A business-driven decomposition methodology for role mining

It is generally accepted that role mining—that is, the discovery of roles through the automatic analysis of data from existing access control systems—must count on business requirements to increase its effectiveness. Indeed, roles elicited without leveraging on business information are unlikely to be intelligible by system administrators. A business-oriented categorization of users and permissions (e.g., organizational units, job titles, cost centers, business processes, etc.) could help administrators identify the job profiles of users and, as a consequence, which roles should be assigned to them. Nonetheless, most of the existing role mining techniques yield roles that have no clear relationship with the business structure of the organization where the role mining is being applied. To face this problem, we propose a methodology that allows role engineers to leverage business information during the role finding process. The key idea is decomposing the dataset to analyze into several partitions, in a way that each partition is homogeneous from a business perspective. Each partition groups users or permissions with the same business categorization (e.g., all the users belonging to the same department, or all the permissions that support the execution of the same business process). Such partitions are then role-mined independently, hence achieving three main results: (1) elicited roles have a clearer relationship with business information; (2) mining algorithms do not seek to find commonalities among users with fundamentally different job profiles or among uncorrelated permissions; and, (3) any role mining algorithm can be used in conjunction with our approach.When several business attributes are available, analysts need to figure out which one produces the decomposition that leads to the most intelligible roles. In this paper, we describe three indexes that drive the decomposition process by measuring the quality of a given decomposition: entrustability, minability gain, and similarity gain. We compare these indexes, pointing out pros and cons. Finally, we apply our methodology on real enterprise data, showing its effectiveness and efficiency in supporting role engineering.