{"title":"Practical risk aggregation in RBAC models","authors":"Suresh Chari, Jorge Lobo, Ian Molloy","doi":"10.1145/2295136.2295158","DOIUrl":null,"url":null,"abstract":"This paper describes our system, built as part of a commercially available product, for inferring the risk in an RBAC policy model, i.e., the assignment of permissions to roles and roles to users. Our system implements a general model of risk based on any arbitrary set of properties of permissions and users. Our experience shows that fuzzy inferencing systems are best suited to capture how humans assign risk to such assignments. To implement fuzzy inferencing practically we need the axiom of monotonicity, i.e., risk can not decrease when more permissions are assigned to a role or when the role is assigned to fewer users. We describe the visualization component which administrators can use to infer aggregate risk in role assignments as well as drill down into which assignments are actually risky. Administrators can then use this knowledge to refactor roles and assignments.","PeriodicalId":74509,"journal":{"name":"Proceedings of the ... ACM symposium on access control models and technologies. ACM Symposium on Access Control Models and Technologies","volume":"1 1","pages":"117-118"},"PeriodicalIF":0.0000,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the ... ACM symposium on access control models and technologies. ACM Symposium on Access Control Models and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2295136.2295158","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 6
Abstract
This paper describes our system, built as part of a commercially available product, for inferring the risk in an RBAC policy model, i.e., the assignment of permissions to roles and roles to users. Our system implements a general model of risk based on any arbitrary set of properties of permissions and users. Our experience shows that fuzzy inferencing systems are best suited to capture how humans assign risk to such assignments. To implement fuzzy inferencing practically we need the axiom of monotonicity, i.e., risk can not decrease when more permissions are assigned to a role or when the role is assigned to fewer users. We describe the visualization component which administrators can use to infer aggregate risk in role assignments as well as drill down into which assignments are actually risky. Administrators can then use this knowledge to refactor roles and assignments.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
