A formal framework to elicit roles with business meaning in RBAC systems

“…The main benefit of adopting such a model is a simplification of the security policy definition task by business users who have no knowledge of IT systems. Further, use of roles minimizes system administration effort due to the reduced number of relationships required to relate users to permissions [4].…”

“…However, the slavish application of standard data mining approaches to role engineering might yield roles that are merely a set of permissions, namely with no connection to the business practices. Indeed, organizations are unwilling to deploy roles they cannot bind to a business meaning [4]. For this reason, bottom-up should be used in conjunction with top-down, leading to an hybrid approach.…”

“…Only few recent works value business requirements in role mining [2,4,11,14]. Their main limitation is to propose theoretical frameworks that are difficult to apply in real cases.…”

“…Their main limitation is to propose theoretical frameworks that are difficult to apply in real cases. For instance, [2,4,14] require analysts to define a measure for the business meaning of roles. However, selecting the measure that fits the needs of an organization is not trivial, and no best practices exist to define it.…”

“…Moreover, elicitation of roles with no business meaning can be avoided by grouping users that perform similar tasks together first, and then analyzing each group separately. Indeed, investigating analogies among groups of users that perform completely different tasks is far from being a good role mining strategy [4]. Partitioning data also introduces benefits in terms of execution time of role mining algorithms.…”

Mining Business-Relevant RBAC States through Decomposition

“…The main benefit of adopting such a model is a simplification of the security policy definition task by business users who have no knowledge of IT systems. Further, use of roles minimizes system administration effort due to the reduced number of relationships required to relate users to permissions [4].…”

“…However, the slavish application of standard data mining approaches to role engineering might yield roles that are merely a set of permissions, namely with no connection to the business practices. Indeed, organizations are unwilling to deploy roles they cannot bind to a business meaning [4]. For this reason, bottom-up should be used in conjunction with top-down, leading to an hybrid approach.…”

“…Only few recent works value business requirements in role mining [2,4,11,14]. Their main limitation is to propose theoretical frameworks that are difficult to apply in real cases.…”

“…Their main limitation is to propose theoretical frameworks that are difficult to apply in real cases. For instance, [2,4,14] require analysts to define a measure for the business meaning of roles. However, selecting the measure that fits the needs of an organization is not trivial, and no best practices exist to define it.…”

“…Moreover, elicitation of roles with no business meaning can be avoided by grouping users that perform similar tasks together first, and then analyzing each group separately. Indeed, investigating analogies among groups of users that perform completely different tasks is far from being a good role mining strategy [4]. Partitioning data also introduces benefits in terms of execution time of role mining algorithms.…”

Mining Business-Relevant RBAC States through Decomposition

eMOLST: a documentation flow for distributed health informatics

Policy Engineering in RBAC and ABAC