S. Mandala, M. Vukovic, Jim Laredo, Yaoping Ruan, Milton Hernandez
{"title":"面向安全服务解决方案的混合角色挖掘","authors":"S. Mandala, M. Vukovic, Jim Laredo, Yaoping Ruan, Milton Hernandez","doi":"10.1109/SCC.2012.57","DOIUrl":null,"url":null,"abstract":"IT services delivery is a complex ecosystem that engages 100000s of system administrators in service delivery centers globally managing 1000s of IT systems on behalf of customers. Such large-scale hosting environments require a flexible identity management system to provision necessary access rights, in order to ensure compliance posture of an organization. A popular and effective access control scheme is Role Based Access Control (RBAC). Ideally, a role should correspond to a business function performed within an enterprise. Several role mining algorithms have been proposed which attempt to automate the process of role discovery. In this paper, we represent the user-permission assignments as a bi-partite graph with users/permissions as vertices and user-permission assignments as edges. Given a user-permission bi-partite graph, most role mining algorithms focus on discovering roles that cover all the user-permission assignments. We show that by relaxing the coverage requirement, one can improve the accuracy of role detection. We propose a parameterized definition of a role based on graph theoretical properties, and demonstrate that the role parameters can be controlled to balance the accuracy and coverage of the roles detected. Finally, we propose a heuristic to illustrate the efficacy of our approach and validate it on real and artificial organizational access control data.","PeriodicalId":178841,"journal":{"name":"2012 IEEE Ninth International Conference on Services Computing","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-06-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":"{\"title\":\"Hybrid Role Mining for Security Service Solution\",\"authors\":\"S. Mandala, M. Vukovic, Jim Laredo, Yaoping Ruan, Milton Hernandez\",\"doi\":\"10.1109/SCC.2012.57\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"IT services delivery is a complex ecosystem that engages 100000s of system administrators in service delivery centers globally managing 1000s of IT systems on behalf of customers. Such large-scale hosting environments require a flexible identity management system to provision necessary access rights, in order to ensure compliance posture of an organization. A popular and effective access control scheme is Role Based Access Control (RBAC). Ideally, a role should correspond to a business function performed within an enterprise. Several role mining algorithms have been proposed which attempt to automate the process of role discovery. In this paper, we represent the user-permission assignments as a bi-partite graph with users/permissions as vertices and user-permission assignments as edges. Given a user-permission bi-partite graph, most role mining algorithms focus on discovering roles that cover all the user-permission assignments. We show that by relaxing the coverage requirement, one can improve the accuracy of role detection. We propose a parameterized definition of a role based on graph theoretical properties, and demonstrate that the role parameters can be controlled to balance the accuracy and coverage of the roles detected. Finally, we propose a heuristic to illustrate the efficacy of our approach and validate it on real and artificial organizational access control data.\",\"PeriodicalId\":178841,\"journal\":{\"name\":\"2012 IEEE Ninth International Conference on Services Computing\",\"volume\":\"1 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-06-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"5\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 IEEE Ninth International Conference on Services Computing\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SCC.2012.57\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 IEEE Ninth International Conference on Services Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SCC.2012.57","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
IT services delivery is a complex ecosystem that engages 100000s of system administrators in service delivery centers globally managing 1000s of IT systems on behalf of customers. Such large-scale hosting environments require a flexible identity management system to provision necessary access rights, in order to ensure compliance posture of an organization. A popular and effective access control scheme is Role Based Access Control (RBAC). Ideally, a role should correspond to a business function performed within an enterprise. Several role mining algorithms have been proposed which attempt to automate the process of role discovery. In this paper, we represent the user-permission assignments as a bi-partite graph with users/permissions as vertices and user-permission assignments as edges. Given a user-permission bi-partite graph, most role mining algorithms focus on discovering roles that cover all the user-permission assignments. We show that by relaxing the coverage requirement, one can improve the accuracy of role detection. We propose a parameterized definition of a role based on graph theoretical properties, and demonstrate that the role parameters can be controlled to balance the accuracy and coverage of the roles detected. Finally, we propose a heuristic to illustrate the efficacy of our approach and validate it on real and artificial organizational access control data.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
