Generative models for access control policies: applications to role mining over logs with attribution

Abstract

We consider a fundamentally new approach to role and policy mining: finding RBAC models which reflect the observed usage of entitlements and the attributes of users. Such policies are interpretable, i.e., there is a natural explanation of why a role is assigned to a user and are conservative from a security standpoint since they are based on actual usage. Further, such "generative" models provide many other benefits including reconciliation with policies based on entitlements, detection of provisioning errors, as well as the detection of anomalous behavior. Our contributions include defining the fundamental problem as extensions of the well-known role mining problem, as well as providing several new algorithms based on generative machine learning models. Our algorithms find models which are causally associated with actual usage of entitlements and any arbitrary combination of user attributes when such information is available. This is the most natural process to provision roles, thus addressing a key usability issue with existing role mining algorithms. We have evaluated our approach on a large number of real life data sets, and our algorithms produce good role decompositions as measured by metrics such as coverage, stability, and generality We compare our algorithms with traditional role mining algorithms by equating usage with entitlement. Results show that our algorithms improve on existing approaches including exact mining, approximate mining, and probabilistic algorithms; the results are more temporally stable than exact mining approaches, and are faster than probabilistic algorithms while removing artificial constraints such as the number of roles assigned to each user. Most importantly, we believe that these roles more accurately capture what users actually do, the essence of a role, which is not captured by traditional methods.