Impact of Multiple t-t SMER Constraints on Minimum User Requirement in RBAC

  • Arindam Roy
  • Shamik Sural
  • Arun Kumar Majumdar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8880)


Separation of Duty (SoD) constraints are widely used to specify Role Based Access Control (RBAC) policies in commercial applications. It has been shown previously that efficient implementation of SoD policies in RBAC can be done using t-t Statically Mutually Exclusive Roles (SMER) constraints. In this paper, we present a method for finding the minimum number of users required under multiple t-t SMER constraints. The problem is shown to be NP-complete. We model the general problem using graphs, and present a two-step method for solving it. In the first step, a greedy algorithm is proposed that selects a graph which is likely to have the minimum chromatic number out of a set of graphs. The second step uses a known chromatic number finding algorithm for determining the chromatic number of the graph selected in the first step. Results for different values of the number of roles and the number of constraints as well as for different values of t have been reported.


Statically Mutually Exclusive Roles (SMER) constraint Role Based Access Control (RBAC) Graph Chromatic number Greedy algorithm 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bell, D.E., Lapadula, L.J.: Secure computer system: Unified exposition and multics interpretation. Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731 (1976)Google Scholar
  2. 2.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 2(1), 65–104 (1999)CrossRefGoogle Scholar
  3. 3.
    Chen, F., Sandhu, R.S.: Constraints for role-based access control. In: Proceedings of the 1st ACM Workshop on Role-Based Access Control, pp. 39–46 (1996)Google Scholar
  4. 4.
    Clark, D.D., Wilson, D.R.: A comparison of commercial and military computer security policies. In: Proceedings of the 1987 IEEE Symposium on Security and Privacy, pp. 184–194 (1987)Google Scholar
  5. 5.
    Crampton, J., Gutin, G., Yeo, A.: On the parameterized complexity and kernelization of the workflow satisfiability problem. ACM Transactions on Information and System Security, 16(1), 4:1–4:31 (2013)Google Scholar
  6. 6.
    Diestel, R.: Graph Theory. Springer (2005)Google Scholar
  7. 7.
    Ferraiolo, D.F., Kuhn, D.R., Chandramouli, R.: Role-Based Access Control. Artech House (2007)Google Scholar
  8. 8.
    Frank, M., Buhman, J.M., Basin, D.: Role mining with probabilistic models. ACM Transactions on Information and System Security, 15(4), 15:1–15:28 (2013)Google Scholar
  9. 9.
    Garey, M.R., Johnson, D.S.: Computers and intractability: A guide to the theory of np-completeness. W. H. Freeman (1979)Google Scholar
  10. 10.
    Harika, P., Nagajyothi, M., John, J.C., Sural, S., Vaidya, J., Atluri, V.: Meeting cardinality constraints in role mining. IEEE Transactions on Dependable and Secure Computing (to appear, 2014)Google Scholar
  11. 11.
    Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  12. 12.
    Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  13. 13.
    Kuhn, D.R.: Mutual exclusion of roles as a means of implementing separation of duty in role-based access control systems. In: Proceedings of the Second ACM Workshop on Role-based Access Control, pp. 23–30 (1997)Google Scholar
  14. 14.
    Li, N., Tripunitara, M.V., Bizri, Z.: On mutually exclusive roles and separation-of-duty. ACM Transactions on Information and System Security 10(2), 1–36 (2007)CrossRefGoogle Scholar
  15. 15.
    Roy, A., Sural, S., Majumdar, A.K.: Minimum user requirement in role based access control with separation of duty constraints. In: 12th International Conference on Intelligent Systems Design and Applications, pp. 386–391 (2012)Google Scholar
  16. 16.
    Sandhu, R.S., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security (TISSEC) 2(1), 105–135 (1999)CrossRefGoogle Scholar
  17. 17.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  18. 18.
    Schaad, A., Moffett, J., Jacob, J.: The role-based access control system of a European bank: a case study and discussion. In: Proceedings of the sixth ACM Symposium on Access Control Models and Technologies, pp. 3–9 (2001)Google Scholar
  19. 19.
    Scheinerman, E.R.: Matgraph: A MATLAB Toolbox for Graph Theory (2012),
  20. 20.
    Vaidya, J., Atluri, V., Guo, Q.: The role mining problem: finding a minimal descriptive set of roles. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 175–184 (2007)Google Scholar
  21. 21.
    Wang, Q., Li, N.: Satisfiability and resiliency in workflow authorization systems. ACM Transactions on Information and System Security 13(4), 40:1–40:35 (2010)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Arindam Roy
    • 1
  • Shamik Sural
    • 2
  • Arun Kumar Majumdar
    • 3
  1. 1.Advanced Technology Development CentreIndian Institute of TechnologyKharagpurIndia
  2. 2.School of Information TechnologyIndian Institute of TechnologyKharagpurIndia
  3. 3.Department of Computer Science and EngineeringIndian Institute of TechnologyKharagpurIndia

Personalised recommendations