Role Mining in the Presence of Separation of Duty Constraints

  • Prasuna Sarana
  • Arindam Roy
  • Shamik Sural
  • Jaideep Vaidya
  • Vijayalakshmi Atluri
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9478)


In recent years, Role Based Access Control (RBAC) has emerged as the most popular access control mechanism, especially for commercial applications. In RBAC, permissions are assigned to roles, which are then assigned to users. The key to the effectiveness of RBAC is the underlying role set that is used. The process of identifying an appropriate set of roles that optimally meets the organizational requirements is called role mining. One of the most useful constraints that can be expressed in RBAC is Separation of Duty (SoD). SoD constraints allow organizations to put a restriction on the minimum number of users required to complete a critical task. However, existing role mining algorithms do not handle SoD constraints and cannot be easily extended to incorporate SoD constraints. In this paper, we consider the problem of role mining when SoD constraints are present. We develop three alternative approaches that can be applied either during or after role mining. We evaluate the performance of all three approaches on several real-world data sets and demonstrate their effectiveness.


Keywords: RBAC, Role mining, Separation of duty, SMER constraints
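The following is an added example, not code from the paper: a check of whether a user-role and role-permission assignment satisfies an SoD constraint of the kind the abstract describes. The formalization used here (the constraint holds when no group of fewer than k users jointly holds every permission of the task) is an assumption, and all user, role and permission names are constructed sample data.

```python
from itertools import combinations

def effective_permissions(ua, pa):
    """Permissions each user holds through the roles assigned to them."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}

def sod_violations(ua, pa, task, k):
    """Minimal groups of fewer than k users that jointly hold every task permission.

    Assumed formalization: the constraint holds when at least k users are
    needed to cover the task, i.e. when this function returns an empty list.
    """
    task = set(task)
    held = {u: p & task for u, p in effective_permissions(ua, pa).items()}
    holders = sorted(u for u, p in held.items() if p)
    violations = []
    for size in range(1, k):
        for group in combinations(holders, size):
            if any(set(v) <= set(group) for v in violations):
                continue  # a smaller violating group is already reported
            if set().union(*(held[u] for u in group)) == task:
                violations.append(group)
    return violations

# Constructed sample data: a purchasing task made of three permissions.
TASK = {"create_po", "approve_po", "issue_payment"}

# Role set that bundles creation and approval into one role.
PA_WEAK = {"r_buyer": {"create_po", "approve_po"},
           "r_cashier": {"issue_payment"},
           "r_audit": {"view_ledger"}}
UA_WEAK = {"alice": {"r_buyer", "r_cashier"},
           "bob": {"r_buyer"},
           "carol": {"r_cashier", "r_audit"}}

# Role set with one task permission per role and one such role per user.
PA_SPLIT = {"r_req": {"create_po"}, "r_appr": {"approve_po"},
            "r_cashier": {"issue_payment"}, "r_audit": {"view_ledger"}}
UA_SPLIT = {"alice": {"r_req"}, "bob": {"r_appr"},
            "carol": {"r_cashier", "r_audit"}}

if __name__ == "__main__":
    for name, ua, pa in (("weak", UA_WEAK, PA_WEAK), ("split", UA_SPLIT, PA_SPLIT)):
        for k in (2, 3):
            print(name, "k =", k, "violations:", sod_violations(ua, pa, TASK, k))
```

The check enumerates user subsets, so its cost grows combinatorially with k and with the number of users who hold any task permission.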



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Prasuna Sarana (1)
  • Arindam Roy (2)
  • Shamik Sural (1)
  • Jaideep Vaidya (3)
  • Vijayalakshmi Atluri (3)

  1. School of Information Technology, IIT Kharagpur, Kharagpur, India
  2. Advanced Technology Development Centre, IIT Kharagpur, Kharagpur, India
  3. MSIS Department, Rutgers University, Newark, USA
