Article history: Received 28 July 2010 Received in revised form 30 November 2010 Accepted 30 November 2010 Available online 13 December 2010

In this paper we describe a new probabilistic approach to the role engineering process for RBAC. In particular, we address the issue of minimizing the number of roles, problem known in literature as the Basic Role Mining Problem (basicRMP). We leverage the equivalence of the above issue with the vertex coloring problem. Our main result is the proof that the minimum number of roles is sharply co...

OASIS is a distributed RBAC implementation with many extensions. Sound policy design will permit OASIS to protect the distributed resources whose access privileges it controls. However, through operating in a distributed environment, the underlying OASIS infrastructure is open to a number of potential attacks. This paper identifies three main classes of such attack and introduces techniques to ...

Binding of Duty (BOD) constraints define that the same subject (or role) who performed a certain task t1 must also perform a corresponding bound task t2. In this paper, we describe algorithms for checking the satisfiability of binding constraints in a business process context. In particular, these algorithms check the configuration of a process-related RBAC model to find satisfiability conflict...

Privacy concerns keep users from sharing required information in a collaborative environment. There is a need of privacy preserving methods that can enhance flow of information among collaborating users in dynamic teams without compromising their privacy. We describe a user-defined rolebased sharing control model and architecture that uses hybrid roles and hybrid sharing control policy for the ...

We propose a framework to evaluate the risk incurred when managing users and permissions through RBAC. The risk analysis framework does not require roles to be defined, thus making it applicable before the role engineering phase. In particular, the proposed approach highlights users and permissions that markedly deviate from others, and that might consequently be prone to error when roles are o...

In this paper we address the problem of reducing the role mining complexity in RBAC systems. To this aim, we propose a three steps methodology: first, we associate a weight to roles; second, we identify user-permission assignments that cannot belong to roles with a weight exceeding a given threshold; and third, we restrict the role-finding problem to user-permission assignments identified in th...

In this paper we investigate one aspect of RBAC administration concerning assignment of users to roles. A user-role assignment model can also be used for managing user-group assignment. We overview a constrained user-group assignment model and describe its implementation in the Linux system. Rather than set user and file rights individually for each and every user, the administrator can give ri...

The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to generically enforce policy persists. While researchers, practitioners and policy makers have specified a large variety of access control policies to address re...

The rapid emergence of GPS enabled devices, sensors and mobile equipment in commercial as well as government organizations has led to considerable research in timeand location-based access control schemes. Location-based access policies enhance the security of an application by restricting access to an object only from specified locations. On the other hand, temporal constraints provide granula...