TR 2008 - 624 Making RBAC Work in Dynamic , Fast - Changing Corporate Environments Senior Honors

In large organizations with tens of thousands of employees, managing individual people’s permissions is tedious and error prone, and thus a possible source of security risks. RoleBased Access Control addresses this problem by grouping users into roles, which reflect job functions in the corporation. Permissions are assigned to roles instead of directly to users, which means that all users assigned to a role have the same set of permissions with respect to that role. However, adoption of RBAC in organizations such as investment banks is hindered by two main factors: first, it is costly and time-consuming to define roles. Second, there are certain job functions (such as “consultant”) that cannot be expressed as RBAC roles, because their users need to have different permission sets. The topic of this thesis is to investigate whether roles can be applied to domains that exhibit the peculiarities of the investment bank example. We introduce a new framework for roles that allows us to separately represent what the role means as a job function and what permissions its individual users have. That way we maintain the key property of RBAC – that the number of roles is small, while allowing for variations among users. We have also investigated machine learning approaches in order to figure out whether roles are concepts that can be learned or approximated by a function. We present our findings that certain learning schemes, such as Probably Approximately Correct (PAC) earning and Instancebased learning are not applicable to roles, while others – such as decision-tree learning, might be useful.