Bi-objective Optimization in Role Mining

Jason Crampton, Eduard Eiben, Gregory Gutin, Daniel Karapetyan, Diptapriyo Majumdar
2024-03-25
Abstract: Role mining is a technique used to derive a role-based authorization policy from an existing policy. Given a set of users $U$, a set of permissions $P$ and a user-permission authorization relation $\mathit{UPA}\subseteq U\times P$, a role mining algorithm seeks to compute a set of roles $R$, a user-role authorization relation $\mathit{UA}\subseteq U\times R$ and a permission-role authorization relation $\mathit{PA}\subseteq R\times P$, such that the composition of $\mathit{UA}$ and $\mathit{PA}$ is close (in some appropriate sense) to $\mathit{UPA}$.
Computational Complexity, Artificial Intelligence
### What problems does this paper attempt to solve?

This paper focuses on bi-objective optimization in role mining. The authors introduce the Generalized Noise Role Mining problem (GNRM) and, building on it, a bi-objective optimization version (Bi-objective GNRM, BO-GNRM). The core points are as follows:

1. **The basic problem of role mining**: Role mining aims to derive a role-based authorization policy from existing user-permission assignments. Given a set of users \( U \), a set of permissions \( P \) and the user-permission authorization relation \( UPA\subseteq U\times P \), the goal of a role mining algorithm is to compute a set of roles \( R \), a user-role authorization relation \( UA\subseteq U\times R \) and a permission-role authorization relation \( PA\subseteq R\times P \) so that the composition of \( UA \) and \( PA \) is as close as possible to \( UPA \).

2. **Generalized Noise Role Mining problem (GNRM)**: The authors extend the MinNoise Role Mining problem (MNRP) to the more general GNRM. GNRM allows specifying whether the decomposition needs to maintain security or availability at the user level. The formal definition of GNRM is as follows:
   - **Input**: An \( m\times n \) user-permission assignment matrix \( UPA \), a label matrix \( F \), and integers \( k\geq0 \) and \( r\geq1 \).
   - **Parameters**: \( k + r \)
   - **Objective**: Does there exist an \( m\times r \) user-role assignment matrix \( UA \) and an \( r\times n \) role-permission assignment matrix \( PA \) such that \( sd_F(UPA, UA\land PA)\leq k \)? If so, return such matrices \( UA \) and \( PA \).

3. **Bi-objective optimization problem (BO-GNRM)**: In BO-GNRM, the aim is to minimize both the number of roles \( r \) and the number of inconsistencies \( k \), subject to the upper bounds \( \bar{r} \) and \( \bar{k} \). Specifically, the goal is to minimize \( r \) and \( k \) such that \( r\leq\bar{r} \) and \( k\leq\bar{k} \), and there exist matrices \( UA \) and \( PA \) that satisfy the conditions. This allows an organization to find the best balance between the number of roles and authorization inconsistencies according to its actual needs.

4. **Fixed-Parameter Tractability (FPT)**: The authors prove that both GNRM and BO-GNRM are fixed-parameter tractable (FPT), that is, their running times are exponential functions of some parameters but polynomial for other parameters. This result shows that in practical applications, when these parameters are small, these problems can be effectively solved.

5. **Experimental verification**: The authors use the integer programming solver Gurobi to conduct experiments to verify the effectiveness of their method on actual authorization policies. The experimental results show that for many instances, when \( k \) or \( r \) is small, the solver can find the optimal solution.

In general, by introducing GNRM and BO-GNRM, this paper addresses the problem of how to minimize the number of roles and authorization inconsistencies while ensuring security and availability in role mining, and provides theoretical and experimental support.
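To make the trade-off between \( r \) and \( k \) concrete, the following added example (not code from the paper or its authors) enumerates the Pareto-optimal \( (r, k) \) pairs for a tiny constructed policy by exhaustive search, which is only practical at this size. The per-user `mode` flags are an assumed simplification standing in for the label matrix \( F \), whose exact definition the summary does not give; all function names and the sample data are hypothetical.

```python
from itertools import combinations

def user_cost(row, roles, mode):
    """Fewest mismatches for one user over every subset of `roles` (bitmasks)."""
    best = None
    for size in range(len(roles) + 1):
        for subset in combinations(roles, size):
            granted = 0
            for role in subset:
                granted |= role
            over = granted & ~row    # granted but absent from UPA (security)
            under = row & ~granted   # in UPA but not granted (availability)
            # Assumed semantics: "secure" forbids over-grants for this user,
            # "available" forbids under-grants, "any" allows both kinds.
            if (mode == "secure" and over) or (mode == "available" and under):
                continue
            cost = bin(over | under).count("1")
            if best is None or cost < best:
                best = cost
    return best  # None when the user's mode cannot be met with these roles

def min_noise(upa, modes, n_perms, r):
    """Smallest k reachable with r roles, or None if no choice is feasible."""
    best = None
    for roles in combinations(range(1, 1 << n_perms), r):
        costs = [user_cost(row, roles, m) for row, m in zip(upa, modes)]
        if None in costs:
            continue
        if best is None or sum(costs) < best:
            best = sum(costs)
    return best

def pareto_front(upa, modes, n_perms, r_bar, k_bar):
    """Non-dominated (r, k) pairs with r <= r_bar and k <= k_bar."""
    front = []
    for r in range(r_bar + 1):
        k = min_noise(upa, modes, n_perms, r)
        if k is None or k > k_bar:
            continue
        if not front or k < front[-1][1]:  # keep only strict improvements
            front.append((r, k))
    return front

# Constructed sample: 5 users, 4 permissions, one bitmask per UPA row.
UPA = [0b0011, 0b0011, 0b1100, 0b1100, 0b0111]
if __name__ == "__main__":
    print(pareto_front(UPA, ["any"] * 5, 4, r_bar=3, k_bar=11))
    print(pareto_front(UPA, ["any"] * 4 + ["available"], 4, r_bar=3, k_bar=11))
```

Requiring availability for the last user removes the zero-role point and raises the best one-role noise, which shows how per-user constraints reshape the set of choices offered to the policy owner.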