
Minimizing the Number of Roles in Bottom-Up Role-Mining using Maximal Biclique Enumeration

Mahesh Tripunitara

TL;DR

The paper tackles bottom-up role-mining with the objective of minimizing the number of RBAC roles, linking the problem to the $NP$-hard minimum biclique cover. It introduces a maximal biclique enumeration framework: for inputs that yield a manageable number of maximal bicliques, an ILP is solved to obtain exact minimal-role policies; for harder inputs, a branch-and-price variant and a large-maximal-biclique heuristic provide practical progress. Empirical results on Ene et al.'s benchmarks and the newer rmplib benchmarks show the method solves a majority of instances exactly and often improves over prior heuristics on hard cases, with open-source code available. The work offers a scalable, interpretable measure of instance hardness and provides a concrete path toward robust role-mining in real-world settings.

Abstract

Bottom-up role-mining is the determination of a set of roles given as input a set of users and the permissions those users possess. It is well-established in the research literature, and in practice, as an important problem in information security. A natural objective that has been explored in prior work is for the set of roles to be of minimum size. We address this problem for practical inputs while reconciling foundations, specifically, that the problem is $NP$-hard. We first observe that an approach from prior work that exploits a sufficient condition for an efficient algorithm, while a useful first step, does not scale to more recently proposed benchmark inputs. We propose a new technique: the enumeration of maximal bicliques. We point out that the number of maximal bicliques provides a natural measure of the hardness of an input. We leverage the enumeration of maximal bicliques in two different ways. Our first approach addresses more than half the benchmark inputs to yield exact results. The other approach is needed for hard instances; in it, we identify and adopt as roles those that correspond to large maximal bicliques. We have implemented all our algorithms and carried out an extensive empirical assessment, which suggests that our approaches are promising. Our code is available publicly as open-source.

Paper Structure (7 sections, 3 theorems, 3 equations, 7 figures, 9 tables, 4 algorithms)


Key Result

Theorem 1

Suppose the edge $\left\langle u_d, p_d \right\rangle$ dominates $\left\langle u, p \right\rangle$ in the input access matrix. Then, there exists an RBAC policy with the minimum number of roles in which $u_d$ acquires $p_d$ through the same role through which $u$ acquires $p$.

Figures (7)

  • Figure 1: An access matrix, as it pertains to this work, as permissions a user possesses, and as a bipartite graph. Users $u_0$–$u_4$ are shown as solid circles, and permissions $p_0$–$p_4$ as dotted circles.
  • Figure 2: Two role-based policies that are equivalent in authorizations to the access matrix of Figure 1. Roles are shown as shaded circles. The policy to the right has four roles, which happens to be the minimum possible for this access matrix.
  • Figure 3: The vertices and edges in bold show a maximal biclique for the access matrix from Figure 1; the other components are shown faded. Removing any vertex from $\left\{ u_0, u_1, u_2 \right\} \cup \left\{ p_0, p_2 \right\}$ still yields a biclique; however, no edge in the original graph can be added to still yield a biclique. This maximal biclique corresponds to the second role from the left in the role-based policy to the right in Figure 2.
  • Figure 4: The four maximal bicliques of which the edge $\left\langle u_0, p_0 \right\rangle$ is a member in the access matrix of Figure 1 shown in bold. The edge $\left\langle u_2, p_0 \right\rangle$ is a member of all of them, and therefore, by Definition 1, dominates $\left\langle u_0, p_0 \right\rangle$.
  • Figure 5: The edge $\left\langle u_0, p_0 \right\rangle$ and its neighbours shown bolded to the left, and $\left\langle u_2, p_0 \right\rangle$ and its neighbours to the right. As the latter includes all of the former, by Theorem \ref{thm:neighbours}, $\left\langle u_2, p_0 \right\rangle$ dominates $\left\langle u_0, p_0 \right\rangle$.
  • ...and 2 more figures
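The notions used in the abstract and in the captions of Figures 3 and 4 can be tried on a small input. The following is an added example, not the paper's open-source code: it enumerates maximal bicliques of a constructed user-permission assignment (not the Figure 1 matrix), tests dominance as the Figure 4 caption states it, and finds a minimum-size role set by brute force over maximal bicliques in place of the paper's ILP. All function names are assumptions of this example.

```python
from itertools import combinations

# Constructed sample: user -> permissions held (not the paper's Figure 1).
UP = {
    "u0": {"p0", "p1"},
    "u1": {"p0", "p2"},
    "u2": {"p0", "p1", "p2"},
    "u3": {"p3"},
}

def maximal_bicliques(up):
    """Return every maximal biclique as (users, perms), both frozensets.

    The permission side of a maximal biclique is a non-empty intersection of
    user rows; the user side is every user whose row contains that set.
    """
    intents = set()
    frontier = {frozenset(ps) for ps in up.values() if ps}
    while frontier:  # close the rows under pairwise intersection
        intents |= frontier
        frontier = {a & b for a in intents for b in intents}
        frontier -= intents | {frozenset()}
    return {(frozenset(u for u in up if p <= up[u]), p) for p in intents}

def dominates(bicliques, e_d, e):
    """True if edge e_d lies in every maximal biclique that contains edge e."""
    holding_e = [(U, P) for U, P in bicliques if e[0] in U and e[1] in P]
    return bool(holding_e) and all(
        e_d[0] in U and e_d[1] in P for U, P in holding_e)

def min_role_cover(up):
    """Smallest set of maximal bicliques (roles) covering every user-permission edge.

    Exhaustive search, only viable while the number of maximal bicliques is
    small; the paper solves an ILP over the same candidates instead.
    """
    edges = {(u, p) for u, ps in up.items() for p in ps}
    cands = sorted(maximal_bicliques(up),
                   key=lambda b: (sorted(b[0]), sorted(b[1])))
    for k in range(1, len(cands) + 1):
        for combo in combinations(cands, k):
            if {(u, p) for U, P in combo for u in U for p in P} == edges:
                return list(combo)
    return []

if __name__ == "__main__":
    mbs = maximal_bicliques(UP)
    print("maximal bicliques (hardness measure):", len(mbs))
    print("<u2,p0> dominates <u0,p0>:", dominates(mbs, ("u2", "p0"), ("u0", "p0")))
    for users, perms in min_role_cover(UP):
        print("role:", sorted(users), "->", sorted(perms))
```
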

Theorems & Definitions (8)

  • Definition 1: Dominates
  • Theorem 1
  • proof
  • Definition 2: Adjacency
  • Theorem 2
  • proof
  • Theorem 3
  • proof