{"title":"基于Max-SAT的参数化RBAC维护","authors":"Marco Benedetti, Marco Mori","doi":"10.1145/3205977.3205987","DOIUrl":null,"url":null,"abstract":"In the past decade, many organizations have adopted a Role-Based Access Control model (RBAC) to reduce their administration costs and increase security. The migration to RBAC requires a role engineering phase aimed at generating \"good\" initial roles starting from direct assignments of permissions to users. For an RBAC approach to be effective, however, it is also necessary to update roles and keep them compliant with the dynamic nature of the business processes; not only this, but errors and misalignments between the current RBAC state and reality need to be promptly detected and fixed. In this paper, we propose a new maintenance process to fix and refine an RBAC state when \"exceptions\" are detected. Exceptions are permissions some users realize they miss that are instrumental to their job and should be granted as soon as possible. They are catched by a monitoring system as unexpected \"access denied\" conditions and then validated by the RBAC administrator. The fix we produce aims at balancing two conflicting objectives, i.e., (i) simplifying the current RBAC state, and (ii) reducing the transition cost. Our approach is based on a Max-SAT formalization of this trade-off and it exploits incomplete solvers that quickly provide approximations of optimal solutions. Experiments show good performance on real-world benchmarks.","PeriodicalId":423087,"journal":{"name":"Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-06-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"Parametric RBAC Maintenance via Max-SAT\",\"authors\":\"Marco Benedetti, Marco Mori\",\"doi\":\"10.1145/3205977.3205987\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In the past decade, many organizations have adopted a Role-Based Access Control model (RBAC) to reduce their administration costs and increase security. The migration to RBAC requires a role engineering phase aimed at generating \\\"good\\\" initial roles starting from direct assignments of permissions to users. For an RBAC approach to be effective, however, it is also necessary to update roles and keep them compliant with the dynamic nature of the business processes; not only this, but errors and misalignments between the current RBAC state and reality need to be promptly detected and fixed. In this paper, we propose a new maintenance process to fix and refine an RBAC state when \\\"exceptions\\\" are detected. Exceptions are permissions some users realize they miss that are instrumental to their job and should be granted as soon as possible. They are catched by a monitoring system as unexpected \\\"access denied\\\" conditions and then validated by the RBAC administrator. The fix we produce aims at balancing two conflicting objectives, i.e., (i) simplifying the current RBAC state, and (ii) reducing the transition cost. Our approach is based on a Max-SAT formalization of this trade-off and it exploits incomplete solvers that quickly provide approximations of optimal solutions. Experiments show good performance on real-world benchmarks.\",\"PeriodicalId\":423087,\"journal\":{\"name\":\"Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies\",\"volume\":\"25 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-06-07\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3205977.3205987\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3205977.3205987","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
In the past decade, many organizations have adopted a Role-Based Access Control model (RBAC) to reduce their administration costs and increase security. The migration to RBAC requires a role engineering phase aimed at generating "good" initial roles starting from direct assignments of permissions to users. For an RBAC approach to be effective, however, it is also necessary to update roles and keep them compliant with the dynamic nature of the business processes; not only this, but errors and misalignments between the current RBAC state and reality need to be promptly detected and fixed. In this paper, we propose a new maintenance process to fix and refine an RBAC state when "exceptions" are detected. Exceptions are permissions some users realize they miss that are instrumental to their job and should be granted as soon as possible. They are catched by a monitoring system as unexpected "access denied" conditions and then validated by the RBAC administrator. The fix we produce aims at balancing two conflicting objectives, i.e., (i) simplifying the current RBAC state, and (ii) reducing the transition cost. Our approach is based on a Max-SAT formalization of this trade-off and it exploits incomplete solvers that quickly provide approximations of optimal solutions. Experiments show good performance on real-world benchmarks.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
