12 month project summary

The main focus if this project is investigation into various techniques of bottom up role engineering for the development of a comprehensive infrastructure for Role Based Access Control. Since commencement of the research project, detailed analysis of the research area has been performed and two algorithms that address open issues in existing algorithms have been proposed.

Future work exists for both of the proposed algorithms. The first approach is a frequent pattern approach for role engineering and this can be extended to identify closed or maximal frequent itemsets. This reduce the number of generated candidate permission sets. Using this approach would also eliminate the need for removing roles that were not explicitly assigned to any users. Results returned from frequent closed permission set mining could then be used to produce the role hierarchy.

The second algorithm is the graph optimisation approach and can be tested using different optimisation rules with different metrics. Doing so may identify interesting properties of each algorithm.

Both of these approaches can also be tested on more data. The current project is being sponsored by CA (formerly Computer Associates). CA has provided some policy data that provides information on users and access rights from large corporations. Investigations on actual permission data can be done to justify the practicality of our proposed approaches. This testing on CA gathered data for extraction of roles from real companies may involve the creation of a more general purpose prototype that moves the theoretical ideas of the project onto some more solid practical foundations.

While practical applications of the algorithms are important, more testing on theoretical foundations also need to be done. This requires a large set of synthetic test data. This test data can be generated artificially by creating permissions, users and roles in a RBAC model and extracting the direct user permission relationships. This data can then be manipulated by different algorithms in the attempt to recreate the original artificial RBAC model with users, permissions and roles.

The lack of sufficient test data needs to be addressed within the whole area of role engineering, not just for our algorithms. One of the future goals of this project is to create this large synthetic data test suite. This data can be used for our testing to verify our algorithms. The data can also be made available to other researchers in role engineering to test their algorithms.

The result of such a publicly available test suite is a set of results that are comparable. Different approaches on a comprehensive comparison technique can be proposed. One such technique is to place each result into a graph and compare subtree sections. Another proposal can be to create an algorithm that can map from one RBAC infrastructure to another for comparison.
The majority of existing algorithms assume clean noiseless data. Our proposed frequent pattern approach deals with incorrect assignments to an extent but analysis of access logs can further our clean our data. Preprocessing algorithms may involve analysis of access logs to removing inactive permissions before bottom up role engineering algorithms are performed.

The improvement of previous approaches and the creation of pre and post processing for the role engineering techniques will be our main focus for future research in this project.

The intention is to convert the current Masters by Research into a PhD. A department seminar has been given and approval has been granted by the research committee. Due to the conversion, final thesis preparation will occur during 2009 for the new PhD thesis deadline.