effectiveness and efficiency of RMO_SODSDA, we found the following: (1) In the Americas-large, Apj, and Emea datasets, percentage of RSSOD constraints that can be successfully enforced exceeded 70%.However, when the length of RSSOD constraints increased to 3-5 RSSOD and 5-10 RSSOD, the percentage in the Americas-small and Customer datasets was below 50% and 17%, respectively.Thus, the Americas-large, Apj, and Emea datasets were more appropriate for the effectiveness evaluations of RMO_SODSDA.
(2) We compared the execution time of RMO_SODSDA from Tables 11-14 with that of the unconstrained role mining from Table 6 in Table 15.Obviously, the time of our method was much higher than that of any unconstrained role mining method.We constructed lots of different variants of SMER constraints to correctly implement the given RSSOD constraints, although it was time-consuming.(3) For the given cases of permissions request in this paper, the query time of RMO_SODSDA was below one second in any case.However, the method did not outperform the MAX-SAT solver in the min case.
(4) We considered a similar set of experiments as the ones from the MAX-SAT solver to evaluate the efficiency of RMO_SODSDA, and we found that the query time does not obviously vary in the exact and max cases when the number of roles exceeds 300.Thus, we did not consider and analyze further the similar results in these cases.
(5) Similar to the number of roles chosen from the MAX-SAT solver, we chose the similar set of constraints as another parameter for our method, and only the RSSOD constraint was taken into consideration.Particularly, it was observed from Table 6 that the number of mining roles from the Americas-small and Customer datasets was close to 230 and 270, respectively.However, according to the first discussion in this section, the percentages of RSSOD constraints that can be successfully enforced were very low.As the results in Figure 4, the query time irregularly floated up and down once the two datasets were chosen for the performance evaluations.

Conclusions
A novel method, RMO-SODSDA, was proposed in this paper.We first presented constrained role-engineering optimization with separation-of-duty constraints, and constructed several SMER variants to correctly implement the RSSOD, including algorithm design and description, and the computational complexity for constructing the different SMER constraints.Then, in order to evaluate the security of the constructed RBAC system for a given authorization-query problem, an efficient approach for ensuring system security was presented that converts the authorization-query problem into a maximal-satisfiability problem.Lastly, experiment results demonstrated the effectiveness and efficiency of the RMO_SODSDA.There are still a few interesting issues to be handled.One issue is to study the relationships between different cardinality constraints and consider how to implement multiple constraints for role-mining optimization in future work.

Statement 2 .
Given a 2-m RSSOD constraint e 2 , t-m SMER constraint c 2 can precisely enforce e 2 if and only if t = m.

Theorem 1 .
Given a k-n RSSOD constraint (k > 2) and a candidate role set CR, where k ≤ n ≤ |CR|, t-m SMER constraints constructed by our algorithms can precisely enforce k-n RSSOD if t ≤ n−1 k−1 + 1 .

4. 2
.3.Experiment Results We randomly selected 10 pairs of values of P lb and P ub for the experiments and took the median value.The results of our experiments are shown in Figure 1 with error bars, where the lateral axis represents varying values of the number of roles, and the vertical axis represents changes of query time including truth assignments for HC, encoding for SC, and execution time by using the QMaxSAT solver.Future Internet 2019, 11, x FOR PEER REVIEW 16 of 20 We randomly selected 10 pairs of values of Plb and Pub for the experiments and took the median value.The results of our experiments are shown in Figure 1 with error bars, where the lateral axis represents varying values of the number of roles, and the vertical axis represents changes of query time including truth assignments for HC, encoding for SC, and execution time by using the QMaxSAT solver.

Figure 1 .
Figure 1.Comparison of the different scenarios.

Figure 1 .
Figure 1.Comparison of the different scenarios.
5. if ∃r ∈ S : Permissions(r) ⊇ P(e i ) then for each pair of roles (r i , r j ) in S do 10.ifPermissions(r i ) Permissions r j ∧ Permissions r j Permissions(r i ) then 11.if UA satisfy smer<{r i , r j },2> then 12.
, r j ∈ S : r i , r j ∈ RH or r j , r i ∈ RH then Construction of t-m SMER constraints Input: UA, CR, set E of k-n RSSOD constraints Output: set C of t-m SMER constraints . . . . . .

Algorithm 5. Updating clauses. Input: the
UAQ <s, P lb , P ub , match>, preprocessed results HC, SC Output: updated results HC, SC 1. for each p in P lb do In Algorithm 5, the two cases are reflected in lines 1-6.If permission p is in P lb , we represent p with literal − p and insert it into HC.If permission p is not in P ub , we insert literal ¬ If the requested permissions are not in P lb , but in P ub , lines 7-15 transform them into soft clauses according to the different matches.We insert literal ¬ − p into HC.− p or −

Table 15 .
Comparison of execution time.

Table 15 .
Comparison of execution time.

Table 15 .
Comparison of execution time.

Table 15 .
Comparison of execution time.