| Role-based access control(RBAC) model is widely investigated and used because of its good applicability and high flexibility. In this model, users are associated with roles, and roles are associated with permissions. Granting or revoking permissions from users is completed by assigning or canceling roles to users. This model implements the logic separation of users and permissions. Given that role setting is critical for the safety and flexibility of permission management, role design and maintenance are always the core work of building and managing the RBAC system. The relative methods are referred to as role engineering methods. With the development of information technology, information systems have become increasingly complex and diverse. This phenomenon brings high requirements of designing and maintaining roles. To address this challenge, the automatic role engineering method has been widely investigated. As an important method of data mining and knowledge discovery, concept lattice has the ability to automatically cluster and build hierarchy. Concept lattice is used for designing and maintaining a role hierarchy structure that satisfies the constraints. Based on the relative theories of concept lattice, this paper examines role building, role updating, and role merging. The main contributions of this paper are as follows:(1) Classic top-down engineering method, which mainly depends on the level of personal experience and knowledge of domain experts, may lack some authority and functional requirements. Based on the classical method, a semi-automatic role engineering method and a role exploration algorithm are proposed using the attribute exploration theory of concept lattice. Through interactive query, this method can semi-automatically analyze and restore background knowledge of experts and complete the analysis process of role engineering to avoid omitting scenarios, cases, and roles. This interactive role discovery algorithm can automatically generate the hierarchy of role using the Hasse diagram of concept lattice.(2) In the bottom-up role engineering method, the role hierarchy structure built by the role mining method of concept lattice obtains a large number of redundant roles. This phenomenon increases the complexity of system management. Therefore, to find the minimum character set that meets the principle of least privilege, the role replacement-driven minimum role set-solving model is established. Solving this model is a difficult NP problem. To reduce time complexity, a replacement and reduction-based greedy algorithm is designed. In the experiments using random data, the accuracy of the proposed algorithm is higher than that of classical algorithms by 12%-62% in the case of users and higher by 0%-34.4% in the case of permissions. The experiments and analysis show that the number of users and the permissions gap are large, and that the accuracy of the proposed algorithm is better than that of other algorithms. The results of experiments using real-world data also show that the number of roles mined by proposed algorithm is less than that of other algorithms.(3) In a complex information system, the access permissions of the subject to the object change over time. This phenomenon requires automatic updating of the role hierarchy based on concept lattice. Research is scarce on the decremental updating algorithm for deleting object and attribute from concept lattice. Therefore, by analyzing the change rules of the reflection relation and edges between the original lattice nodes and the new lattice nodes, decremental updating algorithms for removing several objects or attributes based on the original concept lattice are investigated. These algorithms can incrementally adjust the nodes and the Hasse diagram of concept lattice based on the original concept lattice. These algorithms can also satisfy the requirements of the role hierarchy for automatic updates. The time complexity in the worst case is O(|L|?|G|?|M|). In the experiments using random data, the run times of decremental algorithms based on object and attribute are lower than those of classical algorithms by 71.4% and 73.2%, respectively. The results of experiments using real-world data show that, run times of the proposed algorithms can satisfy the performance requirements of updating roles.(4) When several RBAC systems are merged into an RBAC system, the main work is to merge the roles and the hierarchy structure. In the role engineering method based on concept lattice, the union of concept lattice is used to complete the merging of roles and its hierarchy structure. The time performances of existing union algorithms are limited. Therefore, more effective concept lattice vertical and horizontal merging algorithms are proposed. In these algorithms, the concepts in a sub-lattice are incrementally inserted one by one to another sub-lattice. In the inserting process, algorithms can drastically reduce the comparisons among the concepts by utilizing the structures of the original sub-lattices. The time complexity in the worst case is O(|L1|?|L2|?|G|3?|M|). Compare with the existing algorithm, the time complexity of proposed algorithms decreases |M|. The experiments using random data show that compared with the existing algorithm, the vertical and horizontal merging algorithms save 82% and 96.3% of time in the best case, respectively. The results of experiments using real-world data show that, the time performance of the algorithm can satisfy the time requirements of merging roles and their hierarchy in an RBAC system based on concept lattice.
|
PDF Full Text Request